suricata/doc/userguide/ips/ips-concept.rst

IPS Concept
===========

Intrusion Prevention System mode, or IPS mode, is the Suricata mode that makes it act as a
traffic filter.

By default it will allow all traffic, and will use ``drop`` or ``reject`` rules to block
unwanted traffic.

It is generally used ``inline``, where threat detection rules are used to drop known bad traffic.

The ``inline`` operations are either on layer 2 (bridge, for example using AF_PACKET or DPDK)
or on layer 3 (routing, for example in NFQueue or IPFW).


Differences from the passive IDS mode
-------------------------------------

TCP stream engine
^^^^^^^^^^^^^^^^^

Where in IDS mode TCP traffic is only inspected after the acknowledgement (ACK) for it has
been received, in IPS mode the default behavior is different: new data is inspected
immediately, together with previous data where possible.
The inspection happens in a sliding window. This behavior is controlled by the
``stream.inline`` setting.

In case of overlapping data, the first data Suricata receives is accepted. Follow-up data
that overlaps with this is then checked against the first data. If it is different, the
traffic on the wire is rewritten to match the first data.

The sliding window inspection can be visualized as such::

    Packet 1: [hdr][segment data 1     ]
    Segments: [segment data 1     ]
    Window:   [ inspection window ]

    Packet 2: [hdr][segment data 2]
    Segments: [segment data 1     ][segment data 2]
    Window:   [ inspection window                 ]

    Packet 3: [hdr][segment data 3]
    Segments: [segment data 1     ][segment data 2][segment data 3]
    Window:            [ inspection window                        ]

    Packet 4: [hdr][segment data 4]
    Segments: [segment data 2][segment data 3][segment data 4]
    Window:            [ inspection window                   ]

Each segment's data is inspected together with the other available data. One consequence
of this is that there can be significant rescanning of data, which has a performance impact.

http body inspection
^^^^^^^^^^^^^^^^^^^^

Similar to the sliding window approach in the TCP stream engine, the HTTP body
inspection will happen in a sliding manner by default. In IDS mode body data is
buffered to the configured settings before inspection.

::

    app-layer:
      protocols:
        http:
          libhtp:
             default-config:
               # auto will use http-body-inline mode in IPS mode, yes or no set it statically
               http-body-inline: auto


file.data
^^^^^^^^^

For HTTP, the ``file.data`` logic is the same as the body inspection above.

Exception Policies
------------------

By default, when IPS mode is enabled, the exception policies are set to block (``drop``).
This is to make sure rules cannot be bypassed due to Suricata reaching an error state in
parsing, reaching internal resource limits and other exception conditions.

See :ref:`Exception Policies documentation <exception policies>`.

Differences from Firewall Mode
------------------------------

The main difference is that unlike IPS mode, Firewall Mode has a default ``drop`` policy.
This means that a ruleset must be created to allow traffic to be accepted, instead of
accepting traffic by default and filtering out unwanted traffic.

See :ref:`Firewall Mode Design <firewall mode design>`.