Contact Support
Can't find what you're looking for? Our support team is here to help.
NIDS technical overview
Overview
NIDS (Network Intrusion Detection System) is a Meter Firewall feature that monitors network traffic for suspicious activity and potential security threats. NIDS operates in two modes: detect-only (IDS) for logging threats, and protect (IPS) for automatically blocking malicious traffic. This enables you to identify and respond to security incidents happening on your network in real time.
Use cases
- Monitor network traffic for malware, command-and-control communications, and exploit attempts
- Automatically block known threats before they can compromise devices on your network
- Meet compliance requirements for network security monitoring and threat detection
- Detect suspicious behavior patterns in encrypted traffic through metadata analysis
- Identify compromised devices communicating with malicious external servers
- Generate security event logs for analysis in your SIEM platform
Prerequisites
- Meter Firewall (mc06 or mc11)
- NOS version supporting NIDS (contact support for minimum version)
- Dashboard access with Partner or Admin write permissions
- At least one configured VLAN to monitor
How NIDS works
Detection engine
NIDS operates locally on your Firewall, analyzing network traffic in real time without sending packet data to Meter's backend. The system uses signature-based detection powered by the Emerging Threats ruleset, which contains thousands of rules for identifying known attack patterns, malware, and suspicious network behavior.
Traffic analysis
For unencrypted traffic (HTTP, DNS, etc.): The Firewall inspects both packet payloads and metadata to detect threats such as malware downloads, command-and-control activity, and exploit attempts. This enables deep packet inspection and signature-based threat detection.
For encrypted traffic (HTTPS, TLS, etc.): The Firewall cannot decrypt encrypted content. Instead, it analyzes metadata and behavioral patterns including:
- SNI information from TLS handshakes
- Connection timing, frequency, and destination patterns
- Packet sizes and flow characteristics
- Certificate information
Privacy: Meter NIDS never breaks encryption. The contents of your encrypted traffic remain completely private and secure, end to end.
Operating modes
Detect mode (IDS):
- Monitors traffic and generates event logs when threats are detected
- No automatic blocking - all traffic continues flowing normally
- Allows security teams to review threats before taking action
- Events can be manually converted to persistent firewall rules
Protect mode (IPS):
- Automatically blocks traffic matching high-severity threat signatures
- Generates temporary ACL rules to prevent future connections
- Configurable rule duration (default 24 hours)
- Includes suppression capabilities for false positives
Traffic scope
North-South traffic (default):
- Monitors traffic entering or leaving your network through the internet
- Scans traffic between selected VLANs and external destinations
East-West traffic (optional):
- Monitors traffic between VLANs within your network
- Useful for detecting lateral movement from compromised devices
- Can be enabled per NIDS configuration
Threat categories
NIDS organizes detection rules into categories based on threat type. Each category can be independently configured for detect or protect mode. The complete list of categories and signatures is visible in Dashboard after enabling NIDS (navigate to Firewall > NIDS > Categories or Signatures tabs).
