Understanding Snort "Block Offenders" and "IPS Policy Selection" options



  • The "IPS Policy Selection" in the Snort " <iface>Categories" configuration has the following description:

    Connectivity blocks most major threats with few or no false positives. Balanced is a good starter policy. It is speedy, has good base coverage level, and covers most threats of the day. It includes all rules in Connectivity. Security is a stringent policy. It contains everything in the first two plus policy-type rules such as a Flash object in an Excel file.

    It's not clear to me how this relates to the "Block Offenders" option in " <iface>Settings".

    I assume that, if "Block Offenders" is not checked, then Snort works purely as IDS, so it won't block anything, regardless of how the "IPS Policy Selection" is configured. Is this correct?

    So, the "IPS Policy Selection" only determines what is identified as an intrusion. Whether this is blocked or not then depends on the "Block Offenders" status. Is this correct?

    Many thanks to anyone that can help clarifying this!

    P.S.: I also posted this on the pfsense subreddit, but it was for some reason removed.</iface></iface>