Recently I added the Suricata service to pfSense. Under Suricata Global Settings I have checked the following:
Install ETOpen
Install Snort VRT Rules
Install Snort Community Rules
I have checked/enabled the following under Suricata IDS / Interface WAN – Categories:
Resolve Flowbits
Snort GPLv2 Community Rules (VRT certified)
emerging-activex.rules
emerging-attack_response.rules
emerging-botcc.portgrouped.rules
emerging-botcc.rules
emerging-ciarmy.rules
emerging-compromised.rules
emerging-current_events.rules
emerging-dns.rules
emerging-dos.rules
emerging-dshield.rules
emerging-exploit.rules
emerging-ftp.rules
emerging-icmp.rules
emerging-icmp_info.rules
emerging-inappropriate.rules
emerging-malware.rules
emerging-rbn-malwaretisers.rules
emerging-sql.rules
emerging-tor.rules
emerging-trojan.rules
emerging-worm.rules
My question is: when I look at any of the Rule Signature ID (SID) Enable/Disable Overrides in Suricata / Interface WAN / Rules: decoder-events.rules section, I notice that most of the States are Default Enabled (Circle Green Checked). However, some of the States are Default Disabled (Circle Red X). Should I Enable All of the States or leave them as they are? Also, can I get some input on the existing Emerging rulesets that I have enabled? Are they too much or too little?
Thank you in advance
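As an added example (not part of the original post or of pfSense/Suricata itself): a small Python script that parses an ET-style rules file and separates default-enabled rules from default-disabled ones, which are the rules the vendor ships commented out with a leading `#` and which the pfSense GUI shows as "Default Disabled", grouped by classtype. The rule lines below are constructed samples with made-up SIDs, not real ET signatures.

```python
import re

# Constructed sample in the ET rule-file format (SIDs and messages are made up).
# Rules shipped disabled by the vendor are simply commented out with '#'.
SAMPLE_RULES = """\
# This is a header comment, not a rule
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP example login"; sid:2000001; rev:3; classtype:attempted-recon;)
#alert icmp any any -> $HOME_NET any (msg:"ET ICMP_INFO example echo"; sid:2000002; rev:2; classtype:misc-activity;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY example noisy"; sid:2000003; rev:1; classtype:policy-violation;)
drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE example c2"; sid:2000004; rev:5; classtype:trojan-activity;)
"""

# A rule line: optional '#' (disabled), an action keyword, a header, then options in parentheses.
RULE_RE = re.compile(r'^\s*(?P<disabled>#)?\s*(?P<action>alert|drop|pass|reject)\s+.*?\((?P<body>.*)\)\s*$')
# One option inside the body: key:value; where the value may be quoted (e.g. msg:"...";).
OPT_RE = re.compile(r'(?P<key>\w+):\s*"?(?P<val>[^";]*)"?\s*;')


def parse_rules(text):
    """Return one dict per rule with sid, msg, classtype and whether it is enabled."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # blank lines and ordinary comments are not rules
        opts = dict(OPT_RE.findall(m.group('body')))
        if 'sid' not in opts:
            continue  # malformed rule without a SID; skip it
        rules.append({
            'sid': int(opts['sid']),
            'msg': opts.get('msg', ''),
            'classtype': opts.get('classtype', 'unknown'),
            'enabled': m.group('disabled') is None,
        })
    return rules


def summarize(rules):
    """Count enabled/disabled rules per classtype and list the default-disabled SIDs."""
    per_class = {}
    for r in rules:
        c = per_class.setdefault(r['classtype'], {'enabled': 0, 'disabled': 0})
        c['enabled' if r['enabled'] else 'disabled'] += 1
    disabled_sids = sorted(r['sid'] for r in rules if not r['enabled'])
    return per_class, disabled_sids


if __name__ == '__main__':
    per_class, disabled = summarize(parse_rules(SAMPLE_RULES))
    for classtype, counts in sorted(per_class.items()):
        print(f"{classtype:20s} enabled={counts['enabled']} disabled={counts['disabled']}")
    print('default-disabled SIDs:', disabled)
```

Running it against a real `emerging-*.rules` file (replace `SAMPLE_RULES` with the file contents) shows which classtypes the vendor has already turned off, which is useful context before deciding whether to force-enable a default-disabled SID.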