
Intrusion Prevention and Detection Systems: Building Your Network's Immune System

Your firewall logs look clean. Your endpoints pass their compliance checks. And somewhere on your network, an attacker has been quietly exfiltrating data for eleven days. This is the exact gap that Intrusion Detection and Prevention Systems are designed to close—but only when they're deployed with intention, tuned with discipline, and integrated into a broader security operations workflow.


What IDS/IPS Actually Does (and Doesn't Do)

An Intrusion Detection System (IDS) monitors network traffic or host activity and generates alerts when it identifies suspicious patterns. An Intrusion Prevention System (IPS) does the same—but sits inline and can actively block malicious traffic before it reaches its target.

The distinction is architectural. A passive IDS watches a copy of the traffic (a SPAN port or tap), so if the sensor dies you lose visibility but nothing else; it fails open. An inline IPS sits in the forwarding path, so a dead sensor means dropped packets unless you have a hardware bypass or a queue-bypass rule; it fails closed by default. Neither replaces a firewall, SIEM, or endpoint detection platform. They occupy a specific niche: deep packet inspection and signature/behavioral analysis at wire speed.

Choosing Between Snort and Suricata

For most enterprise Linux environments, the decision comes down to Snort 3 and Suricata. Both are open-source and production-grade, and they use closely related rule languages (Emerging Threats publishes rule sets for both). The practical differences matter:

  • Suricata is multi-threaded natively, making it better suited for high-throughput environments (10Gbps+).
  • Snort 3 has been rewritten with a modular architecture and improved Lua scripting support.
  • Suricata has built-in protocol logging (EVE JSON): alerts, flows, DNS, HTTP, TLS and file events are written as one JSON object per line, which is straightforward to ship to Elasticsearch or your SIEM.

For a new deployment, I generally recommend Suricata for its threading model and JSON-native logging.

Deploying Suricata in IDS Mode: A Practical Example

Install Suricata and the rule manager on an Ubuntu 22.04 sensor, then enable the Emerging Threats Open rule set and fetch it:

sudo apt update
sudo apt install suricata suricata-update -y
# refresh the index of available rule sources, then pick one
sudo suricata-update update-sources
sudo suricata-update list-sources
sudo suricata-update enable-source et/open
# download the enabled sources and write the merged rules file
sudo suricata-update

Configure your network variables in /etc/suricata/suricata.yaml:

vars:
  address-groups:
    HOME_NET: '[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]'
    EXTERNAL_NET: '!$HOME_NET'

Start Suricata in the foreground on your monitoring interface (the SPAN or tap port, not the management NIC). --init-errors-fatal makes it exit on a rule or configuration error instead of silently skipping the broken rule:

sudo suricata -c /etc/suricata/suricata.yaml -i eth1 --init-errors-fatal

Verify it's generating EVE JSON logs:

tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")'

This gives you a functional IDS sensor in under fifteen minutes. The real work starts now.

Tuning: Where Most Deployments Fail

Out-of-the-box rule sets like Emerging Threats Open contain tens of thousands of signatures. Enabling all of them guarantees alert fatigue. A disciplined tuning process looks like this:

  1. Run in IDS mode for 7–14 days before enabling any blocking, long enough to see a full business cycle (backups, patch windows, month-end jobs).
  2. Suppress known false positives with suppress and threshold directives in /etc/suricata/threshold.config. A suppress entry silences a signature entirely (optionally for one source or destination); a threshold entry of type limit caps how often it can fire. For example, to silence one signature for an authorized scanner:

# /etc/suricata/threshold.config
suppress gen_id 1, sig_id 2210044, track by_src, ip 10.0.5.20

  3. Disable entire rule categories that don't apply to your environment (e.g., disable policy rules for protocols you don't use). suricata-update reads /etc/suricata/disable.conf for this, and accepts individual SIDs, regular expressions, or whole rule files.
  4. Prioritize high-fidelity rules: malware command-and-control callbacks, exploit kit signatures, and lateral movement indicators.
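The tuning steps above come down to one question per signature: is it noisy, and from where? The script below is an added example (not code from the original article or from the Suricata project) that reads EVE JSON from a passive run, aggregates alerts per signature, and proposes threshold.config lines using the policy from the list: priority-1 signatures are never touched, a noisy signature that only fires from one host gets a by_src suppress, a noisy one that fires from many hosts gets a rate limit, and everything else is flagged for review. The EVE records, SIDs, hosts and the NOISY cut-off are constructed assumptions.

```python
"""Triage alerts from a passive Suricata run and propose threshold.config lines.

Added example, not part of the original article or of the Suricata project.
The EVE records, SIDs, hosts and the NOISY cut-off below are constructed
assumptions; point load_alerts() at a real eve.json to use it for real.
"""
import json
from dataclasses import dataclass, field

NOISY = 5  # alerts per signature in the sample window; assumption, scale to your traffic
TS = "2024-03-01T09:00:00.000000+0000"


def _alert(sid, name, severity, src, dst):
    """One constructed EVE alert record using Suricata's alert field layout."""
    return json.dumps({"timestamp": TS, "event_type": "alert", "src_ip": src,
                       "dest_ip": dst, "proto": "TCP",
                       "alert": {"gid": 1, "signature_id": sid, "rev": 1, "signature": name,
                                 "category": "Constructed", "severity": severity}})


# Constructed EVE JSON: a scanner tripping a policy rule, a low-value info rule
# firing from several desktops, one beacon alert, two scan alerts and a flow event.
SAMPLE_EVE = "\n".join(
    [_alert(9000001, "CONSTRUCTED POLICY Vulnerability scanner probe", 3, "10.0.5.20", f"10.0.1.{i}")
     for i in range(1, 6)]
    + [_alert(9000002, "CONSTRUCTED INFO Dynamic DNS lookup", 3, f"10.0.8.{i}", "192.0.2.53")
       for i in (1, 2, 3, 4, 1, 2)]
    + [_alert(9000003, "CONSTRUCTED MALWARE Beacon to known C2", 1, "10.0.7.31", "203.0.113.10")]
    + [_alert(9000004, "CONSTRUCTED SCAN OS fingerprint attempt", 2, "10.0.9.9", "10.0.1.1")] * 2
    + ['{"timestamp": "%s", "event_type": "flow", "src_ip": "10.0.7.31", "dest_ip": "203.0.113.10"}' % TS]
)


@dataclass
class SigStats:
    sid: int
    name: str
    severity: int
    count: int = 0
    sources: set = field(default_factory=set)
    dests: set = field(default_factory=set)


def load_alerts(eve_text):
    """Parse EVE JSON lines and keep only alert events (flow, dns, etc. are dropped)."""
    events = (json.loads(line) for line in eve_text.splitlines() if line.strip())
    return [e for e in events if e.get("event_type") == "alert"]


def aggregate(alerts):
    """Per-signature count plus the distinct source and destination hosts."""
    stats = {}
    for ev in alerts:
        al = ev["alert"]
        s = stats.setdefault(al["signature_id"], SigStats(al["signature_id"], al["signature"], al["severity"]))
        s.count += 1
        s.sources.add(ev["src_ip"])
        s.dests.add(ev["dest_ip"])
    return stats


def propose(stats):
    """Map each SID to (decision, threshold.config line or comment)."""
    out = {}
    for sid, s in sorted(stats.items()):
        if s.severity == 1:
            out[sid] = ("keep", f"# keep sid {sid}: severity 1, {s.count} hit(s); investigate every one")
        elif s.count >= NOISY and len(s.sources) == 1:
            # The signature is quiet except for one host (e.g. an authorised scanner).
            src = next(iter(s.sources))
            out[sid] = ("suppress", f"suppress gen_id 1, sig_id {sid}, track by_src, ip {src}")
        elif s.count >= NOISY:
            # Widespread low-severity noise: at most one alert per source per hour.
            out[sid] = ("threshold", f"threshold gen_id 1, sig_id {sid}, type limit, track by_src, count 1, seconds 3600")
        else:
            out[sid] = ("review", f"# review sid {sid}: {s.count} hit(s) from {len(s.sources)} source(s)")
    return out


def render_threshold_config(proposals):
    """Text ready to paste into /etc/suricata/threshold.config (comments included)."""
    return "\n".join(line for _, line in proposals.values()) + "\n"


if __name__ == "__main__":
    print(render_threshold_config(propose(aggregate(load_alerts(SAMPLE_EVE)))))
```

The output is a starting point for an analyst, not something to apply blindly: the suppress line names a specific host, so confirm that host really is the scanner before shipping it, and the severity-1 "keep" comments are there precisely so nobody silences a C2 signature because it was noisy.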

Inline IPS: When to Pull the Trigger

Move to IPS mode only after you've validated your tuning in a passive deployment. On Linux, Suricata supports NFQ (Netfilter Queue) mode for inline operation. The rule below queues routed traffic from the FORWARD chain, so the sensor must be the router or bridge that traffic actually traverses:

sudo iptables -I FORWARD -j NFQUEUE --queue-num 0
sudo suricata -c /etc/suricata/suricata.yaml -q 0

Two caveats before you leave that running. First, this path fails closed: if Suricata stops, the kernel drops every packet queued to NFQUEUE. Add --queue-bypass to the NFQUEUE target if you would rather fail open, and make that choice deliberately rather than by accident. Second, set rule actions to drop instead of alert selectively; suricata-update reads /etc/suricata/drop.conf for the SIDs to rewrite. Never bulk-convert all alerts to drops. This is how you cause a production outage on a Tuesday morning.
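"Selectively" should mean a written policy, not a gut call per SID. The script below is an added example (not code from the original article or from Suricata) that applies such a policy to per-signature statistics from the passive run and emits only the SIDs that pass, one per line, which is the form suricata-update's drop.conf accepts. The statistics, SIDs, category strings and policy numbers are constructed assumptions; feed it your own passive-run numbers.

```python
"""Gate which signatures may be promoted from alert to drop before going inline.

Added example, not part of the original article or of Suricata. The
statistics, SIDs, category strings and policy numbers below are constructed
assumptions; adjust them to your own passive-run data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DropPolicy:
    max_distinct_sources: int = 5    # a rule firing from many hosts is likely hitting business traffic
    max_severity: int = 1            # only priority-1 rules, unless the category is allowlisted below
    # Categories trusted enough to drop even if they never fired during the passive run.
    allow_categories: tuple = ("Malware Command and Control Activity Detected",
                               "Attempted Administrator Privilege Gain")


# Constructed per-SID observations from a 14-day passive run; "false_positives"
# is the number of hits an analyst dispositioned as benign.
PASSIVE_STATS = {
    9000001: {"name": "CONSTRUCTED POLICY Vulnerability scanner probe", "severity": 3,
              "category": "Potential Corporate Privacy Violation",
              "count": 5, "sources": 1, "false_positives": 5},
    9000003: {"name": "CONSTRUCTED MALWARE Beacon to known C2", "severity": 1,
              "category": "Malware Command and Control Activity Detected",
              "count": 3, "sources": 1, "false_positives": 0},
    9000006: {"name": "CONSTRUCTED EXPLOIT Privilege escalation over SMB", "severity": 1,
              "category": "Attempted Administrator Privilege Gain",
              "count": 40, "sources": 12, "false_positives": 0},
    9000007: {"name": "CONSTRUCTED MALWARE C2 check-in (never observed)", "severity": 1,
              "category": "Malware Command and Control Activity Detected",
              "count": 0, "sources": 0, "false_positives": 0},
    9000008: {"name": "CONSTRUCTED PROTOCOL Decode anomaly (never observed)", "severity": 3,
              "category": "Generic Protocol Command Decode",
              "count": 0, "sources": 0, "false_positives": 0},
    9000009: {"name": "CONSTRUCTED INFO Suspicious user-agent", "severity": 2,
              "category": "Attempted Information Leak",
              "count": 2, "sources": 1, "false_positives": 0},
}


def evaluate(stats, policy):
    """Return (approved SIDs in ascending order, {sid: reason} for every rejection)."""
    approved, rejected = [], {}
    for sid, s in sorted(stats.items()):
        allowlisted = s["category"] in policy.allow_categories
        if s["false_positives"] > 0:
            rejected[sid] = f"{s['false_positives']} false positive(s) during passive run"
        elif s["count"] == 0 and not allowlisted:
            rejected[sid] = "unobserved during passive run and category not allowlisted"
        elif s["sources"] > policy.max_distinct_sources:
            rejected[sid] = f"fired from {s['sources']} sources (> {policy.max_distinct_sources}); verify before dropping"
        elif s["severity"] > policy.max_severity and not allowlisted:
            rejected[sid] = f"severity {s['severity']} exceeds policy maximum {policy.max_severity}"
        else:
            approved.append(sid)
    return approved, rejected


def render_drop_conf(approved):
    """drop.conf body: one SID per line; suricata-update rewrites those rules to drop."""
    return "".join(f"{sid}\n" for sid in approved)


if __name__ == "__main__":
    ok, bad = evaluate(PASSIVE_STATS, DropPolicy())
    print(render_drop_conf(ok))
    for sid, why in bad.items():
        print(f"# skip {sid}: {why}")
```

Note what the gate rejects and why: the exploit signature with zero false positives still fails because it fired from twelve hosts, which in most networks means an internal scanner rather than twelve compromises, and blocking it would break that scanner. The never-observed C2 signature passes only because its category is allowlisted; that is a policy decision you should be able to defend.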

Integration and Operational Maturity

A standalone IDS/IPS generates alerts. An integrated one generates outcomes. Ship EVE JSON logs to your SIEM (Elastic Security, Splunk, or Wazuh), correlate IDS alerts with firewall logs and endpoint telemetry, and build runbooks for your top ten alert categories.

The goal isn't zero alerts. It's that every alert triggers a defined response.
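What "correlate IDS alerts with firewall logs and endpoint telemetry" looks like in practice, as an added example that is not code from the original article or from any SIEM product: take one EVE alert, pull the firewall verdicts for the same flow within a short window, pull the processes that were running on the source host around that time, and pick the runbook from the alert category. The alert, the key=value firewall lines and the endpoint process events are constructed; the field names, hostnames, time windows and runbook table are assumptions.

```python
"""Enrich one Suricata EVE alert with firewall and endpoint context and pick a runbook.

Added example, not part of the original article or of any SIEM. The alert,
firewall lines and endpoint events are constructed; field names, windows and
the runbook table are assumptions.
"""
import json
from datetime import datetime

# Constructed EVE alert as Suricata would write it to eve.json.
EVE_ALERT = json.loads(
    '{"timestamp":"2024-03-01T09:05:10.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.7.31","dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP",'
    '"alert":{"signature_id":9000003,"signature":"CONSTRUCTED MALWARE Beacon to known C2",'
    '"category":"Malware Command and Control Activity Detected","severity":1}}')

# Constructed firewall log in a key=value syslog style (assumed format).
FIREWALL_LOG = """\
2024-03-01T09:05:09Z fw01 action=allow src=10.0.7.31 dst=203.0.113.10 dport=443 proto=tcp
2024-03-01T09:05:40Z fw01 action=deny src=10.0.7.31 dst=203.0.113.11 dport=8443 proto=tcp
2024-03-01T08:30:00Z fw01 action=allow src=10.0.7.31 dst=198.51.100.5 dport=443 proto=tcp
"""

# Constructed endpoint process-start events (assumed schema).
ENDPOINT_EVENTS = [
    {"ts": "2024-03-01T09:04:58Z", "host": "ws-0731", "ip": "10.0.7.31", "user": "jdoe",
     "process": "rundll32.exe", "cmdline": "rundll32.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.dll,Start"},
    {"ts": "2024-03-01T09:05:30Z", "host": "ws-0731", "ip": "10.0.7.31", "user": "jdoe",
     "process": "chrome.exe", "cmdline": "chrome.exe"},
    {"ts": "2024-03-01T07:00:00Z", "host": "ws-0731", "ip": "10.0.7.31", "user": "SYSTEM",
     "process": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

# Runbook table keyed by alert category (assumed identifiers and actions).
RUNBOOKS = {
    "Malware Command and Control Activity Detected": "RB-01 isolate host, capture memory, block destination",
    "Attempted Administrator Privilege Gain": "RB-02 review target host, check for new admin accounts",
    "default": "RB-99 analyst triage within one business day",
}


def parse_ts(s):
    """Accept both EVE's '+0000' offset form and the 'Z' suffix used by the other logs."""
    s = s.replace("Z", "+0000")
    fmt = "%Y-%m-%dT%H:%M:%S.%f%z" if "." in s else "%Y-%m-%dT%H:%M:%S%z"
    return datetime.strptime(s, fmt)


def parse_fw_line(line):
    """'<ts> <device> k=v k=v ...' into a dict with a parsed timestamp."""
    ts, device, *pairs = line.split()
    rec = {"ts": parse_ts(ts), "device": device}
    rec.update(p.split("=", 1) for p in pairs)
    return rec


def correlate(alert, fw_text, ep_events, fw_window=60, ep_window=300):
    """Join the alert to firewall verdicts for the same flow and to processes on the source host."""
    t = parse_ts(alert["timestamp"])
    fw = [parse_fw_line(l) for l in fw_text.splitlines() if l.strip()]
    fw_hits = [r for r in fw if r["src"] == alert["src_ip"] and r["dst"] == alert["dest_ip"]
               and abs((r["ts"] - t).total_seconds()) <= fw_window]
    ep_hits = [e for e in ep_events if e["ip"] == alert["src_ip"]
               and abs((parse_ts(e["ts"]) - t).total_seconds()) <= ep_window]
    category = alert["alert"]["category"]
    return {
        "sid": alert["alert"]["signature_id"],
        "category": category,
        "src_ip": alert["src_ip"],
        "dest_ip": alert["dest_ip"],
        "fw_verdicts": [r["action"] for r in fw_hits],
        "host": ep_hits[0]["host"] if ep_hits else None,
        "processes": [e["process"] for e in ep_hits],
        "runbook": RUNBOOKS.get(category, RUNBOOKS["default"]),
    }


if __name__ == "__main__":
    print(json.dumps(correlate(EVE_ALERT, FIREWALL_LOG, ENDPOINT_EVENTS), indent=2))
```

The enriched record is what the runbook actually needs: the firewall allowed the flow (so the beacon got out and the IDS alert is after the fact, not a blocked attempt), and the endpoint shows rundll32.exe loading a DLL from a user's Temp directory seconds before the connection. Either fact alone is a ticket; together they are an isolation decision.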

IDS/IPS remains one of the highest-value, lowest-cost security controls available—but only when it's treated as a living system that demands ongoing tuning, testing, and operational integration.


Have questions about intrusion prevention and detection systems? I'm always happy to talk shop — reach out or connect with me on LinkedIn.