All threat categories
| Category | Description | Potentially impacted services |
|---|---|---|
| activex | ActiveX-related exploits and attacks | Legacy web applications, Internet Explorer components |
| adware-pup | Adware and potentially unwanted programs | Browser extensions, bundled software installers |
| attack-response | Responses indicating successful attacks | Compromised servers returning attack payloads |
| bad-unknown | Generic malware and suspicious traffic patterns | Malware downloads, compromised device communications |
| botcc | Botnet command and control communications | Infected devices communicating with bot controllers |
| chat | Instant messaging and chat protocols | IRC, instant messaging clients |
| coinmining | Cryptocurrency mining traffic | Mining pool connections, mining software |
| current-events | Threats related to current security events | Zero-day exploits, trending attack campaigns |
| ddos | Distributed denial of service attacks | Network flooding, amplification attacks |
| decode-error | Protocol decoding errors indicating attacks | Malformed packets, protocol abuse |
| deleted | Previously active rules now deprecated | N/A |
| dns | DNS-based attacks and tunneling | DNS exfiltration, DNS tunneling, cache poisoning |
| dos | Denial of service attacks | Network resource exhaustion |
| drop | Known malicious IP addresses | Connections from known bad actors |
| dshield | DShield listed malicious sources | Traffic from DShield blocklist IPs |
| exploit | Exploit attempts against vulnerabilities | Buffer overflows, remote code execution |
| exploit-kit | Exploit kit delivery mechanisms | Drive-by downloads, malicious ad networks |
| external-ip-check | Services that report public IP addresses | IP lookup services (ipinfo.io, whatismyip.com) |
| ftp | FTP-based attacks | FTP brute force, FTP bounce attacks |
| games | Online gaming traffic | Game client updates, gaming protocols |
| hunting | Suspicious behaviors worth investigating | Anomalous patterns, reconnaissance activity |
| icmp | ICMP-based attacks | Ping floods, ICMP tunneling |
| icmp-info | Informational ICMP traffic | Network diagnostics, traceroute |
| inappropriate | Inappropriate content access | Adult content, offensive material |
| info | Informational events | Non-threatening but notable traffic |
| malware | Known malware communications | Command and control servers, data exfiltration |
| misc | Miscellaneous detections | Uncategorized security events |
| mobile-malware | Mobile device malware | Android/iOS malware, mobile C2 |
| netbios | NetBIOS-based attacks | SMB attacks, Windows file sharing exploits |
| p2p | Peer-to-peer file sharing | BitTorrent, eDonkey, other P2P protocols |
| phishing | Phishing site connections | Credential theft attempts, fake login pages |
| policy-violation | Organizational policy violations | Unauthorized protocols, blocked services |
| protocol-command-decode | Protocol command decoding issues | Command injection, protocol abuse |
| rpc | Remote procedure call attacks | RPC exploits, DCE/RPC attacks |
| scada | SCADA/ICS protocol attacks | Industrial control system exploits |
| scan | Network scanning and reconnaissance | Port scans, vulnerability scans, network mapping |
| shellcode | Shellcode execution attempts | Buffer overflow payloads, RCE attempts |
| smtp | Email protocol attacks | SMTP relay abuse, email injection |
| snmp | SNMP-based attacks | SNMP enumeration, community string abuse |
| sql | SQL injection attacks | Database exploitation attempts |
| stream-event | TCP stream anomalies | Connection hijacking, stream manipulation |
| successful-admin | Successful administrative access | Privileged command execution |
| successful-recon-largescale | Large-scale reconnaissance | Mass scanning, network mapping |
| successful-recon-limited | Limited reconnaissance | Targeted scanning |
| successful-user | Successful user-level access | User account compromise |
| suspicious | Suspicious but unconfirmed threats | Anomalous traffic patterns |
| targeted | Targeted attacks | APT activity, spear-phishing |
| telnet | Telnet protocol attacks | Telnet brute force, Telnet exploits |
| tftp | TFTP-based attacks | TFTP abuse, unauthorized file transfers |
| tor | Tor network traffic | Tor entry/exit nodes, hidden services |
| trojan-activity | Trojan command and control | Backdoor communications, RAT activity |
| unsuccessful-user | Failed user access attempts | Failed login attempts, authentication failures |
| user-agents | Suspicious user agent strings | Automated tools, malicious bots |
| voip | VoIP protocol attacks | SIP attacks, VoIP fraud |
| web-application-activity | Web application interactions | API calls, web application traffic |
| web-application-attack | Web application exploits | XSS, CSRF, directory traversal |
| web-client | Web client vulnerabilities | Browser exploits, client-side attacks |
| web-server | Web server attacks | Web server exploits, CGI attacks |
| worm | Worm propagation attempts | Self-replicating malware, network worms |
Example signatures
Below are representative signatures from various categories to illustrate the types of threats detected:
| Signature ID | Signature name | Category | Severity | Description |
|---|---|---|---|---|
| 2019284 | ET ATTACK_RESPONSE Output of id command from HTTP server | attack-response | High | Detects successful command execution on compromised web servers |
| 2100498 | GPL ATTACK_RESPONSE id check returned root | attack-response | High | Identifies root-level command execution responses |
| 2054168 | ET INFO External IP Lookup Domain in DNS Lookup | external-ip-check | High | Monitors connections to IP lookup services like ipinfo.io |
| 2021076 | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | bad-unknown | High | Detects suspicious executable downloads via direct IP addresses |
| 2024788 | ET MALWARE Generic Coinminer Pool Connection | coinmining | High | Identifies cryptocurrency mining pool traffic |
Severity levels
Rules are assigned severity levels to indicate threat priority:
- Critical (1): Immediate threats requiring urgent attention - active attacks, known malware
- High (2): Significant security concerns - suspicious behavior, policy violations
- Medium (3): Potentially unwanted activity - information gathering, reconnaissance
- Low (4): Informational events - unusual but not necessarily malicious traffic
You can configure minimum severity thresholds separately for detect and protect modes. For example, set detect to log Medium+ events while protect only blocks Critical threats.
