Why does the intrusion prevention system show identical rules?

I set up my oinkcode and I've been looking through the options on IPFire intrusion prevention settings. I was wondering about all these identical rules.

  • Is it OK to select identical rules?
  • What does it mean when the listed rules are identical?
  • Is it more secure to have all of an identical rule selected in the intrusion prevention system?

I realize it might take up more resources on my IPFire installation to have more rules checked, but I'm not worried.
My setup is a static IP provided by Shaw Business with the DNS set to Google's DNS,
connected to IPFire Core 141 (updated from 139)
running on an HP Z400 workstation enhanced with an industrial Intel dual gigabit LAN card (red), an Intel turbo memory booster x2 Realtek gigabit LAN cards, 16 GB of high speed RAM
connected to a 5G TP-Link wireless router.
My IPS only uses about 500MB of RAM and I can't even see how much CPU time it's using.

If you take a look at the rules in /var/lib/suricata you will see that the identical rules are not actually identical. Perhaps these are related multiple checks required to detect the intrusion event.

1 Like
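One way to check the point made in the reply above, as an added example that is not part of the original posts: group Suricata rules by their `msg` text and list which fields differ between rules that share it. The sample rules, their `sid` values and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample rules (not from any real ruleset). Three share one msg;
# the third is commented out, i.e. disabled in the rules file.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE share access attempt"; flow:to_server,established; content:"|FF|SMB"; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"EXAMPLE share access attempt"; flow:to_server,established; content:"|FF|SMB"; sid:1000002; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE share access attempt"; flow:to_server,established; content:"|FE|SMB"; sid:1000003; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"EXAMPLE unique rule"; content:"a\;b"; sid:1000004; rev:1;)
'''

RULE_RE = re.compile(r'^(#\s*)?(alert|drop|pass|reject)\s+(.+?)\s*\((.*)\)\s*$')

def parse_rule(line):
    """Return a dict for one rule line, or None for blanks and plain comments."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    rule = {"enabled": m.group(1) is None, "fields": defaultdict(list)}
    rule["fields"]["header"].append(m.group(2) + " " + m.group(3))
    # Options end with ';'; a literal semicolon inside a value is written '\;'.
    for opt in re.split(r'(?<!\\);', m.group(4)):
        key, _, value = opt.strip().partition(":")
        if key:
            rule["fields"][key].append(value.strip().strip('"'))
    return rule

def group_by_msg(text):
    groups = defaultdict(list)
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule and rule["fields"]["msg"]:
            groups[rule["fields"]["msg"][0]].append(rule)
    return groups

def differing_fields(rules):
    # A field differs if the rules do not all carry the same value list for it.
    keys = set().union(*(r["fields"] for r in rules))
    return sorted(k for k in keys
                  if len({tuple(r["fields"].get(k, ())) for r in rules}) > 1)

def report(text):
    """Map each msg used by more than one rule to (sids, fields that differ)."""
    return {msg: ([r["fields"]["sid"][0] for r in rules], differing_fields(rules))
            for msg, rules in group_by_msg(text).items() if len(rules) > 1}

if __name__ == "__main__":
    for msg, (sids, diff) in report(SAMPLE_RULES).items():
        print(f"{msg!r}: sids={sids} differ in {diff}")
```

To run it against a real ruleset, pass `report()` the text of a rules file from /var/lib/suricata instead of `SAMPLE_RULES`.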