IP address blocklists vs. IPS rules - how to do it right?

Hello dear IPFirefighters,
Looking at my IPFire v187 I see we can activate IP Blocklists like

3CORESEC_SCAN
3CORESEC_SSH
3CORESEC_WEB
ABUSECH_BOTNETC2
EMERGING_COMPROMISED
EMERGING_FWRULE

In the IPS area I have activated the Emergingthreats Community Ruleset and the Abuse.ch SSLBL Blacklist Rules.
Digging deeper and looking into the IPS rulesets I realize there are rulesets like emerging-3coresec.rules and sslbl_blacklist-ruleset.rules.

Questions: how would I make best use of this? Are these features overlapping / redundant or are they additions to one another? If I activate all of the above, would that simply mean that IPFire would do unnecessary double work? Can / should I omit some of it (e.g. deactivate the 3coresec IPS ruleset if I activate the 3coresec blocklists)? Is there a performance gain or other advantage in using a blocklist instead of an IPS rule?

Thanks for your excellent work. Keep it up!
Dirk

Hi Dirk. You made an excellent observation. Yes, the 3Core and ET emerging lists are overlapping.

I am not familiar with the newest core updates, but in the recent past the more security layers you had, the better.

Using the IPFire blocklist vs. Suricata would perform faster, because the IP blocklist used fewer resources, and the firewall combined with the IP blocklist was the preferred line of defense before Suricata.

One more advantage that I appreciate is that you have more control about the update frequency with IPFire blocklists.

I think the Emerging Suricata rules that you mentioned are only updated once a day, not including legal holidays, so I have observed 4 days without updates.

So I decided to include 3Coresec and Abuse as separate IP blocklists and update them as frequently as needed. I think with Abuse.ch you could take advantage of their 5-minute update interval if you see the need. 3Coresec doesn’t mention an update frequency, but my update limit is 30 minutes and I can confirm from logs that 3Coresec updates the ALL list 4 times a day, including on weekends. So that would be around 28 updates per week compared to Emerging only updating 5 times or less per week.

Let me know your thoughts, I would like to know how your security layers work.
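
An added example, not part of either post and not IPFire code: one way to measure how much an IP-reputation ruleset such as emerging-3coresec.rules overlaps a blocklist before deciding which layer to keep. It assumes the rules name addresses in the rule header (`alert ip [a,b,...] any -> ...`) and that the blocklist is one IP or CIDR per line; the function names and sample data are constructed for illustration.

```python
import ipaddress
import re

# Source-address field of an enabled rule header: "alert ip [a,b,c] any -> ..."
# Lines starting with '#' (comments, disabled rules) do not match.
HEADER = re.compile(r'^\s*(?:alert|drop|reject|pass)\s+\S+\s+(\[[^\]]*\]|\S+)\s')

def rule_networks(rules_text):
    """Collect the literal source networks named in Suricata rule headers."""
    nets = set()
    for line in rules_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        for item in m.group(1).strip('[]').split(','):
            try:
                nets.add(ipaddress.ip_network(item.strip(), strict=False))
            except ValueError:
                pass  # "any", $HOME_NET-style variables, negated entries
    return nets

def blocklist_networks(list_text):
    """Parse a plain blocklist: one IP or CIDR per line, '#' starts a comment."""
    entries = (line.split('#', 1)[0].strip() for line in list_text.splitlines())
    return {ipaddress.ip_network(e, strict=False) for e in entries if e}

def hits(net, others):
    """True if net shares at least one address with any network in others."""
    return any(net.version == o.version and net.overlaps(o) for o in others)

def compare(rules_text, list_text):
    """Split entries into: in both layers, IPS rules only, blocklist only."""
    rules, blk = rule_networks(rules_text), blocklist_networks(list_text)
    both = {n for n in rules if hits(n, blk)}
    return {"in_both": both, "ips_only": rules - both,
            "blocklist_only": {n for n in blk if not hits(n, rules)}}

# Constructed sample data using documentation address ranges, not real feed content.
SAMPLE_RULES = '''# constructed example ruleset
alert ip [192.0.2.10,192.0.2.11,198.51.100.7] any -> $HOME_NET any (msg:"sample reputation group 1"; sid:1000001; rev:1;)
#alert ip [203.0.113.99] any -> $HOME_NET any (msg:"disabled rule"; sid:1000002; rev:1;)
'''
SAMPLE_BLOCKLIST = '''# constructed example blocklist
192.0.2.8/29
203.0.113.5
'''

if __name__ == "__main__":
    for name, nets in compare(SAMPLE_RULES, SAMPLE_BLOCKLIST).items():
        print(name, sorted(str(n) for n in nets))
```

A large "in_both" share means the IPS rules mostly repeat what the firewall-level blocklist already drops; entries under "ips_only" are what would be lost by disabling that ruleset.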