Better IDS or a deny rule in firewall?

Started by bazbaz, October 30, 2023, 04:05:00 PM

Hi,
I'm using Suricata to block "bad" IPs from public lists, for example "ET open/dshield" or "ET open/compromised".

I don't know if it would be better to create an alias in the firewall, plus a deny rule, instead of using IDS/Suricata.

I know that IDS is more expensive, but it only works after the firewall filter, on open ports only (it is enabled on the internal interface). And I don't know how the firewall works with very large alias lists like these. I don't know the internals, so I cannot work out the best way to block the IPs in these lists with fewer resources.

Any suggestions based on the internals of OPNsense?
Thanks

I've seen Crowdsec recently; it can create dynamic block lists for the firewall filter.

It also integrates with Suricata:
https://www.crowdsec.net/blog/suricata-vs-crowdsec
Hardware:
DEC740

I have been trying to get the IDS to generate the block list, to avoid having to "manually" maintain the firewall rules.

I couldn't figure out how to do it using only Suricata, and Crowdsec with default settings only blocks Suricata severity class 1 events. It doesn't seem like there is any way to use the web UI to change the metadata of Suricata rules; policies only allow you to change the action.

I ended up modifying the Crowdsec parser to filter out all events that have been dropped by Suricata, and I modified the Crowdsec scenario to ban any Suricata event regardless of the severity.

Now I can use the Suricata policies to just drop anything from the compromised and attack categories, and every time the IPs are detected by the IDS they are automatically added to the firewall block list for 7 days.
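As an added illustration of the pipeline the last post describes (this is example code, not any poster's, OPNsense's or Crowdsec's own), the script below reads Suricata's eve.json, keeps only alerts that Suricata actually dropped regardless of severity, and maintains a block list with a 7-day expiry that a firewall URL-table alias can fetch. The eve.json lines are constructed; field names follow Suricata's EVE alert format.

```python
import json
from datetime import datetime, timedelta

BAN_TTL = timedelta(days=7)

# Constructed Suricata eve.json records (sample input, not taken from the thread).
# Field names follow Suricata's EVE alert format; the IPs are documentation ranges.
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2023-10-30T16:05:00.000000+0000","event_type":"alert","src_ip":"198.51.100.23",'
    '"alert":{"action":"blocked","severity":1,"category":"Attempted Administrator Privilege Gain"}}',
    '{"timestamp":"2023-10-30T16:06:00.000000+0000","event_type":"alert","src_ip":"203.0.113.7",'
    '"alert":{"action":"allowed","severity":2,"category":"Misc Attack"}}',
    '{"timestamp":"2023-10-30T16:07:00.000000+0000","event_type":"alert","src_ip":"192.0.2.44",'
    '"alert":{"action":"blocked","severity":3,"category":"Misc activity"}}',
    '{"timestamp":"2023-10-30T16:08:00.000000+0000","event_type":"flow","src_ip":"192.0.2.99"}',
    '{"timestamp":"2023-11-01T09:00:00.000000+0000","event_type":"alert","src_ip":"198.51.100.23",'
    '"alert":{"action":"blocked","severity":2,"category":"Misc Attack"}}',
])

def parse_ts(ts):
    # Suricata writes timestamps like 2023-10-30T16:05:00.000000+0000
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")

def dropped_alerts(eve_text):
    """Yield (src_ip, seen_at) for alerts Suricata actually dropped, at any severity.
    Non-alert records and alerts whose action is "allowed" are skipped."""
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        if ev.get("alert", {}).get("action") != "blocked":
            continue
        yield ev["src_ip"], parse_ts(ev["timestamp"])

def update_bans(bans, eve_text, ttl=BAN_TTL):
    """Merge sightings into bans (ip -> expiry); a repeat sighting extends the ban."""
    for ip, seen in dropped_alerts(eve_text):
        expiry = seen + ttl
        bans[ip] = max(bans.get(ip, expiry), expiry)
    return bans

def expire_bans(bans, now):
    """Drop entries whose ban window has passed."""
    return {ip: exp for ip, exp in bans.items() if exp > now}

def render_alias(bans):
    """One address per line, the format a firewall URL-table alias can fetch."""
    return "\n".join(sorted(bans))
```

Run on a schedule, `render_alias` output written to a file served over HTTP is what the alias refresh would pull; the "allowed" alert and the flow record are deliberately ignored so only traffic the IDS already dropped feeds the list.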