Fontys S7

Developing and tuning an IDS

I've been running an IDS/IPS in my DMZ for a while now to block the constant barrage of attacks that comes with running public-facing services.

Running an IDS is pretty simple and straightforward, but running it in IPS mode is where the challenges come in. In IDS mode a false positive is just a noisy alert; in IPS mode it is a dropped connection. Constantly fine-tuning the rules is therefore necessary to avoid blocking yourself or one of your own services.

A lot of my services run behind two reverse proxies, and I have a monitoring service that keeps track of their uptime by pinging them. From the IDS's point of view that traffic looks suspicious: every request that reaches a backend appears to come from a proxy address, and the uptime monitor is probing the same hosts around the clock, so my reverse proxies and uptime server were getting blocked a lot. Since those servers are mine, I trust them, so I created a trusted IP list so they don't get blocked anymore. The trade-off is that anything relayed through a trusted proxy can no longer be blocked by source address at the IPS, since the real client address is only visible to the proxy.

I've been running the default Snort and Emerging Threats rule sets and fine-tuned them from there. This has worked well for me and my use cases.

Judging by the number of blocked IPs on a fairly quiet day, I think it works great. Even though it probably won't block every attack, those that are blocked are one less thing to worry about. I've configured the block list to be cleared every 8 hours, so that if in some strange case I do block myself while I'm at a remote location for several days, I get unblocked after at most 8 hours.
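To show the two tuning decisions above (a trusted list that is never blocked, and blocks that do not outlive a fixed age) as working logic, here is an added example written for this post; it is not the author's configuration and not Snort's own blocking code. It parses Snort's `alert_fast` line format, skips any source inside the trusted networks, and expires blocks per entry once they are older than 8 hours, which is the same outcome as the wholesale 8-hour flush described above but lets a fresh block from hour 7 survive the flush. The trusted networks, the alert lines and the timestamps are all constructed from the RFC 5737 documentation ranges.

```python
"""Block list with a trusted-host exemption and timed expiry.

Example code added to this post (not the author's setup). Reads Snort
alert_fast lines, never blocks a source on the trusted list (reverse
proxies, uptime monitor) and drops blocks once they are older than
BLOCK_TTL. All addresses and alert lines below are constructed.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Assumed trusted hosts: the reverse proxies and the uptime monitor.
TRUSTED = [
    ipaddress.ip_network("192.0.2.0/28"),     # assumed: reverse proxy subnet
    ipaddress.ip_network("198.51.100.7/32"),  # assumed: uptime monitor
]

BLOCK_TTL = timedelta(hours=8)  # maximum lifetime of a block

# alert_fast line: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]"
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)


def parse_fast_alert(line, year):
    """Parse one alert_fast line. The format omits the year, so the caller supplies it."""
    m = FAST_RE.match(line)
    if m is None:
        return None
    when = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {
        "time": when,
        "sid": int(m["sid"]),
        "msg": m["msg"],
        "proto": m["proto"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
    }


def is_trusted(addr):
    """True if addr (str or ip_address) falls inside any trusted network."""
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in TRUSTED)


class BlockList:
    """Blocked sources keyed by address; each entry remembers when it was first blocked."""

    def __init__(self, ttl=BLOCK_TTL):
        self.ttl = ttl
        self.entries = {}  # ip_address -> (blocked_at, reason)

    def consider(self, alert):
        """Block the alert's source unless trusted or already blocked. True if newly blocked."""
        src = alert["src"]
        if is_trusted(src) or src in self.entries:
            # Deliberately do not refresh blocked_at on repeat hits: an admin who
            # locked himself out and keeps retrying would otherwise never expire.
            return False
        self.entries[src] = (alert["time"], f"sid {alert['sid']}: {alert['msg']}")
        return True

    def expire(self, now):
        """Remove entries older than ttl as of `now`; returns the removed addresses."""
        stale = sorted((ip for ip, (blocked_at, _) in self.entries.items()
                        if now - blocked_at >= self.ttl),
                       key=lambda ip: (ip.version, ip))
        for ip in stale:
            del self.entries[ip]
        return [str(ip) for ip in stale]

    def blocked(self):
        """Currently blocked addresses as strings, sorted."""
        return [str(ip) for ip in sorted(self.entries, key=lambda ip: (ip.version, ip))]


def process(lines, year, blocklist):
    """Feed alert lines through the block list; returns the newly blocked addresses."""
    newly = []
    for line in lines:
        alert = parse_fast_alert(line, year)
        if alert is not None and blocklist.consider(alert):
            newly.append(str(alert["src"]))
    return newly


# Constructed alert lines (not real Snort output): two Internet sources, one
# request from a reverse proxy (trusted) and the uptime monitor's ping (trusted).
SAMPLE_ALERTS = [
    "01/15-02:10:11.000001  [**] [1:1000001:1] LOCAL inbound scan [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:51234 -> 192.0.2.10:443",
    "01/15-02:12:40.000001  [**] [1:1000002:1] LOCAL web probe [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.2:40001 -> 192.0.2.10:443",
    "01/15-02:15:00.000001  [**] [1:1000003:1] LOCAL ICMP echo [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 192.0.2.10",
    "01/15-07:30:00.000001  [**] [1:1000001:1] LOCAL inbound scan [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:2222 -> 192.0.2.10:22",
]


def demo(now=datetime(2024, 1, 15, 10, 20)):
    """Run the samples through a fresh block list, then expire entries as of `now`."""
    bl = BlockList()
    newly = process(SAMPLE_ALERTS, 2024, bl)
    expired = bl.expire(now)
    return {"newly_blocked": newly, "expired": expired, "still_blocked": bl.blocked()}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two details matter for the self-lockout case the post describes. The expiry is anchored on the time an address was first blocked and is never refreshed by later alerts, so a legitimate admin who keeps retrying from a remote location still gets unblocked after 8 hours; refreshing on every hit would keep the lockout alive for as long as the retries continue. And the trusted check happens before the block is written, so a noisy rule that fires on proxy or monitor traffic costs an alert but never a dropped connection.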