# Intrusion Prevention System (IPS)

[With IPFire 2.23 - Core Update 130](https://blog.ipfire.org/post/introducing-ipfire-s-new-intrusion-prevention-system), IPFire uses [Suricata](https://www.suricata-ids.org/) as its IPS. Suricata is secure and fast: on a fast system it can inspect multiple gigabits per second of traffic and search it for anything malicious.

### How does it work?

In IPFire, the IPS supplements the packet filter. The packet filter can only classify traffic by IP address, protocol and port; the IPS can also look into the packet itself. By decoding protocols such as DNS, HTTP and many more, it gathers additional knowledge about the traffic and can identify unexpected behaviour, for example a request that matches a known attack pattern on a port the packet filter would otherwise allow.

Packets pass through the IPS before they reach the firewall engine. The [](../geoip-block), however, works in front of the IPS, so traffic it blocks is never inspected. If the IPS considers a packet malicious, the packet is dropped.

## Configuration

FIXME Add screenshot of main page

Configuring the IPS takes a couple of steps. On the main page, the system can be enabled or disabled.

At least one network zone has to be selected. All traffic coming from or going to a selected zone is passed to the IPS and filtered. Traffic of deselected zones passes through the firewall without being scanned.

### Monitor Only Mode

Traffic can also just be analysed: the IPS then takes no action when it considers a packet dangerous. The packet is logged but still passes into the network.

This is useful for debugging rulesets and when you are unsure whether you are accidentally over-blocking. Keep in mind that while this mode is active the IPS only detects and does not prevent anything, so it should not stay enabled permanently on a system that is supposed to block attacks.

### Whitelisting Hosts

In case of constant false positives, hosts can be whitelisted. Hosts on this list are no longer blocked by the IPS.

FIXME Screenshot

As well as single hosts, whole networks (with subnet mask) can be whitelisted, too.

Whitelisting applies to all rules, not only to the one that produced the false positive. Use it sparingly and only for hosts you trust; if a single rule is responsible, it is usually better to deselect that rule in the ruleset instead.

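To make the decision path concrete, here is a small Python model of it: zone traffic is first checked against the whitelist, then against the rules, and the verdict depends on whether Monitor Only Mode is active. This is an added example for this page, not IPFire's or Suricata's own code. The rules, packets and addresses are constructed, and the model assumes that a whitelisted address is exempt whether it is the source or the destination of a packet.

```python
"""Model of the IPS decision path on this page: whitelist, rule match, verdict.

Added example for this wiki page; it is not IPFire or Suricata code. All
rules, packets and addresses are constructed for illustration, and the
model assumes a whitelisted address is exempt as source or as destination.
"""
import ipaddress
import re

# Constructed signatures: action the rule asks for, transport protocol,
# destination port (None = any) and a byte pattern that must occur in the payload.
RULES = [
    {"sid": 9000001, "action": "drop", "proto": "tcp", "dport": 80,
     "pattern": re.compile(rb"/etc/passwd"), "msg": "EXAMPLE path traversal"},
    {"sid": 9000002, "action": "alert", "proto": "udp", "dport": 53,
     "pattern": re.compile(rb"\x07example\x07invalid\x00"),  # DNS wire-format name
     "msg": "EXAMPLE lookup of a placeholder domain"},
]

# Whitelist as it would be entered on the page: one host, one network with mask.
WHITELIST = ["192.168.1.20", "10.0.0.0/8"]

# Constructed DNS query for example.invalid (header + question section).
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x07example\x07invalid\x00\x00\x01\x00\x01")

# Constructed packets: source, destination, transport protocol, destination port, payload.
PACKETS = {
    "lfi_from_internet": {"src": "203.0.113.7", "dst": "192.168.1.10", "proto": "tcp",
                          "dport": 80, "payload": b"GET /../../etc/passwd HTTP/1.1\r\n"},
    "lfi_from_whitelisted_host": {"src": "192.168.1.20", "dst": "192.168.1.10", "proto": "tcp",
                                  "dport": 80, "payload": b"GET /../../etc/passwd HTTP/1.1\r\n"},
    "dns_from_whitelisted_net": {"src": "10.20.30.40", "dst": "192.168.1.1", "proto": "udp",
                                 "dport": 53, "payload": DNS_QUERY},
    "dns_from_internet": {"src": "203.0.113.8", "dst": "192.168.1.1", "proto": "udp",
                          "dport": 53, "payload": DNS_QUERY},
    "tls_from_internet": {"src": "198.51.100.9", "dst": "192.168.1.10", "proto": "tcp",
                          "dport": 443, "payload": b"\x16\x03\x01"},
}


def parse_whitelist(entries):
    """Turn whitelist entries into networks; a bare host becomes a /32 (or /128)."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def is_whitelisted(packet, networks):
    """Model assumption: a listed address is exempt as source or as destination."""
    src = ipaddress.ip_address(packet["src"])
    dst = ipaddress.ip_address(packet["dst"])
    return any(src in net or dst in net for net in networks)


def match_rules(packet, rules):
    """Every rule whose protocol, destination port and payload pattern fit the packet."""
    return [r for r in rules
            if r["proto"] == packet["proto"]
            and (r["dport"] is None or r["dport"] == packet["dport"])
            and r["pattern"].search(packet["payload"])]


def inspect(packet, rules, networks, monitor_only=False):
    """Return (verdict, matched SIDs).

    "pass"  - forwarded untouched (no match, or whitelisted host)
    "alert" - logged but forwarded (alert rule, or any rule in monitor-only mode)
    "drop"  - logged and discarded (drop rule while the IPS is blocking)
    """
    if is_whitelisted(packet, networks):
        return "pass", []
    hits = match_rules(packet, rules)
    if not hits:
        return "pass", []
    sids = sorted(r["sid"] for r in hits)
    if monitor_only or not any(r["action"] == "drop" for r in hits):
        return "alert", sids
    return "drop", sids


def verdicts(monitor_only=False):
    """Verdict for every constructed packet, in blocking or monitor-only mode."""
    networks = parse_whitelist(WHITELIST)
    return {name: inspect(p, RULES, networks, monitor_only)[0]
            for name, p in PACKETS.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print("monitor only" if mode else "blocking", verdicts(mode))
```

Running it shows the two effects described above: the traversal attempt from the whitelisted host passes without inspection even though it matches a drop rule, and in monitor-only mode the same attempt from the internet is only alerted on instead of dropped.
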
## Rulesets

In this configuration area, all settings for downloading and updating the ruleset, and of course the choice of ruleset itself, are made.
The ruleset is one of the most important parts of an IPS. It defines what is scanned for and what can be found. Rules basically work like the signatures of a virus scanner, and therefore they have to be kept up to date, too.

* [](./rulesets)
FIXME - Picture of the ruleset section

To get a ruleset, choose the desired one from the dropdown box and, if necessary, enter the registration code in the input field. Then hit the "Save" button for the changes to take effect. The download of the rule database starts automatically and the rules are extracted. This may take a while; the speed depends on your internet connection and on the clock speed of your CPU.

### IDS rules

This option selects which ruleset is used. There are currently four sources available:

- *Emergingthreats.net Community Rules* -- Free, community-maintained rules ([further information](http://docs.emergingthreats.net/)). They cover scanning activity, attack patterns against various protocols, blacklists and more. No registration is required to use them.
- *Snort/VRT GPLv2 Community Rules* -- Free, GPL-licensed Snort rules. The quality is usually good. According to the [Snort blog](https://blog.snort.org/2013/03/the-sourcefire-vrt-community-ruleset-is.html), no registration is required.
- *Sourcefire VRT rules for registered users* -- These rules are usually more than 30 days old and can be used for free, but registration is required. Their quality is usually a bit better than that of the *Emergingthreats.net Community Rules*.
- *Sourcefire VRT rules with subscription* -- Same as above, but they cost money and are more current. These are useful in production environments where reliable and up-to-date IDS rules are needed.

#### Choose rules
This part is the most difficult: you need to choose which rules should be active.

This decision depends on the needs of your network (such as the operating systems in use, the active services and the protocols in use). Please refer to the homepage of your rule source for further information about the purpose of the individual rule categories:

* [Snort](https://www.snort.org/rules_explanation)
* [Emerging Threats](http://doc.emergingthreats.net/bin/view/Main/EmergingFAQ#What_is_the_general_intent_of_ea)

Some rules are based on blacklists (such as the Emerging Threats CIArmy list) and only indicate that a certain IP address has a bad reputation for some reason. If such an address appears in the log files, this does not necessarily mean that it attacked your firewall, unless it also triggered some other rules. Nevertheless, it is usually safe to use IDS rules based on blocklists, since these lists are very conservative most of the time, which makes blocking a legitimate IP address very unlikely.

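The distinction in the previous paragraph, an address that merely appears on a list versus one that also triggered behavioural rules, is easy to make mechanically when reviewing the logs. The following Python snippet is an added example for this page, not part of IPFire or its tooling. The log lines are constructed in the shape of Suricata EVE JSON alert records; the addresses, SIDs and signature names are placeholders, and the assumption that reputation rules can be recognised by the message prefix "EXAMPLE REPUTATION" must be replaced by whatever prefix your ruleset uses for its blocklist rules.

```python
"""Triage IPS alerts per source address: reputation-only hits versus hosts
that also triggered behavioural rules.

Added example for this wiki page, not part of IPFire. The log lines are
constructed in the shape of Suricata EVE JSON alert records; addresses,
SIDs and signature names are placeholders. Which signatures count as
reputation rules is an assumption (message prefix "EXAMPLE REPUTATION").
"""
import json
from collections import defaultdict

# Assumption: reputation / blocklist rules share a common message prefix.
REPUTATION_PREFIXES = ("EXAMPLE REPUTATION",)

# Constructed log: one JSON record per line, with a non-alert event and a
# damaged line mixed in, as a real log file would have.
EVE_LOG = """\
{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"alert","src_ip":"203.0.113.45","dest_ip":"192.0.2.1","dest_port":443,"proto":"TCP","alert":{"action":"blocked","signature_id":9100001,"signature":"EXAMPLE REPUTATION listed source","category":"Misc Attack"}}
{"timestamp":"2024-05-01T10:00:02.000000+0000","event_type":"alert","src_ip":"203.0.113.45","dest_ip":"192.0.2.1","dest_port":22,"proto":"TCP","alert":{"action":"blocked","signature_id":9100002,"signature":"EXAMPLE SCAN SSH brute force","category":"Attempted Administrator Privilege Gain"}}
{"timestamp":"2024-05-01T10:00:03.000000+0000","event_type":"flow","src_ip":"10.0.0.1","dest_ip":"192.0.2.1","dest_port":80,"proto":"TCP"}
{"timestamp":"2024-05-01T10:00:04.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.1","dest_port":25,"proto":"TCP","alert":{"action":"blocked","signature_id":9100001,"signature":"EXAMPLE REPUTATION listed source","category":"Misc Attack"}}
{"timestamp":"2024-05-01T10:00:05.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.1","dest_port":443,"proto":"TCP","alert":{"action":"blocked","signature_id":9100001,"signature":"EXAMPLE REPUTATION listed source","category":"Misc Attack"}}
not json at all
"""


def is_reputation_rule(signature):
    """True if the signature message starts with one of the reputation prefixes."""
    return signature.startswith(REPUTATION_PREFIXES)


def triage(lines):
    """Group alerts by source IP and decide whether the host did more than appear on a list.

    Returns {src_ip: {"hits": n, "reputation": {sig, ...}, "behavioural": {sig, ...},
                      "verdict": "reputation-only" | "behavioural"}}.
    """
    per_src = defaultdict(lambda: {"hits": 0, "reputation": set(), "behavioural": set()})
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # damaged line: skip it rather than abort the whole run
        if event.get("event_type") != "alert":
            continue  # flow, dns, http ... records are not alerts
        entry = per_src[event["src_ip"]]
        entry["hits"] += 1
        signature = event["alert"]["signature"]
        bucket = "reputation" if is_reputation_rule(signature) else "behavioural"
        entry[bucket].add(signature)
    for entry in per_src.values():
        entry["verdict"] = "behavioural" if entry["behavioural"] else "reputation-only"
    return dict(per_src)


if __name__ == "__main__":
    for src, info in triage(EVE_LOG.splitlines()).items():
        print(src, info["verdict"], info["hits"],
              sorted(info["behavioural"] | info["reputation"]))
```

In the constructed log, 203.0.113.45 hit a reputation rule and then a scan rule, so it did something beyond being listed; 198.51.100.7 produced two alerts but both from the same reputation rule, which is the "listed, but not necessarily attacking you" case the text describes.
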
No general recommendation can be given here; the right selection depends on your network.

Select the rules you want to be active by clicking the checkbox. After that, hit the "update" button at the end of the web page. The IDS restarts to apply the changes.

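The rule files behind those checkboxes are plain text in Suricata/Snort rule syntax, and it helps to know what the IPS actually loads from them: a rule that is commented out with `#` stays in the file but is disabled, and a category that is not ticked contributes nothing at all. The Python below parses such files and computes the resulting set of active rules. It is an added example for this page, not IPFire's own ruleset handling; the rule text is constructed, and the SIDs (9000000 range), messages and file names are placeholders that do not refer to any real ruleset entry.

```python
"""Parse rules in Suricata/Snort syntax and compute the active selection.

Added example for this wiki page, not IPFire's own ruleset handling. The
rule text is constructed: the SIDs (9000000 range), messages and file
names are placeholders and do not refer to any real ruleset entry.
"""
import re

# Header of a rule: action, protocol, source, source port, direction,
# destination, destination port. Everything else lives in the (...) options.
HEADER_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+"
    r"(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*$"
)

# A ruleset as the IPS sees it: one file per category; a rule commented
# out with '#' is disabled but still present in the file.
RULESET = {
    "example-scan.rules": '''
# constructed rules for illustration; not part of any published ruleset
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SCAN SSH banner probe; placeholder"; flow:to_server; content:"SSH-"; depth:4; classtype:attempted-recon; sid:9000001; rev:1;)
#drop tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"EXAMPLE SCAN telnet login"; classtype:attempted-recon; sid:9000002; rev:2;)
''',
    "example-reputation.rules": '''
drop ip [203.0.113.0/24] any -> $HOME_NET any (msg:"EXAMPLE REPUTATION listed source"; classtype:misc-attack; sid:9000003; rev:1;)
''',
    "example-web.rules": '''
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE WEB path traversal"; content:"../"; http_uri; classtype:web-application-attack; sid:9000004; rev:3;)
''',
}


def split_options(text):
    """Split the option block on semicolons that are not inside quotes."""
    parts, current, in_quote, escaped = [], [], False, False
    for ch in text:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == '"':
            current.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return [p for p in parts if p]


def parse_rule(line):
    """Parse one line; None for blanks and ordinary comments.

    A rule commented out with '#' is returned with enabled=False. Repeated
    keywords (several 'content' options) keep the last value, which is
    enough for selecting rules but not for matching traffic.
    """
    line = line.strip()
    if not line:
        return None
    enabled = True
    if line.startswith("#"):
        body = line.lstrip("#").strip()
        if not HEADER_RE.match(body.split("(", 1)[0]):
            return None  # an ordinary comment, not a disabled rule
        enabled, line = False, body
    if "(" not in line or not line.endswith(")"):
        raise ValueError(f"malformed rule: {line!r}")
    header, options = line[: line.index("(")], line[line.index("(") + 1 : -1]
    m = HEADER_RE.match(header.strip())
    if not m:
        raise ValueError(f"bad rule header: {header!r}")
    rule = m.groupdict()
    rule["enabled"] = enabled
    rule["options"] = {}
    for opt in split_options(options):
        key, _, value = opt.partition(":")
        rule["options"][key.strip()] = value.strip().strip('"')
    rule["sid"] = int(rule["options"]["sid"])
    rule["msg"] = rule["options"].get("msg", "")
    return rule


def parse_ruleset(files):
    """files: {category file name: rule text}; rules come back tagged with their category."""
    rules = []
    for category, text in files.items():
        for line in text.splitlines():
            rule = parse_rule(line)
            if rule is not None:
                rule["category"] = category
                rules.append(rule)
    return rules


def active_sids(rules, enabled_categories, disabled_sids=frozenset()):
    """SIDs that get loaded: category ticked, not commented out, not individually disabled."""
    return sorted(r["sid"] for r in rules
                  if r["category"] in enabled_categories
                  and r["enabled"] and r["sid"] not in disabled_sids)


if __name__ == "__main__":
    rules = parse_ruleset(RULESET)
    for r in rules:
        print(r["category"], r["sid"], r["action"], "on" if r["enabled"] else "off", r["msg"])
    print("active:", active_sids(rules, {"example-scan.rules", "example-web.rules"}))
```

The option splitter is the part worth studying: a `msg` string may itself contain a semicolon, so splitting naively on `;` would corrupt the parse. The `active_sids` call at the end mirrors the page's checkbox selection: with only the scan and web categories ticked, SID 9000003 is not loaded, and SID 9000002 never is because it is commented out in its file.
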
FIXME - Move the following to its own wiki page

## Performance Considerations

A deep analysis of traffic requires a lot of resources in terms of CPU and memory. [Read more](./performance-considerations) about which resources are needed for which environment.

## FAQ

### What is an Intrusion Prevention System?

An [](wp>Intrusion Detection System) (IDS) is a program or framework that analyses network traffic in order to detect certain attacks. It does not replace a packet filter (which is enabled in IPFire by default, see [](/configuration/firewall)), but it can eliminate some of the packet filter's limitations.

There are basically two types of IDS: Host-based Intrusion Detection Systems (HIDS), which run on a single computer, and Network-based Intrusion Detection Systems (NIDS). A NIDS is able to protect a complete network and traditionally runs on a firewall, gateway or dedicated server.

A second classification can be made by the action taken when an intrusion has been detected. A typical IDS or NIDS reports and logs malicious activity but does not take any action against it. An [](wp>Intrusion Prevention System) (IPS), also known as an Intrusion Detection and Prevention System (IDPS), is a program or security appliance that monitors network or system activity for malicious behaviour, logs information about it, reports it and attempts to block or stop it.

IPFire features a Network-based Intrusion Detection System with Intrusion Prevention System capabilities.

## Further Reading

* [The Snort Cookbook](https://ssearch.oreilly.com/?q=Snort+Cookbook)
* [Overview of the Emergingthreats.net Community Rules](http://docs.emergingthreats.net/bin/view/Main/AllRulesets)
* [FAQ to the Emergingthreats.net Community Rules](http://docs.emergingthreats.net/bin/view/Main/EmergingFAQ)
* [The CIArmy list (blacklist)](http://cinsscore.com/#list)
* [Open Threat Intelligence](https://cymon.io/)
* [Mailing list for updates to the Emerging Threats IDS rules](https://lists.emergingthreats.net/mailman/listinfo/emerging-updates)
* [SpamHaus DROP list](https://www.spamhaus.org/drop/)