Performance considerations
Firewall models
1G Firewall (mc06):
- No performance impact when NIDS is enabled
- Suitable for networks with up to 1 Gbps throughput requirements
10G Firewall (mc11):
- Overall throughput limited to under 5 Gbps when NIDS is enabled
- Consider traffic patterns and peak usage when enabling
Optimization strategies
- Start with detect mode to understand event volume before enabling protect
- Monitor only business-critical VLANs initially
- Use category-level controls to disable detection for known-safe services
- Apply suppressions for persistent false positives
- Disable east-west detection if inter-VLAN traffic is considered trusted
Integration with firewall rules
Automatic ACL generation
When protect mode blocks traffic, NIDS automatically creates a temporary ACL rule to prevent future connections from the same source. These rules:
- Apply to the specific source IP, destination IP, and port combination
- Expire after the configured duration (default 24 hours)
- Appear in the Protection tab of the NIDS interface
- Can be deleted manually if needed
Manual ACL creation
From any detection event in the Detection tab, you can manually create a persistent ACL rule:
- Click on the event timestamp to view details
- Click Create ACL rule at the bottom of the event details
- Edit the rule parameters (IP ranges, ports, direction)
- The rule appears in Firewall > ACLs as a permanent rule
ACL rules created from NIDS events are marked with a NIDS icon and link back to the original detection event.
SIEM integration
NIDS events can be exported to your Security Information and Event Management platform for centralized monitoring and analysis. Events are delivered in CloudEvents format via AWS Kinesis Data Streams.
Exported event data includes:
- Source and destination IP addresses and ports
- Threat signature and category information
- Severity level and action taken (allowed/blocked)
- HTTP metadata (hostname, URL, user agent)
- Flow statistics (packet counts, byte counts)
- TLS SNI information when available
For configuration details, see SIEM integration technical overview.
Best practices
Initial deployment:
- Begin with detect mode to baseline normal traffic patterns
- Monitor events for 1-2 weeks before enabling protect mode
- Review category-specific event volumes to identify false positives
- Test protect mode on a single non-critical VLAN first
Ongoing operations:
- Regularly review detection events for new threat patterns
- Create permanent ACL rules for confirmed malicious traffic
- Use suppressions sparingly - prefer category-level adjustments
- Export events to your SIEM for long-term analysis and correlation
- Update minimum severity thresholds based on your risk tolerance
Performance management:
- Monitor Firewall CPU and memory utilization
- Consider disabling east-west detection if not required
- Exclude trusted internal services using suppressions
- Review and delete expired IPS rules periodically
Limitations
Current limitations:
- Cannot inspect encrypted traffic contents (by design for privacy)
- Uses Emerging Threats ruleset - custom signatures not yet supported
- IPS rules may persist in Dashboard UI after reboot until manually deleted
- East-west behavior configurations may require additional tuning for complex network topologies
Not supported:
- SSL/TLS inspection or man-in-the-middle decryption
- Custom signature creation
- Learning mode or behavioral analytics
- Integration with third-party threat intelligence feeds
Related resources
- Configuring NIDS - Step-by-step configuration guide
- SIEM integration technical overview - Export events to your SIEM
- Configuring SIEM integration - Set up event exports
- Firewall ACLs - Managing firewall rules
Need help?
Last updated by Meter Support Engineering on 09/30/2025