Hello!
I'm in the process of setting up intrusion protection with Suricata and I am a bit confused after looking at the options and reading the documentation.
What does the "IPS Mode" setting exactly do? I see that it says it blocks traffic. What kind of traffic? Does it block all my rules, even the ones that I have set to alert only?
I want to be able to pick and choose which rules should be blocked, which rules should log alerts and allow, and which rules should be ignored. Does IPS mode need to be enabled to do this?
IDS = intrusion detection system
IPS = intrusion protection system
IDS alerts you about bad traffic and IPS blocks it. The choice is global - i.e. you can't block on some rules and alert on others.
Bart...
Ok... I found out that without IPS enabled, my rules will just alert me (even if they are labeled as block). So it appears that IPS does need to be enabled to block traffic. I am then able to pick and choose which rules will just alert and allow traffic and which rules should alert and drop traffic.
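The per-rule choice the last post arrives at (some rules alert, some drop, some ignored) is expressed in the rule action keyword at the start of each Suricata rule; the drop action only blocks when Suricata runs in IPS mode, otherwise it is logged like an alert. As an added example, not code from this thread or from the Suricata or pfSense projects, here is a small Python helper that rewrites a rules file so that chosen SIDs use drop, chosen SIDs are commented out, and everything else stays on alert. The rules and SIDs are constructed samples, and it assumes you are editing a plain rules file directly rather than through a GUI.

```python
import re

# A Suricata rule line starts with its action keyword; everything after it is
# the header (proto/addresses/ports) and the options in parentheses.
RULE_RE = re.compile(r'^(?P<action>alert|drop|pass|reject)\s+(?P<rest>.*)$')
SID_RE = re.compile(r'\bsid\s*:\s*(?P<sid>\d+)\s*;')

# Constructed sample rules for demonstration only; not real signatures.
SAMPLE_RULES = """\
# constructed sample rules
alert tcp any any -> $HOME_NET 22 (msg:"SSH connection"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 23 (msg:"Telnet connection"; sid:1000002; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP echo"; sid:1000003; rev:1;)
"""


def set_rule_actions(rules_text, drop_sids, disable_sids=()):
    """Return rules_text with rules in drop_sids set to 'drop', rules in
    disable_sids commented out, and all other rules set to 'alert'.
    Comment and blank lines are passed through unchanged."""
    out = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            out.append(line)
            continue
        sid_m = SID_RE.search(line)
        sid = int(sid_m.group('sid')) if sid_m else None
        if sid in disable_sids:
            out.append('# ' + line.strip())          # ignored: never evaluated
        elif sid in drop_sids:
            out.append('drop ' + m.group('rest'))    # blocks only in IPS mode
        else:
            out.append('alert ' + m.group('rest'))   # log and allow
    return '\n'.join(out) + '\n'


def summarize_actions(rules_text):
    """Count rules by effective action; commented-out rules count as 'disabled'."""
    counts = {'alert': 0, 'drop': 0, 'disabled': 0}
    for line in rules_text.splitlines():
        s = line.strip()
        if s.startswith('#') and RULE_RE.match(s.lstrip('# ')):
            counts['disabled'] += 1
            continue
        m = RULE_RE.match(s)
        if m and m.group('action') in counts:
            counts[m.group('action')] += 1
    return counts
```

Running summarize_actions on the rewritten text is a quick way to check, before reloading Suricata, that exactly the rules you intended will drop.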