# Guide: IPS Security Levels

KVH IPS utilizes Snort with Talos signature rulesets. Talos supports multiple inspection levels to control how aggressively the IPS operates when blocking traffic. These levels balance security, visibility, and network stability.
## Level 1 – Maximum Detection

**Purpose:** Visibility and research, not uptime.

**Enabled Capabilities**
- Experimental rules
- Policy violations
- Informational signatures
- Weak heuristics

**Designed For**
- SOC labs
- Threat research
- Forensics
- Honeypots

**Production Use:** Not recommended for inline production IPS.

**Trade-offs**
- Very noisy
- Can break applications

**False Positives:** High
## Level 2 – Security

**Purpose:** Catch advanced threats, accept some operational noise.

**Enabled Capabilities**
- Suspicious behaviors
- Heuristic-based detections
- Broader client-side exploit rules

**Commonly Flags**
- Scan activity
- Unusual protocol usage
- Obfuscated payloads

**Operational Requirements**
- Rule tuning
- Allow-lists
- SOC review

**Trade-offs**
- Applications may break without tuning

**False Positives:** Moderate
## Level 3 – Balanced Protection (Recommended)

**Purpose:** Strong protection without breaking applications.

**Capabilities**
- Blocks reliable exploit and malware traffic
- Broader exploit detection
- Protocol abuse detection
- Clear reconnaissance patterns

**Conservative On**
- Client-side attacks
- High false-positive-risk signatures

**Trade-offs**
- Slightly higher inspection overhead

**False Positives:** Low
## Level 4 – Connectivity

**Purpose:** Preserve connectivity, block only the most certain threats.

**Capabilities**
- Known malware
- Active exploit kits
- C2 callbacks
- High-confidence worms

**Operational Focus**
- Minimal inspection overhead
- Maximum stability

**Ideal For**
- Mission-critical networks
- OT / maritime / remote sites
- New deployments

**Trade-offs**
- Misses emerging or low-confidence threats

**False Positives:** Extremely rare
## Level Comparison

| Level | Name | Aggressiveness | False Positive Risk | Blocking Scope |
|---|---|---|---|---|
| 1 | Maximum | Very High | Highest | Known + Likely + Emerging |
| 2 | Security | High | Moderate | Known + Some Heuristic |
| 3 | Balanced | Medium | Low | Known, Validated |
| 4 | Connectivity | Very Low | Minimal | Critical Exploits Only |
## Talos Blocking Strategy

Talos levels influence:
- Enabled rule categories
- Heuristic / behavioral blocking
- Treatment of low-confidence signatures
- Block vs detect thresholds

Talos levels do not:
- Change rule severity
- Override explicit allow/deny rules
- Replace reputation-based blocking
## Common Enterprise Deployment Pattern

| Environment | Recommended Level |
|---|---|
| Perimeter / Internet Edge | Level 2 or 3 |
| Internal East-West Visibility | Level 1 (Detect) |
| OT / Retail / Guest Networks | Level 4 |
| MSP Multi-Tenant Default | Level 3 |
## Security Posture Mapping

Talos levels align with security posture controls:

| Talos Level | Posture Name |
|---|---|
| Level 1 | Maximum Detection |
| Level 2 | Strong |
| Level 3 | Balanced |
| Level 4 | Connectivity |
## Snort Rule Categories (Talos-Maintained)

**Common Talos Categories**
- malware-cnc
- exploit-kit
- browser-exploits
- file-identify
- file-office
- file-pdf
- file-java
- sql-injection
- web-application-attack
- attempted-admin
- attempted-user
- privilege-escalation
- network-scan
- reconnaissance
- policy-violation
- protocol-command-decode
- bad-traffic
- dos
- shellcode
- trojan-activity
- misc-attack

Note: Category inclusion may vary slightly by Snort version and subscription.
### Level 1 – Maximum Detection (Most Aggressive)

**Enabled for Blocking**
- malware-cnc
- trojan-activity
- exploit-kit
- browser-exploits
- shellcode
- privilege-escalation
- attempted-admin
- attempted-user
- web-application-attack
- sql-injection
- file-identify
- file-office
- file-pdf
- file-java
- network-scan
- reconnaissance
- protocol-command-decode
- bad-traffic
- dos
- misc-attack
- policy-violation

**Characteristics**
- Heuristic and emerging rules enabled
- Behavioral blocking
- Highest false positives

**Typical Use**
- SOC visibility
- Detect-only zones
- High-risk segments
### Level 2 – Security

**Enabled for Blocking**
- malware-cnc
- trojan-activity
- exploit-kit
- browser-exploits
- shellcode
- privilege-escalation
- attempted-admin
- web-application-attack
- sql-injection
- file-identify
- file-office
- file-pdf
- protocol-command-decode
- bad-traffic
- dos

**Detect-Only / Reduced**
- network-scan
- reconnaissance
- misc-attack
- policy-violation

**Characteristics**
- High-confidence exploit blocking
- Limited heuristics
- Reduced noise vs Level 1
### Level 3 – Balanced

**Enabled for Blocking**
- malware-cnc
- trojan-activity
- exploit-kit
- browser-exploits
- shellcode
- web-application-attack
- sql-injection
- file-identify
- bad-traffic
- dos
- protocol-command-decode

**Detect-Only**
- attempted-admin
- attempted-user
- privilege-escalation
- file-office
- file-pdf
- network-scan
- reconnaissance

**Disabled**
- policy-violation
- Most misc-attack

**Characteristics**
- Only validated malicious traffic
- Recommended production default
- Very low false positives
### Level 4 – Connectivity (Least Aggressive)

**Enabled for Blocking**
- malware-cnc
- exploit-kit
- shellcode
- bad-traffic (critical only)
- dos (high confidence)

**Detect-Only**
- browser-exploits
- trojan-activity
- web-application-attack
- sql-injection

**Disabled**
- file-*
- attempted-*
- privilege-escalation
- network-scan
- reconnaissance
- policy-violation
- Most protocol-command-decode

**Characteristics**
- Near-zero false positives
- Only blocks near-certain exploitation
- Preserves fragile applications
## Summary Matrix

**Legend**
- ✅ = Block
- 🔍 = Detect-only
- ❌ = Disabled

| Category Type | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|
| Malware / C2 | ✅ | ✅ | ✅ | ✅ |
| Exploit Kits | ✅ | ✅ | ✅ | ✅ |
| Browser Exploits | ✅ | ✅ | ✅ | 🔍 |
| Web Attacks / SQLi | ✅ | ✅ | ✅ | 🔍 |
| File Inspection | ✅ | ✅ | 🔍 | ❌ |
| Priv Esc / Admin | ✅ | ✅ | 🔍 | ❌ |
| Recon / Scans | ✅ | 🔍 | 🔍 | ❌ |
| Policy Violations | ✅ | 🔍 | ❌ | ❌ |
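The following script is an added example, not KVH or Talos tooling, that makes the per-level category lists above and the "Talos levels do not override explicit allow/deny rules" point concrete: it takes a Snort rule set and rewrites each rule's action to `drop` (block), `alert` (detect-only), or comments it out (disabled) according to the level chosen, while leaving explicit `pass` rules untouched. It assumes each rule's category is the upper-case prefix of its `msg` (the convention Talos rules follow), falling back to `classtype`; the sample rules, their message prefixes and SIDs are constructed for this example, and the treatment of categories a level's lists do not mention is an assumption stated in the policy table.

```python
"""Rewrite a Snort rule set to the block / detect-only / disabled split that
one of the four levels in the guide prescribes.

Added example, not KVH's or Talos's own code. Assumptions:
  * a rule's category is the upper-case prefix of its msg ("MALWARE-CNC ..."),
    falling back to classtype when no prefix is present;
  * block -> action "drop", detect-only -> action "alert", disabled -> the
    rule is commented out with "#";
  * explicit "pass" (allow) rules are never touched, matching the guide's
    statement that levels do not override explicit allow/deny rules.
"""
import fnmatch
import re
from typing import Dict, Optional

# Category policy per level, transcribed from the guide's per-level lists.
# Patterns are shell-style globs (file-*, attempted-*); first match wins.
# "default" (what happens to a category the level's lists do not name) is an
# assumption, not something the guide states.
LEVEL_POLICY = {
    1: {"block": ["*"], "detect": [], "disable": [], "default": "block"},
    2: {"block": [],
        "detect": ["network-scan", "reconnaissance", "misc-attack", "policy-violation"],
        "disable": [], "default": "block"},
    3: {"block": ["malware-cnc", "trojan-activity", "exploit-kit", "browser-exploits",
                  "shellcode", "web-application-attack", "sql-injection",
                  "file-identify", "bad-traffic", "dos", "protocol-command-decode"],
        "detect": ["attempted-admin", "attempted-user", "privilege-escalation",
                   "file-office", "file-pdf", "network-scan", "reconnaissance"],
        "disable": ["policy-violation", "misc-attack"], "default": "detect"},
    4: {"block": ["malware-cnc", "exploit-kit", "shellcode", "bad-traffic", "dos"],
        "detect": ["browser-exploits", "trojan-activity", "web-application-attack",
                   "sql-injection"],
        "disable": ["file-*", "attempted-*", "privilege-escalation", "network-scan",
                    "reconnaissance", "policy-violation", "protocol-command-decode"],
        "default": "disable"},
}
ACTION_FOR = {"block": "drop", "detect": "alert"}

# A rule line, optionally commented out (a previously disabled rule can be
# re-enabled when the level changes).
RULE_RE = re.compile(r"^(?:#\s*)?(?P<action>alert|drop|reject|sdrop|pass|log)\s+(?P<rest>.+)$")
MSG_PREFIX_RE = re.compile(r'msg:"(?P<prefix>[A-Z][A-Z0-9-]*) ')
CLASSTYPE_RE = re.compile(r"classtype:(?P<ct>[a-z-]+);")
SID_RE = re.compile(r"sid:(?P<sid>\d+);")

# Constructed sample rule set (SIDs, messages and hosts are made up).
SAMPLE_RULES = """\
# constructed sample rule set for this example
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Example.Beacon outbound check-in"; flow:to_server,established; content:"/gate.php"; classtype:trojan-activity; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SQL-INJECTION Example union select in URI"; flow:to_server,established; content:"union select"; nocase; classtype:web-application-attack; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-PDF Example malformed xref table"; flow:to_client,established; file_data; content:"xref"; classtype:attempted-user; sid:9000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"NETWORK-SCAN Example SSH banner sweep"; flow:to_server; classtype:network-scan; sid:9000004; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"POLICY-VIOLATION Example IRC client use"; flow:to_server,established; classtype:policy-violation; sid:9000005; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ATTEMPTED-ADMIN Example SMB admin share access"; flow:to_server,established; classtype:attempted-admin; sid:9000006; rev:1;)
pass tcp $HOME_NET any -> 203.0.113.10 443 (msg:"LOCAL Allow-listed backup service"; classtype:not-suspicious; sid:1000001; rev:1;)
"""


def category_of(rule: str) -> Optional[str]:
    """Category from the msg prefix, else from classtype, else None."""
    m = MSG_PREFIX_RE.search(rule)
    if m:
        return m.group("prefix").lower()
    m = CLASSTYPE_RE.search(rule)
    return m.group("ct") if m else None


def disposition_for(category: str, level: int) -> str:
    """block / detect / disable for one category at one level."""
    policy = LEVEL_POLICY[level]
    for disp in ("block", "detect", "disable"):
        if any(fnmatch.fnmatchcase(category, pat) for pat in policy[disp]):
            return disp
    return policy["default"]


def dispositions(rules_text: str, level: int) -> Dict[int, str]:
    """Map each classifiable SID to its disposition ("pass" for allow rules)."""
    result: Dict[int, str] = {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        sid = SID_RE.search(line)
        if not m or not sid:
            continue
        if m.group("action") == "pass":
            result[int(sid.group("sid"))] = "pass"
            continue
        cat = category_of(line)
        if cat is not None:
            result[int(sid.group("sid"))] = disposition_for(cat, level)
    return result


def apply_level(rules_text: str, level: int) -> str:
    """Return the rule set rewritten for the given level."""
    out = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        cat = category_of(line) if m else None
        if m is None or cat is None or m.group("action") == "pass":
            out.append(line)  # comments, blanks, unclassifiable and pass rules are left as-is
            continue
        disp = disposition_for(cat, level)
        if disp == "disable":
            out.append("# " + m.group("action") + " " + m.group("rest"))
        else:
            out.append(ACTION_FOR[disp] + " " + m.group("rest"))
    return "\n".join(out)


if __name__ == "__main__":
    for lvl in (1, 2, 3, 4):
        print(f"--- Level {lvl}: {dispositions(SAMPLE_RULES, lvl)}")
    print(apply_level(SAMPLE_RULES, 4))
```

Running it with Level 4 shows only the malware-cnc rule becoming `drop`, the sql-injection rule staying `alert`, the file-pdf, scan, policy and attempted-admin rules commented out, and the `pass` rule untouched; switching to Level 1 turns every non-pass rule into `drop`, which is the "very noisy, can break applications" trade-off the guide describes.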