Awareness of IPS blocking

I ran into my first issue with the functionality of the IPS system.

After enabling the Emerging-INFO rules (Emerging Threats community ruleset) I suddenly could not reach the https://covid19.healthdata.org/projections webpage. I figured that the server was overloaded, but only after realizing that my cellphone was able to access the site over its data plan did I check the logs to find that the firewall was blocking access. A few clicks later to turn off the rules and the problem was solved.

My main concern is that the firewall was not letting me know that it was blocking access. When the URL filter blocks, it lets you know and gives you a reason. The IPS system should do the same. You should not have to search a log to find out that the firewall is blocking a request that comes from inside the firewall.

I'm sorry, as far as I know, an IPS does not do what you would like. It's not designed to do that.
It's not content filtering.
Anyway, for IPS/IDS and related rules, don't forget to check the logs after enabling any of them.

The *-INFO rules are to test the IDS. They should not be used in IPS mode because they trigger on legitimate traffic. Disable all *-INFO in IPS mode.

If you check the IPS Log it should also show you which rule was triggered.

Thanks for the feedback.

Navigating through the rules is not easy with the information I have been able to find. I have never seen that the Emerging-INFO rules are not intended for IPS use.

My main frustration was the fact that the only way I was able to see the block occurring was by logging into the firewall and looking at the IPS log which worked well.

Now I will see if I can simply un-click the -INFO rule set or have to un-click each individual rule, as has been discussed.

-INFO contains rules to detect the type of traffic. If you want to block a specific type you can use it for blocking as well, but enabling the whole rule group is not good.
There are more sets of this type like -POLICY or -USER-AGENTS that can be used to block some specific software, file types or networks. Enabling these may also do too much overblocking.
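The two practical points made above (keep the -INFO, -POLICY and -USER-AGENTS groups from dropping traffic in IPS mode, and read the IPS log to see which rule actually fired) can be checked outside the firewall GUI. The script below is an added example, not code from this thread or from any firewall product. It assumes Suricata/Snort-style rule syntax (the format the Emerging Threats rulesets use) and Suricata EVE JSON alert output; the rule text, SIDs (9000001-9000004) and log lines are constructed for the example and are not real Emerging Threats rules.

```python
"""Demote informational ET rule groups from 'drop' to 'alert' and
summarise which signatures are actually blocking traffic.

Added example for the forum thread above; not part of any firewall product.
Assumes Suricata/Snort-style rules and Suricata EVE JSON alerts.
"""
import json
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Rule groups the thread describes as detection-only: log them, never block on them.
INFORMATIONAL_CATEGORIES = {"ET INFO", "ET POLICY", "ET USER_AGENTS"}

# ET rule messages start with the category name, e.g. msg:"ET INFO ...".
MSG_RE = re.compile(r'msg:"(?P<cat>ET [A-Z_]+) [^"]*"')
# The action is the first token of an (uncommented) rule line.
ACTION_RE = re.compile(r"^(?P<ws>\s*)(?P<action>drop|alert|pass|reject)\b")


def rule_category(rule: str) -> Optional[str]:
    """Return the ET category embedded in the rule's msg, or None."""
    m = MSG_RE.search(rule)
    return m.group("cat") if m else None


def demote_informational(rules: Iterable[str]) -> Tuple[List[str], int]:
    """Rewrite 'drop' to 'alert' for rules in informational categories.

    Commented-out rules and every other category are left untouched.
    Returns the rewritten lines and how many rules were changed.
    """
    out: List[str] = []
    changed = 0
    for line in rules:
        m = ACTION_RE.match(line)
        if (
            m
            and m.group("action") == "drop"
            and not line.lstrip().startswith("#")
            and rule_category(line) in INFORMATIONAL_CATEGORIES
        ):
            line = m.group("ws") + "alert" + line[m.end():]
            changed += 1
        out.append(line)
    return out, changed


def blocked_by_signature(eve_lines: Iterable[str]) -> Dict[Tuple[int, str, str], int]:
    """Count blocked alerts per (sid, signature, destination IP).

    EVE 'alert' events carry alert.action = "blocked" when the IPS dropped
    the packet; everything else (allowed alerts, flow/dns events) is skipped.
    """
    counts: Counter = Counter()
    for raw in eve_lines:
        ev = json.loads(raw)
        if ev.get("event_type") != "alert":
            continue
        a = ev["alert"]
        if a.get("action") != "blocked":
            continue
        counts[(a["signature_id"], a["signature"], ev["dest_ip"])] += 1
    return dict(counts)


# Constructed sample rules (SIDs in the 9000000 range are placeholders).
SAMPLE_RULES = [
    'drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Example informational rule"; flow:established,to_server; sid:9000001; rev:1;)',
    'drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Example policy rule"; sid:9000002; rev:1;)',
    'drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Example malware rule"; sid:9000003; rev:1;)',
    '# drop tcp any any -> any any (msg:"ET INFO Example disabled rule"; sid:9000004; rev:1;)',
]

# Constructed EVE JSON lines: two blocks by the INFO rule, one allowed POLICY alert.
SAMPLE_EVE = [
    '{"event_type":"alert","src_ip":"192.168.1.20","dest_ip":"203.0.113.10","alert":{"action":"blocked","signature_id":9000001,"signature":"ET INFO Example informational rule","category":"Misc activity"}}',
    '{"event_type":"flow","src_ip":"192.168.1.20","dest_ip":"203.0.113.10"}',
    '{"event_type":"alert","src_ip":"192.168.1.20","dest_ip":"203.0.113.10","alert":{"action":"allowed","signature_id":9000002,"signature":"ET POLICY Example policy rule","category":"Potential Corporate Privacy Violation"}}',
    '{"event_type":"alert","src_ip":"192.168.1.21","dest_ip":"203.0.113.10","alert":{"action":"blocked","signature_id":9000001,"signature":"ET INFO Example informational rule","category":"Misc activity"}}',
]

if __name__ == "__main__":
    rewritten, n = demote_informational(SAMPLE_RULES)
    print(f"{n} informational rule(s) demoted to alert")
    for sid, sig, dst in sorted(blocked_by_signature(SAMPLE_EVE)):
        print(f"blocked: sid {sid} ({sig}) -> {dst}")
```

Running it on a real rules file and eve.json answers the question raised in the thread directly: which signature blocked the destination you could not reach, and whether that signature belongs to a group that should only have been alerting.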