Netgate Discussion Forum

    Understanding Snort "Block Offenders" and "IPS Policy Selection" options

      vinc.pii

      The "IPS Policy Selection" in the Snort "<iface> Categories" configuration has the following description:

      Connectivity blocks most major threats with few or no false positives. Balanced is a good starter policy. It is speedy, has good base coverage level, and covers most threats of the day. It includes all rules in Connectivity. Security is a stringent policy. It contains everything in the first two plus policy-type rules such as a Flash object in an Excel file.

      It's not clear to me how this relates to the "Block Offenders" option in "<iface> Settings".

      I assume that, if "Block Offenders" is not checked, then Snort works purely as IDS, so it won't block anything, regardless of how the "IPS Policy Selection" is configured. Is this correct?

      So, the "IPS Policy Selection" only determines what is identified as an intrusion. Whether this is blocked or not then depends on the "Block Offenders" status. Is this correct?

      Many thanks to anyone who can help clarify this!

      P.S.: I also posted this on the pfSense subreddit, but it was for some reason removed.

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.