Sat-Elite IPS utilizes Snort with Talos Signature Rulesets. Talos supports multiple inspection levels to control how aggressively the IPS operates when blocking traffic.
These levels balance security, visibility, and network stability.

Level 1 – Maximum Detection

Purpose
Visibility and research, not uptime.

Enabled Capabilities
- Experimental rules
- Policy violations
- Informational signatures
- Weak heuristics

Designed For
- SOC labs
- Threat research
- Forensics
- Honeypots

Production Use
- Not recommended for inline production IPS

Trade-offs
- Very noisy
- Can break applications

False Positives
High

Level 2 – Security

Purpose
Catch advanced threats, accept some operational noise.

Enabled Capabilities
- Suspicious behaviors
- Heuristic-based detections
- Broader client-side exploit rules

Commonly Flags
- Scan activity
- Unusual protocol usage
- Obfuscated payloads

Operational Requirements
- Rule tuning
- Allow-lists
- SOC review

Trade-offs
- Applications may break without tuning

False Positives
Moderate

Level 3 – Balanced Protection (Recommended)

Purpose
Strong protection without breaking applications.

Capabilities
- Blocks reliable exploit and malware traffic
- Broader exploit detection
- Protocol abuse detection
- Clear reconnaissance patterns

Conservative On
- Client-side attacks
- High false-positive risk signatures

Trade-offs
- Slightly higher inspection overhead

False Positives
Low

Level 4 – Connectivity

Purpose
Preserve connectivity, block only the most certain threats.

Capabilities
- Known malware
- Active exploit kits
- C2 callbacks
- High-confidence worms

Operational Focus
- Minimal inspection overhead
- Maximum stability

Ideal For
- Mission-critical networks
- OT / maritime / remote sites
- New deployments

Trade-offs
- Misses emerging or low-confidence threats

False Positives
Extremely rare

Level Comparison

| Level | Name | Aggressiveness | False Positive Risk | Blocking Scope |
|---|---|---|---|---|
| 1 | Maximum | Very High | Highest | Known + Likely + Emerging |
| 2 | Security | High | Moderate | Known + Some Heuristic |
| 3 | Balanced | Medium | Low | Known, Validated |
| 4 | Connectivity | Very Low | Minimal | Critical Exploits Only |

Talos Blocking Strategy

Talos levels influence:
- Enabled rule categories
- Heuristic / behavioral blocking
- Treatment of low-confidence signatures
- Block vs detect thresholds

Talos levels do not:
- Change rule severity
- Override explicit allow/deny rules
- Replace reputation-based blocking

Common Enterprise Deployment Pattern

| Environment | Recommended Level |
|---|---|
| Perimeter / Internet Edge | Level 2 or 3 |
| Internal East-West Visibility | Level 1 (Detect) |
| OT / Retail / Guest Networks | Level 4 |
| MSP Multi-Tenant Default | Level 3 |

Security Posture Mapping

Talos levels align with security posture controls:

| Talos Level | Posture Name |
|---|---|
| Level 1 | Maximum Detection |
| Level 2 | Strong |
| Level 3 | Balanced |
| Level 4 | Connectivity |

Snort Rule Categories (Talos-Maintained)

Common Talos Categories
- malware-cnc
- exploit-kit
- browser-exploits
- file-identify
- file-office
- file-pdf
- file-java
- sql-injection
- web-application-attack
- attempted-admin
- attempted-user
- privilege-escalation
- network-scan
- reconnaissance
- policy-violation
- protocol-command-decode
- bad-traffic
- dos
- shellcode
- trojan-activity
- misc-attack

Note: Category inclusion may vary slightly by Snort version and subscription.

Level 1 – Maximum Detection (Most Aggressive)

Enabled for Blocking
- malware-cnc
- trojan-activity
- exploit-kit
- browser-exploits
- shellcode
- privilege-escalation
- attempted-admin
- attempted-user
- web-application-attack
- sql-injection
- file-identify
- file-office
- file-pdf
- file-java
- network-scan
- reconnaissance
- protocol-command-decode
- bad-traffic
- dos
- misc-attack
- policy-violation

Characteristics
- Heuristic and emerging rules enabled
- Behavioral blocking
- Highest false positives

Typical Use
- SOC visibility
- Detect-only zones
- High-risk segments

Level 2 – Security

Enabled for Blocking
- malware-cnc
- trojan-activity
- exploit-kit
- browser-exploits
- shellcode
- privilege-escalation
- attempted-admin
- web-application-attack
- sql-injection
- file-identify
- file-office
- file-pdf
- protocol-command-decode
- bad-traffic
- dos

Detect-Only / Reduced
- network-scan
- reconnaissance
- misc-attack
- policy-violation

Characteristics
- High-confidence exploit blocking
- Limited heuristics
- Reduced noise vs Level 1

Level 3 – Balanced

Enabled for Blocking
- malware-cnc
- trojan-activity
- exploit-kit
- browser-exploits
- shellcode
- web-application-attack
- sql-injection
- file-identify
- bad-traffic
- dos
- protocol-command-decode

Detect-Only
- attempted-admin
- attempted-user
- privilege-escalation
- file-office
- file-pdf
- network-scan
- reconnaissance

Disabled
- policy-violation
- Most misc-attack

Characteristics
- Only validated malicious traffic
- Recommended production default
- Very low false positives

Level 4 – Connectivity (Least Aggressive)

Enabled for Blocking
- malware-cnc
- exploit-kit
- shellcode
- bad-traffic (critical only)
- dos (high confidence)

Detect-Only
- browser-exploits
- trojan-activity
- web-application-attack
- sql-injection

Disabled
- file-*
- attempted-*
- privilege-escalation
- network-scan
- reconnaissance
- policy-violation
- Most protocol-command-decode

Characteristics
- Near-zero false positives
- Only blocks near-certain exploitation
- Preserves fragile applications
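As an added example (not Sat-Elite or Talos code), the four per-level category policies above expressed as a Snort rule-action rewriter. It assumes rule files are named by category as in a Talos rule bundle (e.g. `malware-cnc.rules`), that a category a level does not list falls through to detect-only, and that the "critical only" / "most" qualifiers are left to per-rule review rather than modelled; rules shipped commented out and explicit `pass` rules are never touched, matching the statement that levels do not override explicit allow rules.

```python
import re
from fnmatch import fnmatch

BLOCK, DETECT, OFF = "drop", "alert", None     # OFF: comment the rule out

# Per-level policy transcribed from the sections above: ordered groups of
# category patterns (space separated, fnmatch wildcards), first match wins.
# Assumption: a category the page does not list for a level is detect-only.
POLICY = {
    1: [("*", BLOCK)],
    2: [("malware-cnc trojan-activity exploit-kit browser-exploits shellcode "
         "privilege-escalation attempted-admin web-application-attack sql-injection "
         "file-identify file-office file-pdf protocol-command-decode bad-traffic dos", BLOCK)],
    3: [("malware-cnc trojan-activity exploit-kit browser-exploits shellcode "
         "web-application-attack sql-injection file-identify bad-traffic dos "
         "protocol-command-decode", BLOCK),
        ("policy-violation misc-attack", OFF)],
    4: [("malware-cnc exploit-kit shellcode bad-traffic dos", BLOCK),
        ("browser-exploits trojan-activity web-application-attack sql-injection", DETECT),
        ("file-* attempted-* privilege-escalation network-scan reconnaissance "
         "policy-violation protocol-command-decode", OFF)],
}

# Only active rules are rewritten: lines Talos ships commented out stay off,
# and explicit `pass` rules are left alone (levels do not override allow rules).
ACTION_RE = re.compile(r"^(alert|log|drop|block|reject|sdrop)\b")

def action_for(category, level):
    for patterns, action in POLICY[level]:
        if any(fnmatch(category, p) for p in patterns.split()):
            return action
    return DETECT

def rewrite(line, action):
    m = ACTION_RE.match(line)
    if not m:                       # comment, blank line or pass rule: untouched
        return line
    return f"# {line}" if action is OFF else f"{action}{line[m.end():]}"

def apply_level(rule_files, level):
    return {name: [rewrite(l, action_for(name.removesuffix(".rules"), level)) for l in lines]
            for name, lines in rule_files.items()}

SAMPLE = {  # constructed sample rules, not taken from the Talos ruleset
    "malware-cnc.rules": ['alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE beacon"; sid:9000001; rev:1;)',
                          '# alert tcp any any -> any any (msg:"SAMPLE vendor-disabled"; sid:9000002; rev:1;)'],
    "file-pdf.rules": ['alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE pdf"; sid:9000003; rev:1;)'],
    "policy-violation.rules": ['alert tcp any any -> any any (msg:"SAMPLE policy"; sid:9000004; rev:1;)',
                               'pass tcp $HOME_NET any -> any 443 (msg:"SAMPLE allow"; sid:9000005; rev:1;)'],
}
```

Run `apply_level(SAMPLE, 3)` to see Level 3 turn the C2 rule into `drop`, leave the PDF rule at `alert`, and comment out the policy-violation rule while keeping the `pass` rule intact.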

Summary Matrix

Legend
- ✅ = Block
- 🔍 = Detect-only
- ❌ = Disabled

| Category Type | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|
| Malware / C2 | ✅ | ✅ | ✅ | ✅ |
| Exploit Kits | ✅ | ✅ | ✅ | ✅ |
| Browser Exploits | ✅ | ✅ | ✅ | 🔍 |
| Web Attacks / SQLi | ✅ | ✅ | ✅ | 🔍 |
| File Inspection | ✅ | ✅ | 🔍 | ❌ |
| Priv Esc / Admin | ✅ | ✅ | 🔍 | ❌ |
| Recon / Scans | ✅ | 🔍 | 🔍 | ❌ |
| Policy Violations | ✅ | 🔍 | ❌ | ❌ |

References