Ubiquiti is using Suricata as their IDS/IPS engine.
Whether it is worth using on the gateway - in my opinion, no. The CPU on the USG3 and USG Pro gateways is way underpowered for any serious traffic/ruleset; and paying for UniFi XG just for the IPS is silly.
I'd separate routing and security, and if IPS is needed, set up another solution. That's what I did: I run Sophos on a separate bit of hardware in L2 mode behind the gateway. So for me UniFi provides connectivity and routing and Sophos provides security/web filtering, intrusion detection, all that stuff.
It depends on the appliance. An 'appliance' is kind of just a marketing term that implies the device is an all-in-one solution for a particular set of needs that includes hardware and appropriate software to meet the requirements. Firewall appliance usually means the device is capable of routing and filtering traffic with very fine-grained controls. A lot of the devices have the option for doing 'network intrusion detection' and this usually involves installing addon software packages/apps.
Examples of network-based intrusion detection systems include:
You can take a look at those to get an idea of what makes a NIDS. :)
I used to see ArcSight wanted a lot in local adverts. Unfortunately no free trials exist. Need to reach out to HPE reseller, sigh.
As others said, Snort and Bro (included with security onion distro) are free, along with https://suricata-ids.org/.
Ultimately, you're learning SIEM logging, and implementing IPS. I'm sure the firewall vendors have stuff they want to promote.
Suggest you start with basic firewalls, and centralised logging. You're halfway there now.
NB: I am not an expert =)
Assuming it is a malicious device you might stick an IDS of your own inline, and see if it flags on anything in particular.
You can get a 100% free one with all the rules over at https://suricata-ids.org/ Looks like there are several how to videos over on youtube.
I haven't used it, but my understanding is it was a SNORT competitor, then SNORT started to charge for the rules and the DoD started funneling money into Suricata to get it up to where it needed to be.
Stick it in before the traffic gets NATed, just make sure you have good DHCP logs and can track the IP that triggers issues back to a MAC address.
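The advice above (place the sensor before NAT, then use DHCP logs to map an alerting IP back to a MAC address) is easy to get wrong when a lease expires and the same address is handed to a different device. The following Python is an added example, not code from the original thread or from the Suricata project: it reads Suricata eve.json alert records and a DHCP lease log and, for each alert, picks the lease that was active at the alert's timestamp rather than the most recent one. The eve.json lines, the DHCP log lines (a simplified dnsmasq-style DHCPACK line with an ISO timestamp prepended), the signature ids and the LAN range are all constructed for the example.

```python
import ipaddress
import json
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed Suricata eve.json records (one JSON object per line). The sids and
# signature names are placeholders, not real Emerging Threats rules.
EVE_LINES = [
    '{"timestamp":"2021-03-04T10:15:30.123456+0000","event_type":"alert","src_ip":"192.168.1.50","src_port":51234,"dest_ip":"203.0.113.9","dest_port":443,"proto":"TCP","alert":{"signature_id":2000001,"signature":"CONSTRUCTED outbound test rule","severity":2}}',
    '{"timestamp":"2021-03-04T10:16:00.000000+0000","event_type":"flow","src_ip":"192.168.1.50","dest_ip":"203.0.113.9"}',
    '{"timestamp":"2021-03-04T10:35:00.500000+0000","event_type":"alert","src_ip":"198.51.100.7","src_port":4444,"dest_ip":"192.168.1.50","dest_port":80,"proto":"TCP","alert":{"signature_id":2000002,"signature":"CONSTRUCTED inbound test rule","severity":1}}',
    '{"timestamp":"2021-03-04T10:40:00.000000+0000","event_type":"alert","src_ip":"192.168.1.99","src_port":1024,"dest_ip":"203.0.113.9","dest_port":53,"proto":"UDP","alert":{"signature_id":2000003,"signature":"CONSTRUCTED unknown host test rule","severity":3}}',
]

# Constructed DHCP lease log, simplified dnsmasq-style DHCPACK lines with an ISO
# timestamp. Deliberately out of order, and 192.168.1.50 is reassigned at 10:30.
DHCP_LINES = [
    "2021-03-04T10:30:00+0000 DHCPACK(eth0) 192.168.1.50 aa:bb:cc:dd:ee:02 iot-cam",
    "2021-03-04T10:10:00+0000 DHCPACK(eth0) 192.168.1.50 aa:bb:cc:dd:ee:01 laptop-a",
    "2021-03-04T10:12:00+0000 DHCPACK(eth0) 192.168.1.77 aa:bb:cc:dd:ee:03",
]

# Assumed internal (pre-NAT) range; adjust to the monitored LAN.
LAN = ipaddress.ip_network("192.168.1.0/24")

DHCP_RE = re.compile(
    r"^(?P<ts>\S+)\s+DHCPACK\(\S+\)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mac>[0-9a-fA-F:]{17})(?:\s+(?P<host>\S+))?"
)

Lease = Tuple[datetime, str, str, Optional[str]]  # (ack time, ip, mac, hostname)


def parse_ts(value: str) -> datetime:
    """Parse both eve.json timestamps (with microseconds) and the lease log's form."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f%z", "%Y-%m-%dT%H:%M:%S%z"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {value!r}")


def parse_leases(lines: List[str]) -> List[Lease]:
    """Extract DHCPACK events and sort them by time so lookups can walk backwards."""
    leases: List[Lease] = []
    for line in lines:
        m = DHCP_RE.match(line.strip())
        if m:
            leases.append((parse_ts(m["ts"]), m["ip"], m["mac"].lower(), m["host"]))
    return sorted(leases, key=lambda l: l[0])


def lease_at(leases: List[Lease], ip: str, when: datetime) -> Optional[Tuple[str, Optional[str]]]:
    """Return (mac, hostname) of the most recent DHCPACK for `ip` at or before `when`."""
    match = None
    for ts, lease_ip, mac, host in leases:
        if ts > when:
            break  # leases are sorted; nothing later can be active at `when`
        if lease_ip == ip:
            match = (mac, host)
    return match


def parse_alerts(lines: List[str]) -> List[Dict]:
    """Keep only event_type == "alert" records; eve.json mixes in flow, dns, etc."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") == "alert":
            alerts.append(rec)
    return alerts


def internal_address(rec: Dict) -> Optional[str]:
    """Pick whichever side of the alert is the pre-NAT internal host, if any."""
    for key in ("src_ip", "dest_ip"):
        if ipaddress.ip_address(rec[key]) in LAN:
            return rec[key]
    return None


def attribute_alerts(eve_lines: List[str], dhcp_lines: List[str]) -> List[Dict]:
    """Join each alert to the lease active at alert time; mac is None if no lease covers it."""
    leases = parse_leases(dhcp_lines)
    rows = []
    for rec in parse_alerts(eve_lines):
        ip = internal_address(rec)
        found = lease_at(leases, ip, parse_ts(rec["timestamp"])) if ip else None
        rows.append({
            "sid": rec["alert"]["signature_id"],
            "signature": rec["alert"]["signature"],
            "internal_ip": ip,
            "mac": found[0] if found else None,
            "host": found[1] if found else None,
        })
    return rows


if __name__ == "__main__":
    for row in attribute_alerts(EVE_LINES, DHCP_LINES):
        print(row)
```

The second constructed alert lands after 192.168.1.50 has been re-leased, so it is attributed to the camera's MAC rather than the laptop's; the third hits an address with no DHCPACK at all, which is worth a look on its own (a static or spoofed address). With real logs, replace the two sample lists with the contents of Suricata's eve.json and the DHCP server's log, and keep timestamps of both sources in the same timezone.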
The closest thing to what you're describing is a Network Intrusion Detection System (NIDS). There are a lot of platforms out there to do it; they're largely signature based, and you receive a hell of a lot of false positives, probably more than any other detection method.
In the open-source space Snort is the biggest name; Suricata is also well known, and unlike Snort it's multi-threaded. If you get serious about implementing one, check out SecurityOnion; it's a customized Ubuntu distro that bundles your choice of Snort/Suricata with Bro, OSSEC (a HIDS platform), and a number of other applications. Be aware going into it that the initial setup takes a LOT of tuning, and even after the initial setup it needs to be actively monitored/tuned: something that is abnormal in one environment, or even for one server, is completely normal in another, so the base signatures need to be highly customized.
There is no magic bullet for security, proper security should be layered.
If the IDS/IPS is what interests you, then be forewarned that the UDMs use a very old version of Suricata. The most recent beta runs v4.1.8 and the oldest stable version according to the suricata website is v4.1.9 (newest is v6.0.0). See https://suricata-ids.org for more info.
If you want a firewall that has up-to-date Suricata, then pfSense/OPNsense is probably a better choice.
Ubiquiti very likely uses Emerging Threats (ET) and DShield since both publish free lists (and it also aligns with the text in alerts).
https://doc.emergingthreats.net/
As birdie stated, Ubiquiti uses Suricata as the IDS/IPS engine.
It's not a priority for me; as I said in my post, priority for me was throughput, stability, latency. That's why I have IDS/IPS off.
I also realise that the IDS/IPS is supplied by suricata-ids.org but there's no real explanation over there how it's working either.
No IDS is 'nice' or 'simple', but BroIDS (now Zeek) and Snort or Suricata are free.
https://www.zeek.org/
https://www.snort.org/
https://suricata-ids.org/
There are also distributions that wrap it all up and try to make it nice and simple (but fail) - however I don't think a Pi would run any of them, they tend to be resource hogs.
According to the package manager it is. Suricata is listed as current with 4.1.2_3. I do see that 4.1.3 is listed on the Suricata webpage. System also reports to be on the latest version, 2.4.4-RELEASE-p2
I don't believe you are a lawyer anywhere from the lack of intelligence in your response. I'm calling you on the bluff.
As I said revoke whatever the hell you want anytime. But it's not retroactive. GPL is both a license and a contract. I can bloody well read. https://suricata-ids.org/about/suricata-gpl-faq/
Depends on how much you're willing to work for it, I guess.
If you want good bang for the buck, www.pfsense.org/products and then install the Suricata https://suricata-ids.org/ plugin. With pfSense, since you're basically just paying for the hardware (more or less), you can buy two and just cluster them and get an HA pair for less than you'd pay for one UTM firewall with licensing fees and whatnot.
This is total overkill, for $2 grand. https://www.netgate.com/solutions/pfsense/xg-7100-1u-dual.html
But the packaged solutions are no doubt slicker.
You can block it via running something like Suricata (https://suricata-ids.org/) with the Emerging Threats P2P ruleset (http://rules.emergingthreats.net/open/suricata/rules/emerging-p2p.rules) on your endpoints without spying on traffic.