Firewall Project


Activating IDS (Intrusion Detection System) on IpCop


IPCop includes the Snort intrusion detection system, a powerful tool for detecting various attacks on internal servers. If you use IPCop to protect servers on a DMZ network, you will find Snort quite useful. The added benefit of an IDS is that we can see what is passing through our network and attempt to isolate any traffic that appears malicious. This is important because it is a function many firewalls lack (except those with layer-seven support, which are termed application-layer firewalls). Since firewalls work at the lower layers of network communication, their filtering rules are generally limited to IP addresses, ports, time of day, and only a few other criteria.

IPCop makes setting up Snort very simple. Just go to the “IDS” tab on the IPCop menu under Services and tick the “Enabled” box. To get the latest Snort rulesets, you have to register at snort.org and generate an Oink code. Check the box “Sourcefire VRT rules for registered users”, since the subscription option is for those who pay. Then Save, Refresh, Download, Apply, and choose which interfaces to monitor. It should look like this:

 

 

 

 

 

After that, remember to check your logs regularly in the Logs menu:

 

 

 

 

Next, one needs to set up log forwarding to a remote server where the logs can be processed.
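As an added example (not from the original post and not IPCop's own code), here is a short Python triage script of the kind that could run on the remote server over forwarded Snort alerts. It assumes the alerts arrive in Snort's one-line "fast" format; the sample lines, signature IDs, messages and addresses are constructed.

```python
import re
from collections import Counter

# Assumed input: Snort one-line "fast" alerts (full-mode alerts span several lines).
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# Constructed sample data (documentation address ranges, made-up signature IDs).
SAMPLE = """\
03/14-16:21:05.123456  [**] [1:1000001:1] Constructed rule A: DMZ web probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51515 -> 192.0.2.10:80
03/14-16:21:09.000001  [**] [1:1000001:1] Constructed rule A: DMZ web probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51520 -> 192.0.2.10:80
03/14-16:22:30.500000  [**] [1:1000002:3] Constructed rule B: ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.4 -> 192.0.2.10
03/14-16:23:00 truncated line
"""

def split_endpoint(ep):
    """Split IPv4 'ip:port'; ICMP (no port) and IPv6 endpoints are returned whole."""
    ip, sep, port = ep.partition(":")
    if sep and port.isdigit():
        return ip, int(port)
    return ep, None

def parse_alerts(lines):
    """Return (alerts, rejected); unparsed lines are kept, never silently dropped."""
    alerts, rejected = [], []
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if not m:
            if line.strip():
                rejected.append(line)
            continue
        a = m.groupdict()
        a["prio"] = int(a["prio"])
        a["src_ip"], a["src_port"] = split_endpoint(a.pop("src"))
        a["dst_ip"], a["dst_port"] = split_endpoint(a.pop("dst"))
        alerts.append(a)
    return alerts, rejected

def summarize(alerts, max_prio=2):
    """Count alerts per (source IP, gid:sid, message); priority 1 is the most severe."""
    hits = Counter((a["src_ip"], f'{a["gid"]}:{a["sid"]}', a["msg"])
                   for a in alerts if a["prio"] <= max_prio)
    return hits.most_common()
```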

Reference:

Configuring IPCop Firewalls: Closing Borders with Open Source, ISBN 1-904811-36-1

Written by zigurds

March 14, 2011 at 16:21

Posted in Progress & Tasks

3 Responses


  1. Referring to a book could benefit from an amazon link.

    mbnielsen

    March 16, 2011 at 14:25

