There are parts of Suricata IPS/IDS that inspect packet content and block malicious IPs. I can see how both of those are useful, but another part of Suricata IPS/IDS is the addition of 2 filters ("src,src,dst" & "dst,dst,src") to the IPTables INPUT and FORWARD chains. Based on the Suricata documentation (or my poor understanding of it), those 2 rules simply match sources and destinations. Shouldn't NAT do that on its own without any need for IPS/IDS?
Am I correct to understand that the malicious IP blocking and source/destination parts of IDS/IPS can function without DPI? On my network, DPI detects 99% of content as "Unknown" and the other 1% as "SSL/TLS" because almost everything is encrypted via VPN. I am not sure if IDS/IPS is even useful in such a situation.