Netgate Discussion Forum

    Which system am I running? NIDS or NIPS

    battles

      I read that Snort can run as an NIDS (network intrusion detection system) or run as an NIPS (network intrusion prevention system).  I am not clear about this.  Can Snort run both at the same time?  How do I determine which system I am running?

      pfSense 2.3.4-RELEASE-p1 (i386)
      FreeBSD 10.3-RELEASE-p19
      pfBlockerNG 2.1.2_1
      Snort Security 3.2.9.5_3
      Intel(R) Atom(TM) CPU N270 @ 1.60GHz

      bmeeks

        On pfSense the distinction between IDS and IPS with Snort is a little fuzzy.  By default the Snort package will run in IDS mode.  You can enable blocking (a kind of IPS mode) on a per-configured-interface basis.  Edit the settings for a Snort interface and you will see an option to "Block Offenders".  When enabled, this turns on an optional output plugin compiled into the Snort binary on pfSense.  This output plugin interfaces with the pf firewall engine to insert "block" rules up near the very top of the pf rule chain (so they will block early in packet traversal).  For each IP address that triggers a Snort alert, the IP address will be added to a pf table called snort2c.  Putting the IP address in that table then results in further packets from that IP being blocked.

        So it's not a true IPS where the packets are simply dropped and never make it through. Instead, Snort uses libpcap to get copies of all the packets traversing the interface. Once it sees enough packets to generate an alert, it pokes the offending IP address into that snort2c pf table and further packets are then blocked (existing states are also killed). How many packets "leak" before the alert and block is generated depends on the specific exploit. Some things block on a single packet, other stuff may need dozens of packets to see the complete "bad guy" pattern.

        The Suricata package, on the other hand, was recently updated to include a true inline IPS mode using Netmap.  Suricata on pfSense can be a true inline IPS.  This is a new feature, though, and some rough spots are still being worked through.  I recently posted an update to the 3.1.1 version of Suricata that is available for testing for folks running either the 2.3.3 pfSense snapshot or the 2.4 one.  Once the new binary looks to be stable, it will be added to the production package server.

        Bill

        battles
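A practical way to answer the original question on the firewall itself is to look at what the blocking plugin actually changes: the pf ruleset (a block rule referencing the snort2c table) and the table's contents. The script below is an added example, not code from this thread or from the pfSense Snort package; it parses constructed stand-ins for `pfctl -sr` and `pfctl -t snort2c -T show` output, and the exact rule wording it matches is an assumption to adjust to your own ruleset.

```shell
#!/bin/sh
# Added example: distinguish "IDS only" from "IDS + pf blocking" on pfSense.
# On the firewall the real inputs come from:
#   pfctl -sr                 # loaded ruleset
#   pfctl -t snort2c -T show  # addresses currently being blocked
# The block rule pattern follows pfSense's "Block snort2c hosts" rules; it is
# an assumption about wording, so check it against your own `pfctl -sr`.

# Returns 0 when the ruleset on stdin contains a block rule that references
# the snort2c table, i.e. alerts are wired into pf blocking.
pf_has_snort2c_rule() {
    grep -Eq '^block .*<snort2c>'
}

# Counts addresses in a "pfctl -t snort2c -T show" listing on stdin
# (pfctl indents each entry; blank lines are ignored).
count_blocked() {
    grep -Ec '^[[:space:]]*[0-9a-fA-F.:]+(/[0-9]+)?[[:space:]]*$'
}

# Classifies the mode from a rules file and a table file.
snort_mode() {
    rules="$1"; table="$2"
    if pf_has_snort2c_rule < "$rules"; then
        n=$(count_blocked < "$table" || true)
        echo "blocking ($n address(es) in snort2c)"
    else
        echo "ids-only (no pf rule references snort2c)"
    fi
}

# Constructed sample input standing in for pfctl output on a test box.
SAMPLE_RULES='scrub in on em0 all fragment reassemble
block drop quick from <snort2c> to any label "Block snort2c hosts"
block drop quick from any to <snort2c> label "Block snort2c hosts"
pass in quick on em0 inet proto tcp from any to (em0) port = ssh flags S/SA keep state'
SAMPLE_TABLE='   192.0.2.10
   198.51.100.7'

printf '%s\n' "$SAMPLE_RULES" > /tmp/pf_rules.$$
printf '%s\n' "$SAMPLE_TABLE" > /tmp/snort2c.$$
snort_mode /tmp/pf_rules.$$ /tmp/snort2c.$$
rm -f /tmp/pf_rules.$$ /tmp/snort2c.$$
```

An empty table with the block rule present still means blocking is enabled; it just has not fired yet, so the rule check, not the table size, is the mode indicator.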

          Thanks. I would really like to install/run Suricata, but since their main support (as I have heard) is the U.S. government, I can't bring myself to trust it. There is too much of a chance that the government will attempt to strong-arm Suricata into installing back doors.
