Intrusion Prevention System - Select all


It would be great to have a “select all” option available or did I miss it?


you do not want that. Selecting all rules is not a good idea, because that assumes that you are running all the services and all the clients that there are in the world. Including Windows 98.

You will need to carefully go through the rules and select what you need. Activating all will result in a large amount of false positives and a super slow IPS.

Makes sense, thank you!

If you would like to witness the carnage, you might try a little sed/awk on the rule files in /var/lib/suricata – removing all the ‘#’ from the front of rule entries that currently start with #drop and #alert.
Good luck with that

LOL, you guys have brilliant ideas :slight_smile:

1 Like

Activating ALL rules would be like the safest firewall on the planet




If you want to live dangerously, and you’re using one of the Talos rulesets, you could try editing /var/ipfire/suricata/oinkmaster-modify-sids.conf and changing ‘balanced-ips’ to ‘security-ips’ in two places. This will enable a lot of extra rules by default the next time there’s a rule update.


  • I haven’t tried this.
  • You will almost certainly end up breaking something.

There are a lot of rules that block applications or traffic flows that are OK in some circumstances but may not be in others. This includes software updates.

Also, as Michael says above, doing this will make IPFire work harder and may well slow down your internet access. You’re much better off going through the rules and enabling the relevant ones, stopping every so often to see if you’ve broken something.

Hi @timf, I tried the mod to oinkmaster-modify-sids.conf and ran update-ids-ruleset. I noticed no change to the number of rules enabled. Also after running update-ids-ruleset, the oinkmaster-modify-sids.conf was re-written with balanced policy as before. I then changed oinkmaster-modify-sids.conf to the security policy again, and I also changed balanced to security in ( at ln 767; my $policy = ‘balanced’; ). and ran update-ids-ruleset again. That did the trick – enabled another several thousand rules. So far, this has triggered a few alerts but is not yet irritating my user base (my spouse and myself) :cowboy_hat_face:

[Edit-1] Note: This is with Talos Subscribed Rules w/ all the files checked/enabled

[Edit-2] Note: IDS enabled on all interfaces – Red, Green and Blue

[Edit-3] Note: Have not noticed any/much system loading impact
Here’s the rule trigger carnage:

A few of these on Red:

Drop] [] [1:28557:3] PROTOCOL-DNS Malformed DNS query with HTTP content [] [Classification: Misc activity] [Priority: 3] {UDP}

A few of these on Green:

[Drop] [] [1:26286:6] APP-DETECT Absolute Software Computrace outbound connection - [] [Classification: Misc activity] [Priority: 3] {TCP}

[Edit-4] Perhaps I would see more rules triggered if I were not already dropping bad guys with your github/timfprogs/ipfblocklist: