Security

Suricata IDS/IPS on pfSense

Detecting and preventing threats

Introduction

To provide security in a network you can deploy IDS or IPS systems. The difference is in the second letter: D stands for detection and P for prevention. Start the system in IDS mode first and only then configure it to become an IPS. Enabling Suricata in IPS mode from the start could be confusing. It is advisable to see what is going on in the network first, so as not to generate too many false-positive alerts and blocks.

Why IDS/IPS?

You may ask why you need an intrusion detection or prevention system.

Disabling uncategorized internal Suricata rules in pfSense

I want to enable only particular rule categories. I do not want to have all these internal Suricata rules, as they cover too broad a variety of cases, including loads of false positives. If one would like to go for deep traffic analysis they would be fine, but if you see “STUN Binding Request On Non-Standard High Port” and know that it is your P2P camera in the LAN, then it is worth disabling all of those things at once. Disabling them is a little bit tricky on a pfSense installation. Go to Interfaces and select the desired one. Be sure to uncheck