IPS Rulesets suggestions

What IPS Rulesets are you guys using?

I am still new to IPFire and I have read the Wiki.

So I have been using the ET Community Ruleset; I also tried Talos Free.

I want to install IPFire for a small office (medical office) and want to keep it as simple as possible because everyone working there is over 60 years old. They haven't had a firewall or IPS in 40 years, just a consumer router.
They are ready to retire but right now they still need to get an IPS to comply with something called HIPAA.

I will propose the IPFire firewall, but I'm not sure what ruleset to propose.

I am having difficulty even finding out the exact pricing.
ET Pro was bought by Proofpoint and seems to be around 900-1000 per year; I am not sure if I could justify the cost.

Talos VRT was bought by Cisco and is 30/year for home use and 400 for commercial.

I was not able to figure out the difference between ET Pro for 1000 and Talos VRT for 400.

I also can't figure out the difference between ET Community, Talos Community and Talos Free for Registered Users.

Interesting observation about RAM usage:
ET Community: 350-480 MB
Talos VRT Registered Free: 50-60 MB only

I appreciate any comments and suggestions.

Hi,

What IPS Rulesets are you guys using?

Personally, I am happy with the ET Community Ruleset as it requires no registration anywhere and the rules are good enough for a larger SOHO setup with some modifications (enabled some scanner rules disabled by default, and disabled some others generating FPs in my setup).

I guess it might be reasonable to start with a free IPS ruleset, and see how things go from there. In case traffic is limited by a strict firewall policy anyway (please refer to this article for further information), the attack surface is already pretty limited; the most relevant threat would be attacks against web browsers, or similar.

While I run some IPS setups in professional environments, I have rarely come across the need to buy IPS rulesets. In most cases, free ones were fine, but your mileage might vary. :slight_smile:

Thanks, and best regards,
Peter Müller

P.S.: Indeed, the pricing model of Proofpoint is difficult to understand - good luck searching further. :wink:


Thank you Peter, I will work on your suggestions and report back.
Just one more thing:
What is "others generating FPs in my setup"?

EDIT: Never mind FPs = False Positives :innocent:

Hi! I think I need some help with choosing rulesets under community-community.rules and emerging-3coresec.rules. This is for my home network, so we play games, surf and so on. I also have an FTPS server that is reachable from the Internet. Mostly I worry about ransomware attacks; maybe the rules can help a little against them, and also afterwards, so systems can't call out to the ransomware networks. For me the many choices are overwhelming. Here are 382 pages with the rules I use now (it was a few years ago I chose them, and I have not changed since then):
ipfire.localdomain - Intrusion Prevention System-1-191.pdf (2.9 MB)
ipfire.localdomain - Intrusion Prevention System-192-382.pdf (2.9 MB)

What rules do you use?

To help with preventing malware calling home, also make sure that you have the

Firewall options for RED interface
Drop packets from and to hostile networks (listed at Spamhaus DROP, etc.)

option turned on in the Firewall Options menu. You will need to reboot after changing the value if it is not turned on.

In Core Update 184 you will also be able to turn on or off the logging for DROP_HOSTILE incoming or outgoing independently.

In terms of the rulesets you have specified, I can't help you with those, as I don't use the Snort Community ruleset, so the community-community.rules are not present.
I have the Emerging Threats and the Abuse.ch rulesets selected, but I don't have the emerging-3coresec.rules checked.

The emerging-3coresec.rules list covers reputation IPs. You might be better off selecting the Reputation blocklists in the IP Blocklist menu option. That IP Blocklist gets used early on in the traffic flow into IPFire, so it uses much less resource from IPFire than getting the IPS to block IPs.
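Two of the points raised in this thread (enabling scanner rules that ship commented out or silencing ones that cause false positives, and spotting the pure IP-reputation rules that a firewall-level blocklist could handle more cheaply than the IPS) can be checked directly against a ruleset file. The following is an added example, not IPFire's or Emerging Threats' own code: it parses Suricata/Snort-style rule lines, reports which enabled rules match on header addresses alone, and toggles rules by SID. The sample rules, SIDs and addresses are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample rules in Suricata/Snort syntax (SIDs and addresses are made up):
# two IP-reputation rules, one scanner rule shipped disabled, one content rule.
SAMPLE_RULES = """\
alert ip [198.51.100.10,198.51.100.11] any -> $HOME_NET any (msg:"CONSTRUCTED Poor Reputation IP group 1"; classtype:misc-attack; sid:9000001; rev:1;)
alert ip $HOME_NET any -> 203.0.113.0/24 any (msg:"CONSTRUCTED Poor Reputation IP group 2"; classtype:misc-attack; sid:9000002; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"CONSTRUCTED SCAN FTP login brute force"; flow:to_server; content:"USER"; depth:4; classtype:attempted-recon; sid:9000003; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"CONSTRUCTED WEB_SERVER path traversal"; flow:to_server; content:"../"; http_uri; classtype:web-application-attack; sid:9000004; rev:1;)
"""

RULE_RE = re.compile(r'^(?P<off>#\s*)?(?:alert|drop|pass|reject)\s+\S+\s+(?P<src>\S+)\s+\S+\s+'
                     r'(?:->|<>)\s+(?P<dst>\S+)\s+\S+\s+\((?P<opts>.*)\)\s*$')
OPT_RE = re.compile(r'(\w+)(?::\s*([^;]*?))?\s*;')  # assumes no ';' inside quoted values
IP_RE = re.compile(r'\b\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?\b')
PAYLOAD_KEYS = {"content", "pcre", "uricontent", "byte_test", "byte_jump", "dsize"}

@dataclass
class Rule:
    enabled: bool
    sid: int
    classtype: str
    ips: list      # literal IPs/CIDRs in the header; empty when only $VARS are used
    ip_only: bool  # True when the rule inspects no payload (header match decides)

def parse_rules(text):
    rules = []
    for m in filter(None, (RULE_RE.match(ln.strip()) for ln in text.splitlines())):
        opts = dict(OPT_RE.findall(m.group("opts")))
        rules.append(Rule(enabled=m.group("off") is None, sid=int(opts["sid"]),
                          classtype=opts.get("classtype", "unknown"),
                          ips=IP_RE.findall(m.group("src") + " " + m.group("dst")),
                          ip_only=PAYLOAD_KEYS.isdisjoint(opts)))
    return rules

def blocklist_candidates(rules):
    """Addresses matched only by enabled IP-reputation rules: the part of a ruleset a firewall-level IP blocklist could cover instead of the IPS."""
    return sorted({ip for r in rules if r.enabled and r.ip_only for ip in r.ips})

def toggle(text, sids, enable):
    """Comment the given SIDs in (enable=True) or out, e.g. to switch on a scanner rule shipped disabled or silence one that produces FPs."""
    out = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and int(dict(OPT_RE.findall(m.group("opts")))["sid"]) in sids:
            body = line.strip().lstrip("#").lstrip()
            line = body if enable else "# " + body
        out.append(line)
    return "\n".join(out) + "\n"
```

Running `blocklist_candidates(parse_rules(SAMPLE_RULES))` on the sample lists the three constructed addresses from the two reputation rules, while `toggle(SAMPLE_RULES, {9000003}, True)` returns the text with the disabled scanner rule switched on.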