Netgate Discussion Forum

    Do I Need IPS ?

    • DaddyGo @bmeeks

      @bmeeks said in Do I Need IPS ?:

      Agree wholeheartedly with @johnpoz here. On a home network, an IPS requires a lot of upfront knowledge to configure and a lot of labor to maintain.

      Hi Bill,
      Long time no "see", but I hope all is well.

      Very true, but I still love this approach (if I can call it IPS stuff). Sure, yes, the learning curve can be steep, but let's not take away anyone's enthusiasm.
      When you're pushing this in a production environment, you're past a home and/or VM/test system... 😉 (I hope so)

      BTW:
      I'm still impressed by your work 👍

      Cats bury it so they can't see it!
      (You know what I mean if you have a cat)

      • bmeeks @DaddyGo

        @DaddyGo said in Do I Need IPS ?:

        sure, yes, the learning curve can be steep, but let's not take away anyone's enthusiasm.

        I don't mean to discourage someone who wants to try it out for the learning experience, but there are a fair number of users that install it without fully understanding what it is and how to maintain it. They then post here with frustrations because something is blocked. Unintended blocking will happen a lot with a typical home setup unless the admin is skilled in the craft of IDS/IPS.

        But this is also a problem with all of the packages that can "block things" such as Snort, Suricata, pfBlocker, SquidGuard, etc. I am always amazed at the posts where someone installs one or more of those packages on their pfSense and then posts asking "... why is pfSense blocking xyz site?". It makes me want to whack them on the side of their head and ask "do you think it could possibly be one of those packages you installed that are intrinsically designed to block stuff? Have you checked if one of those packages is blocking the desired traffic?" 🙂. And many times it takes two or three rounds of back and forth questions to pry out of them the tidbit that they have indeed installed one (or even several) of the blocking packages.

        • michmoor LAYER 8 Rebel Alliance @bmeeks

          @bmeeks The pros and cons of making a product available to the masses.
          The solution would be to gatekeep this behind a VAR and high cost support packages :)

          Firewall: NetGate,Palo Alto-VM,Juniper SRX
          Routing: Juniper, Arista, Cisco
          Switching: Juniper, Arista, Cisco
          Wireless: Unifi, Aruba IAP
          JNCIP,CCNP Enterprise

          • oznet @michmoor

            @michmoor sounds like I will forgo the IPS aspect and stick to blocking ads

            • JonathanLee

              DO IT!!! IPS/IDS both have fun setting it up too,

              I added some alias rules to do-not-block lists, as SNORT takes some time to fine-tune; once it's tuned, it's great!!

              83 plus blocks in 1 hour of invasive actors.

              Mine even does auto scan blocking; that was fun to set up, as Roblox likes to scan when it starts up.

              I have a nice ACL for it, plus an ignore-scans set

              I ignore a pretty big block of addresses that Roblox uses or Snort blocks them all when it sees a UDP scan

              It's the 1990s Air-Snort application upgraded. Anyone play with that in the 90s? I used to see 0.0.0.0 MACs sometimes back in the day.

              Make sure to upvote

              • DaddyGo @bmeeks

                @bmeeks said in Do I Need IPS ?:

                but there are a fair number of users that install it without fully understanding what it is and how to maintain it.

                yes, this can be seen in many scenarios and when they fall flat on their face they realise what they have done wrong 😊

                +++edit:
                at least they will have something to ask here on the forum

                • DaddyGo @michmoor

                  @michmoor said in Do I Need IPS ?:

                  The solution would be to gatekeep this behind a VAR and high cost support packages :)

                  that would be quite terrible 😊

                  • coxhaus @JonathanLee

                    @JonathanLee
                    Are you running it on the WAN or the LAN side?

                    I plan to run it. I am waiting for 23.09 first.

                    Do any of pfSense's IPS/IDS use Intel's Hyperscan? Maybe that is the real SNORT 3?

                    https://www.intel.com/content/www/us/en/developer/articles/technical/introduction-to-hyperscan.html

                    • JonathanLee @coxhaus

                      @coxhaus WAN. It does take a while to configure this way. Most use LAN today.

                      • coxhaus @JonathanLee

                        @JonathanLee
                        I used WAN years ago. Never used LAN.

                        • DaddyGo @coxhaus

                          @coxhaus said in Do I Need IPS ?:

                          I used WAN years ago. Never used LAN.

                          I do have some problems with this though, pfS "drop" everything on the WAN by default and it's a noisy interface and look at this one Bill knows it best:

                          https://forum.netgate.com/topic/76141/snort-on-lan-wan/5?_=1695283899257

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.