Please excuse my cluelessness; this whole Q-Feeds thing slipped past me.
If you could have only one, would it be Q-Feeds, Suricata with feeds, CrowdSec with feeds, or Zenarmor? Probably all of these would be the free tier. I want to put something on my lab and test it for possible use in production. I have Suricata and Zenarmor running in production, though I never really see any hits on Suricata these days (it might not be set up correctly).
Can someone clue me in? I did print the integration document, which I'll read later, but help would be welcome. The goal is to block threats that come in from users on the web, and to block anything trying to get out that my virus scanner didn't catch.
That purely depends on what you are aiming for.
ZA & Suricata are IPSes; ZA is more of an L7 FW.
Q-Feeds & CrowdSec are block rulesets, so an L3 packet filter.
In brief:
ZA & Suricata Benefits
Higher layer inspection.
In the case of ZA, top-notch reporting capable of drilling down and troubleshooting.
If you want to inspect and block traffic based on vectors, then Suricata & ZA are for you.
ZA & Suricata Negatives
Huge performance hit.
I am not sure how Suricata performs now, but in the case of ZA you will be capped at single-core performance.
Q-feeds & Crowdsec Benefits
NO performance hit.
Simple deployment. Q-Feeds, for example, provides just a set of malicious IPs and domains that can be used in any rule in any way you want.
Q-feeds & Crowdsec Negatives
Simple L3 packet filter; do not expect anything fancy.
Manual implementation.
If I had to choose one, I would go with Q-Feeds + extra community-based blocklists such as Spamhaus etc. (I have this now as well, plus ZA). No performance hit, and a good pool of malicious IPs that can be blocked by a rule or a policy.
One note to point out: Q-Feeds maybe doesn't have built-in on-device reporting, except the one that pulls from logs. But their web TIP is extremely good and detailed. I pay for the Plus sub, and the features it gives are worth it.
Regards,
S.
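Added example (not from the post above, and not Q-Feeds', CrowdSec's or OPNsense's own code): how a feed of IPs/CIDRs and domains is split into what an L3 packet filter can match and what it cannot. The feed format (one indicator per line, `#` comments) and the sample indicators are constructed for illustration; real feed formats differ. It shows the point made in the reply: IP entries drop straight into a firewall alias or table, while domain entries only help at DNS or L7 level.

```python
import ipaddress

# Constructed sample feed in an assumed one-indicator-per-line format.
# These are documentation/test addresses and names, not real threat data.
FEED_TEXT = """\
# constructed sample feed (not real indicators)
198.51.100.7
203.0.113.0/24
2001:db8:bad::/48
evil.example          # bare domain, matches subdomains too
cdn.evil.example
"""

# Constructed sample connections as a packet filter would see them, plus the
# hostname an L7 engine (SNI/Host header) would additionally have.
CONNECTIONS = [
    {"src": "10.0.0.5", "dst": "203.0.113.45", "dport": 443, "host": None},
    {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 443, "host": "www.cdn.evil.example"},
    {"src": "10.0.0.7", "dst": "192.0.2.10", "dport": 80, "host": "notevil.example"},
    {"src": "10.0.0.7", "dst": "2001:db8:bad::1", "dport": 25, "host": None},
]


def parse_feed(text):
    """Split feed lines into IP/CIDR networks (L3-usable) and domains (not L3-usable)."""
    nets, domains = [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            domains.add(line.lower().rstrip("."))
    return nets, domains


def ip_listed(ip, nets):
    """True if the address falls inside any listed network (IPv4 and IPv6 kept apart by ipaddress)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def domain_listed(name, domains):
    """Suffix match: a listed 'evil.example' also covers 'www.evil.example'."""
    parts = name.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in domains for i in range(len(parts)))


def verdict(conn, nets, domains):
    """'block:l3' if a plain IP rule catches it, 'block:l7' if only a hostname-aware
    engine (DNS filter, proxy, L7 firewall) would, otherwise 'allow'."""
    if ip_listed(conn["dst"], nets):
        return "block:l3"
    if conn.get("host") and domain_listed(conn["host"], domains):
        return "block:l7"
    return "allow"


def table_entries(nets):
    """Lines you could load into a firewall alias/table file: IPs and CIDRs only."""
    return [str(n) for n in nets]


if __name__ == "__main__":
    nets, domains = parse_feed(FEED_TEXT)
    print("L3 table entries:", table_entries(nets))
    print("domains needing DNS/L7 matching:", sorted(domains))
    for c in CONNECTIONS:
        print(f"{c['src']} -> {c['dst']}:{c['dport']} host={c['host']}: {verdict(c, nets, domains)}")
```

The second and third connections go to the same destination IP; only the hostname separates the bad one from the harmless one, which is exactly the kind of decision an IP-only blocklist rule cannot make and where ZA or Suricata earns its performance cost.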