ContextQMD
Back to Suricata

IPS Concept

doc/userguide/ips/ips-concept.rst

latest3.2 KB
Original Source

IPS Concept

Intrusion Prevention System mode, or IPS mode, is the Suricata mode that makes it act as a traffic filter.

By default it will allow all traffic, and will use drop or reject rules to block unwanted traffic.

It is generally used inline, where threat detection rules are used to drop known bad traffic.

The inline operations are either on layer 2 (bridge, for example using AF_PACKET or DPDK) or on layer 3 (routing, for example in NFQueue or IPFW).

Differences from the passive IDS mode

TCP stream engine ^^^^^^^^^^^^^^^^^

Where in IDS mode TCP traffic is only inspected after the acknowledgement (ACK) for it has been received, in IPS mode the default behavior is different: new data is inspected immediately, together with previous data where possible. The inspection happens in a sliding window. This behavior is controlled by the stream.inline setting.

In case of overlapping data, the first data Suricata receives is accepted. Follow-up data that overlaps with this is then checked against the first data. If it is different, the traffic on the wire is rewritten to match the first data.

The sliding window inspection can be visualized as such::

Packet 1: [hdr][segment data 1     ]
Segments: [segment data 1     ]
Window:   [ inspection window ]

Packet 2: [hdr][segment data 2]
Segments: [segment data 1     ][segment data 2]
Window:   [ inspection window                 ]

Packet 3: [hdr][segment data 3]
Segments: [segment data 1     ][segment data 2][segment data 3]
Window:            [ inspection window                        ]

Packet 4: [hdr][segment data 4]
Segments: [segment data 2][segment data 3][segment data 4]
Window:            [ inspection window                   ]

Each segment's data is inspected together with the other available data. One consequence of this is that there can be significant rescanning of data, which has a performance impact.

http body inspection ^^^^^^^^^^^^^^^^^^^^

Similar to the sliding window approach in the TCP stream engine, the HTTP body inspection will happen in a sliding manner by default. In IDS mode body data is buffered to the configured settings before inspection.

::

app-layer:
  protocols:
    http:
      libhtp:
         default-config:
           # auto will use http-body-inline mode in IPS mode, yes or no set it statically
           http-body-inline: auto

file.data ^^^^^^^^^

For HTTP, the file.data logic is the same as the body inspection above.

Exception Policies

By default, when IPS mode is enabled, the exception policies are set to block (drop). This is to make sure rules cannot be bypassed due to Suricata reaching an error state in parsing, reaching internal resource limits and other exception conditions.

See :ref:Exception Policies documentation <exception policies>.

Differences from Firewall Mode

The main difference is that unlike IPS mode, Firewall Mode has a default drop policy. This means that a ruleset must be created to allow traffic to be accepted, instead of accepting traffic by default and filtering out unwanted traffic.

See :ref:Firewall Mode Design <firewall mode design>.