Netgate Discussion Forum

    Does anyone feel IDS/IPS is starting to become a waste of effort?

    General pfSense Questions
    10 Posts 5 Posters 1.3k Views
    • planedrop

      This question has obviously been asked all over the place, but sometimes I like to get fresh opinions. I know there is a constant debate on this one, but as I've seen it, it feels like things are moving more and more towards it NOT being that useful.

      With how much traffic is encrypted now, and the generally very high false positive rate, a part of me thinks it might not be worth the effort of tuning anymore. While I do love to play around with it, as it's intriguing from a netsec standpoint, I really just am not sure even in an enterprise environment, if it's worth the time. To me, things like PFBlocker with a very strict setup might be a better option overall for security.

      Another thing is the performance required, even after solid tuning, is a bit insane on high throughput networks. I've been testing my Netgate 6100 on my home network just for fun. I have a roughly 1.4 gigabit connection; with Suricata enabled and tuned pretty well I was seeing 96% CPU usage, and speeds were closer to 1.1 gigabits vs having it disabled. Really is an insane amount of resource usage IMO, and while I expected this it's just always interesting to test it. For reference, without Suricata enabled the 1.4 gigabit puts CPU usage into the 20-30% mark, and I've easily been able to push 10 gig through this firewall without pegging the CPU.

      Of course many environments don't need speeds beyond gigabit, but in the event you do it's a bit of a challenge to get it done.

      Does anyone else feel the same way? Are you still configuring Suricata/Snort in your environments or are you just leaving it off?

      P.S. yes this was a copy paste from a reddit post which I also created. Tend to get better results here but draft things there.

      • SteveITS @planedrop

        @planedrop BMeeks has in fact mentioned this several times in the IDS forum. It's another layer. It does seem a bit more useful for inbound connections...web, email, etc., although those are also often encrypted. Rule category choice can affect it, e.g. no need for the web server rules if one doesn't have a web server. I have Snort running at home but it only flags a couple things a day.

        For our clients we have IDS, antivirus/antimalware on PCs, Quad9 DNS, pfBlocker, and/or other layers.

        Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to reboot, or more depending on packages, and device or disk speed.
        Upvote 👍 helpful posts!

        • keyser @planedrop

          @planedrop Yeah, I have the same sentiment and have decided to leave suricata out of my next firewall config (I'm doing a ZFS reinstall on my SG-6100) once 22.01 goes release.

          Love the no fuss of using the official appliances :-)

          • planedrop @SteveITS

            @steveits said in Does anyone feel IDS/IPS is starting to become a waste of effort?:

            @planedrop BMeeks has in fact mentioned this several times in the IDS forum. It's another layer. It does seem a bit more useful for inbound connections...web, email, etc., although those are also often encrypted. Rule category choice can affect it, e.g. no need for the web server rules if one doesn't have a web server. I have Snort running at home but it only flags a couple things a day.

            For our clients we have IDS, antivirus/antimalware on PCs, Quad9 DNS, pfBlocker, and/or other layers.

            Makes sense, it for sure is another layer, I just wonder if it's not that useful of one. I personally haven't seen anything legit blocked by it, it's all been false positives in my testing. Of course my testing has been in a home environment, bit less likely for a sophisticated attack.

            I think the big question that hits my head is, how often would something like IDS actually stop something that DNS/IP blocking and other layers wouldn't, if it's extremely low to none then maybe it's not worth it.

            Appreciate the input here!

            • planedrop @keyser

              @keyser said in Does anyone feel IDS/IPS is starting to become a waste of effort?:

              @planedrop Yeah, I have the same sentiment and have decided to leave suricata out of my next firewall config (I'm doing a ZFS reinstall on my SG-6100) once 22.01 goes release.

              Makes sense, I'm leaning this way too. I manage a lot of PFSense firewalls, including for a pretty critical facility, but I've never once seen their suricata installs actually catch something, and way back when we weren't using PFSense, I never saw other firewalls' IDS systems catch anything either.

              Security is of course layers, so it's important to factor that in. But in all reality I think if IDS would have stopped something, but your other layers would have missed it, then maybe you need to reconsider your other layers' effectiveness.

              It's always a balance too, and my personal conclusion is starting to come back to the downsides being worse than the upsides for this subject. For me though the downside could be bigger than in a work environment, since it's very common for me to pull that full 1.4 gigabit on my WAN, so slowing that down would be a constant annoyance.

              • SteveITS @planedrop

                @planedrop said in Does anyone feel IDS/IPS is starting to become a waste of effort?:

                I've never once seen their suricata installs actually catch something

                In our data center (client web hosting, etc.) we get an alert every minute or so. :)

                At 1.4 Gbit do you get that on most sites? The web server and everything in between would have to allow for that...


                • planedrop @SteveITS

                  @steveits said in Does anyone feel IDS/IPS is starting to become a waste of effort?:

                  @planedrop said in Does anyone feel IDS/IPS is starting to become a waste of effort?:

                  I've never once seen their suricata installs actually catch something

                  In our data center (client web hosting, etc.) we get an alert every minute or so. :)

                  At 1.4 Gbit do you get that on most sites? The web server and everything in between would have to allow for that...

                  Interesting data to have for sure. Are those alerts seemingly legit? Do you think they'd be blocked by something else anyway?

                  I use the full bandwidth frequently for downloading large files, games, torrents, etc... Def not needed for general browsing but there are times when someone wants to play a game (this is just one example) that I don't have installed and having to wait longer for that would just be a nuisance when I'm paying for more bandwidth.

                  • SteveITS @planedrop

                    @planedrop said in Does anyone feel IDS/IPS is starting to become a waste of effort?:

                    Are those alerts seemingly legit? Do you think they'd be blocked by something else anyway?

                    Most are. Occasionally a client will block themselves by entering an email password wrong several times, or a rule update is bad. People just scan the Internet for open ports so they will try to connect to anything and everything.

                    We do have other layers, e.g. fail2ban runs on the servers as well.


                    • NollipfSense @planedrop

                      @planedrop said in Does anyone feel IDS/IPS is starting to become a waste of effort?:

                      But in all reality I think if IDS would have stopped something,

                      IDS was never meant to stop anything, just detect. The stopping power is the firewall. Maybe DPDK will come up with a way to unencrypt and look...who knows...the future for sure for IDS/IPS is to do that. The IPS part isn't to block anything per se, but more to put an IP in timeout, and one has three chances of a timeout before the IP is permanently placed on the firewall blocklist...this is how I interpret it...maybe I have it incorrectly.

                      pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
                      pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

                      • bmeeks

                        End-to-end encryption is most definitely diminishing the importance of IDS/IPS. And encrypted payloads can be the source of many false positives. The random encrypted data will occasionally match up with the tested bytes in a rule.

                        There is also the issue of some admins misunderstanding the intent of some rules. For example, there are categories in both Snort and Suricata where the rules are designed to simply detect malformed network traffic. Not all malformed traffic is nefarious. It may just be the result of bad or inexperienced programming on the part of a developer. Some is the result of asymmetrical routing. So rules that detect this type of traffic are really for "information" purposes and do not necessarily belong in the block or drop action list. They usually should be left at ALERT and not elevated to DROP (or block if using Legacy Mode).

                        False positives are the biggest pain with an IDS/IPS. Tracking those down can take a lot of work.

                        In the old days, IDS/IPS was extremely useful. This was especially true when it could peer into the packet payloads. Also, back then, raw traffic rates were typically lower (granted so was CPU horsepower, but you still generally had more CPU power than Internet bandwidth back then). But now looking into payloads is usually not possible unless you use MITM. And 10G Internet traffic can cause even a powerful CPU to sweat bullets when trying to inspect that traffic against several thousand IDS rules.

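Two points in this thread are testable against real alert output: SteveITS's note that rule category choice drives the noise level, and bmeeks's point that rules classified as malformed-traffic detectors belong at ALERT rather than DROP. The script below is an added example, not code from this thread, from Netgate or from the Suricata project. It parses constructed Suricata EVE JSON alert lines (the SIDs, signature text and counts are invented; the IPs are documentation ranges), tallies alerts per signature and per classification, and lists rules that are blocking despite an informational classification. The set of "informational" category names is an assumption chosen for the example; a real deployment would take it from its own classification.config.

```python
import json
from collections import Counter

# Constructed EVE JSON sample (one JSON object per line), modelled on the
# Suricata eve.json alert format. SIDs, signature names and counts are invented
# for this example; the last line imitates a truncated record left by rotation.
SAMPLE_EVE = r'''
{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.0.2.10","proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":9000001,"rev":1,"signature":"EXAMPLE Inbound SSH brute force attempt","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.0.2.10","proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":9000001,"rev":1,"signature":"EXAMPLE Inbound SSH brute force attempt","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2024-01-01T10:00:03.000000+0000","event_type":"flow","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","proto":"TCP"}
{"timestamp":"2024-01-01T10:00:04.000000+0000","event_type":"alert","src_ip":"192.0.2.25","dest_ip":"198.51.100.5","proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":9000002,"rev":1,"signature":"EXAMPLE TCP packet with invalid flag combination","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2024-01-01T10:00:05.000000+0000","event_type":"alert","src_ip":"192.0.2.25","dest_ip":"198.51.100.5","proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":9000002,"rev":1,"signature":"EXAMPLE TCP packet with invalid flag combination","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2024-01-01T10:00:06.000000+0000","event_type":"alert","src_ip":"192.0.2.25","dest_ip":"198.51.100.5","proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":9000002,"rev":1,"signature":"EXAMPLE TCP packet with invalid flag combination","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2024-01-01T10:00:07.000000+0000","event_type":"alert","src_ip":"192.0.2.30","dest_ip":"198.51.100.9","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000003,"rev":1,"signature":"EXAMPLE HTTP response with unusual content-length","category":"Potentially Bad Traffic","severity":2}}
this line is truncated garbage that a log rotation left behind
'''

# Classification descriptions that flag odd or malformed traffic rather than a
# specific attack. Assumed set for this example; take yours from classification.config.
INFORMATIONAL_CATEGORIES = frozenset({
    "Generic Protocol Command Decode",
    "Potentially Bad Traffic",
    "Not Suspicious Traffic",
    "Misc activity",
})


def parse_eve(text):
    """Return only the alert records from EVE JSON text.

    Non-alert event types (flow, dns, ...) are skipped, as are lines that do
    not parse, so a half-written record at rotation time does not abort the run.
    """
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert" and "alert" in rec:
            alerts.append(rec)
    return alerts


def count_by_signature(alerts):
    """Map (sid, signature text) -> alert count, so the noisiest rules surface first."""
    return Counter((a["alert"]["signature_id"], a["alert"]["signature"]) for a in alerts)


def count_by_category(alerts):
    """Map classification description -> alert count (which categories make the noise)."""
    return Counter(a["alert"]["category"] for a in alerts)


def drop_review_candidates(alerts, informational=INFORMATIONAL_CATEGORIES):
    """SIDs that are blocking ("blocked" action) although their classification
    is informational. Each is a candidate to be downgraded from DROP to ALERT."""
    return sorted({a["alert"]["signature_id"] for a in alerts
                   if a["alert"]["action"] == "blocked"
                   and a["alert"]["category"] in informational})


def blocked_src_ips(alerts):
    """Source IP -> number of blocking alerts, to spot a single host (often an
    internal one tripping a malformed-traffic rule) being cut off repeatedly."""
    return Counter(a["src_ip"] for a in alerts if a["alert"]["action"] == "blocked")


if __name__ == "__main__":
    alerts = parse_eve(SAMPLE_EVE)
    print(f"{len(alerts)} alert records")
    for (sid, sig), n in count_by_signature(alerts).most_common():
        print(f"{n:4d}  sid {sid}  {sig}")
    print("by category:", dict(count_by_category(alerts)))
    print("drop rules worth reviewing:", drop_review_candidates(alerts))
    print("sources blocked:", dict(blocked_src_ips(alerts)))
```

On the constructed sample the run shows the pattern the thread describes: the one rule in an informational category is the noisiest and is the one cutting off an internal host, so it is the first candidate to move back to ALERT, while the privilege-gain rule against an external scanner is left blocking. Pointed at a real /var/log/suricata/eve.json the same tallies give a per-rule false-positive budget to tune against rather than a gut feeling.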
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.