Nuface Blog

How to Choose Suricata RuleSets on OPNsense — Practical Guide & Best Recommendations

Posted on 2025-11-13 by Rico

In modern network security, Suricata IDS/IPS is one of the most important protection layers on OPNsense.
However, since OPNsense 25.x updated the Intrusion Detection UI, many users are confused by the long list of RuleSets shown under the “Download” tab.

What should you enable?
Which RuleSets are safe?
Which ones cause false positives?

This guide explains how to choose Suricata rules safely, effectively, and without breaking your network.


🧩 1. Why Are There So Many RuleSets?

OPNsense organizes Suricata rules into multiple sources:

  • abuse.ch feeds
  • ET Open categories
  • Emerging Threats rules
  • BotCC, Compromised, Dshield
  • ET Pro Telemetry (if available)

Each RuleSet contains hundreds or thousands of signatures. Enabling all of them will cause:

❌ Many false positives
❌ Internal systems being blocked
❌ High CPU usage
❌ A flood of logs

So the goal is not to enable everything — only the most useful and safe RuleSets.


🧩 2. Recommended Suricata RuleSets (Safe, Low False Positives)

Here is the best combination for most environments, especially business networks.

1️⃣ abuse.ch RuleSets (Highly Recommended)

These rule feeds provide extremely clean and reliable threat intelligence.

Enable:

  • ✔ abuse.ch/Feodo Tracker
  • ✔ abuse.ch/ThreatFox
  • ✔ abuse.ch/SSL IP Blacklist
  • ✔ abuse.ch/SSL Fingerprint Blacklist
  • ✔ abuse.ch/URLHaus

These block:

  • Botnets
  • C2 servers
  • Malware distribution
  • Malicious SSL endpoints
  • Malicious URLs

False positives are extremely rare.


2️⃣ ET Open (Enable only the essential categories)

Do not enable everything.
Only enable the high-value, low-noise groups:

  • ✔ ET open/botcc
  • ✔ ET open/compromised
  • ✔ ET open/dshield
  • ✔ ET open/malware
  • ✔ ET open/trojan

These provide solid protection without interfering with legitimate internal traffic.


3️⃣ ET Pro Telemetry (If available)

If your system shows:

ET pro telemetry

Enable it.
It provides improved detection with fewer false positives, and this telemetry edition is free.


🧩 3. Minimalist “Zero-False-Positive” RuleSet

If your priority is stability and low risk:

Enable only:

✔ Feodo
✔ ThreatFox
✔ URLHaus
✔ SSL IP Blacklist
✔ SSL Fingerprint Blacklist

This set alone blocks most modern threats with almost zero impact on your services.


🧩 4. RuleSets You Should Avoid

These categories commonly cause false positives and internal service disruption:

  • ✘ ET open/policy
  • ✘ ET open/info
  • ✘ ET open/netbios
  • ✘ ET open/p2p
  • ✘ ET open/chat
  • ✘ ET open/activex
  • ✘ ET open/adware
  • ✘ ET open/browser
  • ✘ ET open/smb
  • ✘ ET open/misc

They trigger alerts for many legitimate internal applications (NAS, SMB, Teams, ERP systems).


🧩 5. Recommended Suricata Strategy (Business Environment)

✔ WAN → IPS Mode

Block external threats.

✔ LAN → IDS Mode

Detect only — avoid breaking internal traffic.

✔ Combine Suricata + Zenarmor

  • Suricata: Threat detection + IPS
  • Zenarmor: L7 filtering + application control

Together they cover both network-level threat detection and application-level control.
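Before switching an interface from IDS to IPS, it helps to measure which rule families actually fire on your own traffic rather than trusting the category lists above blindly. The following Python script is an added example (not from this post or the OPNsense project): it reads Suricata eve.json alert records, groups them by ET rule family (the "ET POLICY", "ET INFO", ... prefix that OPNsense shows as ET open/policy, ET open/info, and so on) and flags families whose hits are mostly between RFC 1918 addresses as false-positive candidates. The eve records, signature names and sids are constructed for illustration; the 0.8 threshold is an arbitrary assumption.

```python
import ipaddress
import json
from collections import Counter

# Constructed eve.json records for illustration: sids and signature names are made up, and
# the external addresses come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE_EVE = [
    '{"event_type":"alert","src_ip":"192.168.1.20","dest_ip":"192.168.1.5","alert":{"signature_id":9000001,"signature":"ET POLICY Example SMB executable transfer"}}',
    '{"event_type":"alert","src_ip":"192.168.1.30","dest_ip":"192.168.1.255","alert":{"signature_id":9000002,"signature":"ET INFO Example NetBIOS name query"}}',
    '{"event_type":"alert","src_ip":"192.168.1.40","dest_ip":"203.0.113.10","alert":{"signature_id":9000003,"signature":"ET MALWARE Example CnC beacon"}}',
    '{"event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.168.1.40","alert":{"signature_id":9000004,"signature":"ET CNC Example Feodo tracker hit"}}',
    '{"event_type":"flow","src_ip":"192.168.1.1","dest_ip":"192.168.1.5"}',
    'this line is not JSON and must be skipped',
]
# RFC 1918 only: ipaddress's is_private would also treat the documentation ranges as internal.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    """True when ip falls inside an RFC 1918 range."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def rule_family(signature):
    """'ET POLICY ...' -> 'ET POLICY', the group OPNsense lists as ET open/policy."""
    parts = signature.split()
    if len(parts) >= 2 and parts[0] == "ET":
        return f"{parts[0]} {parts[1]}"
    return parts[0] if parts else "UNKNOWN"

def parse_alerts(lines):
    """Keep only alert records; other event types and malformed lines are dropped."""
    alerts = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert" and "signature" in rec.get("alert", {}):
            alerts.append(rec)
    return alerts

def summarize(lines, internal_threshold=0.8):
    """Count alerts per family and flag families that fire mostly LAN-to-LAN (likely noise)."""
    total, internal = Counter(), Counter()
    for rec in parse_alerts(lines):
        fam = rule_family(rec["alert"]["signature"])
        total[fam] += 1
        if is_internal(rec["src_ip"]) and is_internal(rec["dest_ip"]):
            internal[fam] += 1
    noisy = sorted(f for f in total if internal[f] / total[f] >= internal_threshold)
    return {"total": dict(total), "internal": dict(internal), "noisy_candidates": noisy}
```

To run it against real data, pass the lines of your Suricata EVE log (on OPNsense typically under /var/log/suricata/) to summarize() instead of SAMPLE_EVE; a family that lands in noisy_candidates is one to keep in IDS mode or disable rather than enable in IPS.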


🧩 6. Conclusion: More Rules ≠ More Security

Suricata becomes effective not by enabling everything, but by enabling the right things.

Best practice:

💡 Enable abuse.ch RuleSets
💡 Enable essential ET Open categories
💡 WAN = IPS, LAN = IDS
💡 Avoid noisy categories
💡 Combine with Zenarmor for L7 control

This gives you strong protection with minimal risk and minimal maintenance effort.
