
# Intrusion Prevention System (IPS)
 
[With IPFire 2.23 - Core Update 130](https://blog.ipfire.org/post/introducing-ipfire-s-new-intrusion-prevention-system), IPFire employs [Suricata](https://www.suricata-ids.org/) as its IPS, which is secure and fast. On a fast system it can analyse multiple gigabits per second of traffic and search it for anything malicious.
 
### How does it work?
 
In IPFire, the IPS supplements the packet filter: it not only classifies traffic by IP address, protocol and port, but also looks into the packet itself. By decoding protocols like DNS, HTTP and many more, it gathers additional knowledge about the traffic and identifies unexpected behaviour.

Packets are passed through the IPS before they are handed to the firewall engine. However, the [GeoIP block](../geoip-block) works in front of the IPS. If a packet is considered malicious, it is dropped by the IPS.
 
## Configuration
 
FIXME Add screenshot of main page
 
The configuration of the IPS has a couple of different steps. On the main page, the system can be enabled or disabled.

At least one network zone has to be selected. All traffic coming from or going to that zone is passed to the IPS and filtered. Traffic of deselected zones passes through the firewall without being scanned.
 
### Monitor Only Mode
 
Traffic can also just be analysed without the IPS taking any action when a packet is considered dangerous. The packet is logged, but passes into the network.

This is useful for debugging rulesets and when you are not sure whether you are accidentally overblocking.
 
### Whitelisting Hosts
 
In case of constant false positives, hosts can be whitelisted. They will no longer be blocked while they are on this list.
 
FIXME Screenshot
 
As well as hosts, networks (including subnet mask) can be whitelisted.
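The whitelist maps onto Suricata's `pass` action, which is evaluated before any drop or alert rule. As an added example (not IPFire's own code, which builds the list internally), this script turns a constructed whitelist of hosts and networks into `pass` rules and rejects malformed entries instead of silently widening them; the input format and the rule sids are assumptions.

```python
"""Turn an IPS whitelist (hosts and networks) into Suricata 'pass' rules.

Added example, not IPFire's own code. Assumptions: one entry per line,
'#' starts a comment, a remark may follow the address, and rule sids
are assigned from a constructed base value.
"""
import ipaddress

# Constructed sample whitelist: a host, networks with subnet mask in both
# notations, and a malformed entry that must be rejected, not guessed.
SAMPLE_WHITELIST = """\
# host: everything to and from it passes the IPS
192.0.2.10             mail relay (false positives on SMTP rules)
198.51.100.0/24        VoIP phones
10.0.0.0/255.255.0.0   office LAN (netmask notation)
not-an-address         typo
"""

def parse_whitelist(text):
    """Return (networks, rejected_lines). Hosts become /32 or /128;
    strict=False turns '10.0.0.1/24' into 10.0.0.0/24."""
    networks, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            networks.append(ipaddress.ip_network(line.split()[0], strict=False))
        except ValueError:
            rejected.append(raw)
    return networks, rejected

def pass_rules(networks, base_sid=9000000):
    """One bidirectional 'pass' rule per entry. Suricata evaluates 'pass'
    before drop/alert, so matching traffic is never blocked. Each rule
    needs a unique sid; the base is a constructed value."""
    return [
        f'pass ip {net.with_prefixlen} any <> any any '
        f'(msg:"IPS whitelist {net.with_prefixlen}"; sid:{base_sid + i}; rev:1;)'
        for i, net in enumerate(networks)
    ]

if __name__ == "__main__":
    nets, bad = parse_whitelist(SAMPLE_WHITELIST)
    print("\n".join(pass_rules(nets)))
    for line in bad:
        print("rejected:", line.strip())
```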
 
## Rulesets
 
The ruleset is one of the most important parts of an IPS. It defines what is scanned and what can be found. Rules basically work like the signatures of a virus scanner, so they have to be kept up to date, too.

* [Rulesets](./rulesets)
* [Rule selection](./rule-selection)
 
### Choose rules

This part is the most difficult: you need to choose which rules should be active.
 
![](configuration/services/snot_rules.png)
 
This decision depends on the needs of your network (operating systems in use, active services, protocols in use). Please refer to the homepage of your rule source for further information about the purpose of the individual rule categories:
 
* [Snort](https://www.snort.org/rules_explanation)
* [Emerging Threats](http://doc.emergingthreats.net/bin/view/Main/EmergingFAQ#What_is_the_general_intent_of_ea)
 
 
Some rules are based on blacklists (such as the Emerging Threats CIArmy list) and indicate that a certain IP address has a bad reputation for some reason. If such an address appears in the log files, this does not necessarily mean that it attacked your firewall, unless it also triggered some other rules. Nevertheless, it is usually safe to use IDS rules based on blocklists, since they are very conservative most of the time, making the blocking of a legitimate IP address very unlikely.
 
We cannot give you any advice here.
 
Select the rules you want to be active by clicking the checkbox. After that, hit the "update" button at the end of the web page. The IDS restarts to apply the changes.
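The selection made with the checkboxes comes down to enabling or disabling individual rules by their sid. As an added example, not IPFire's code, this script applies such a selection to a constructed Suricata ruleset and separately reports the enabled blocklist-derived rules discussed above; recognising those by a msg prefix such as `ET CINS` is an assumption.

```python
"""Apply a rule selection to a Suricata ruleset file (added example, not
IPFire's own code). Disabled rules stay as '#'-commented lines so they
can be re-enabled later. Assumption: blocklist-derived rules are
recognised by their msg prefix, e.g. "ET CINS" for the CIArmy rules."""
import re

# Constructed ruleset: two enabled rules, one shipped disabled, a comment.
SAMPLE_RULES = """\
# constructed sample rules
alert dns any any -> any 53 (msg:"ET DNS Query to a *.top domain"; dns.query; content:".top"; endswith; sid:2000001; rev:1;)
#alert http any any -> any any (msg:"ET POLICY Outdated Flash"; content:"Flash"; sid:2000002; rev:1;)
drop ip [203.0.113.5,203.0.113.6] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 1"; sid:2000003; rev:1;)
"""

RULE_RE = re.compile(
    r'^(?P<off>#\s*)?(?P<action>alert|drop|pass|reject)\s.*?'
    r'msg:"(?P<msg>[^"]*)".*?sid:(?P<sid>\d+);'
)
BLOCKLIST_PREFIXES = ("ET CINS",)  # assumption, see lead-in

def parse_rules(text):
    """Yield (sid, msg, enabled) for every rule line, skipping comments."""
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            yield int(m["sid"]), m["msg"], m["off"] is None

def apply_selection(text, enabled_sids):
    """Return (new_text, enabled_blocklist_sids).

    Rules whose sid is in enabled_sids are uncommented, all others are
    commented out. Enabled blocklist rules are reported separately: a hit
    on them means bad reputation, not necessarily an attack.
    """
    out, blocklist = [], []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            out.append(line)  # plain comment or blank line, keep as-is
            continue
        sid, body = int(m["sid"]), line.lstrip("# ")
        if sid in enabled_sids:
            out.append(body)
            if m["msg"].startswith(BLOCKLIST_PREFIXES):
                blocklist.append(sid)
        else:
            out.append("# " + body)
    return "\n".join(out) + "\n", blocklist
```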
 
FIXME - Move the next stuff to an own wiki page
 
## Performance Considerations
 
A deep analysis of traffic requires a lot of CPU and memory. [Read more](./performance-considerations) about which resources are needed for which environment.
 
## FAQ
 
### What is an Intrusion Prevention System?
 
An [Intrusion Detection System](wp>Intrusion Detection System) (IDS) is a program or framework that analyses network traffic in order to detect certain attacks. It does not replace a packet filter (which is enabled in IPFire by default, see [Firewall](/configuration/firewall)), but it can overcome some of its limitations.

There are basically two types of IDS: Host-based Intrusion Detection Systems (HIDS), which run on a single computer, and Network-based Intrusion Detection Systems (NIDS). A NIDS is able to protect a complete network and traditionally runs on a firewall, gateway or dedicated server.

A second classification can be made by the action taken once an intrusion has been detected. A typical IDS or NIDS reports and logs malicious activity but does not take any action against it. An [Intrusion Prevention System](wp>Intrusion Prevention System) (IPS), also known as an Intrusion Detection and Prevention System (IDPS), is a program or security appliance that monitors network or system activity for malicious behaviour, logs information about it, reports it and attempts to block or stop it.
 
IPFire features a Network-based Intrusion Detection System with Intrusion Prevention System capabilities.
 
## Further Reading
 
* [The Snort Cookbook](https://ssearch.oreilly.com/?q=Snort+Cookbook)
* [Overview of the Emergingthreats.net Community Rules](http://docs.emergingthreats.net/bin/view/Main/AllRulesets)
* [FAQ to the Emergingthreats.net Community Rules](http://docs.emergingthreats.net/bin/view/Main/EmergingFAQ)
* [The CIArmy list (blacklist)](http://cinsscore.com/#list)
* [Open Threat Intelligence](https://cymon.io/)
* [Mailing list for updates to the Emerging Threats IDS rules](https://lists.emergingthreats.net/mailman/listinfo/emerging-updates)
* [SpamHaus DROP list](https://www.spamhaus.org/drop/)