Intrusion Detection System (IDS)

Introduction to Intrusion Detection System

Zentyal integrates Snort [2], one of the most widely used intrusion detection systems, which is available for both Windows and Linux.

[2]http://www.snort.org

Configuring an IDS with Zentyal

Configuration of the Intrusion Detection System in Zentyal is very easy: you only have to enable or disable a number of elements. First, you specify on which network interfaces the IDS should listen. Then you choose the groups of rules that will be matched against the captured packets; each positive match produces an alert.

You can access both configuration options through the IDS menu. On the Interfaces tab of this section, a table lists all the configured network interfaces. All of them are disabled by default, because inspecting traffic costs CPU time and can add latency; enable only the interfaces you actually need to monitor by ticking their checkboxes.

_images/ids-01-interfaces.png

Network interface configuration for IDS

The Rules tab shows a table preloaded with all the Snort rulesets installed on your system. A typical set of rulesets is enabled by default.

You can save CPU time by disabling the rulesets you are not interested in, for example those covering services that do not exist on your network. If you have spare hardware resources, you can also enable additional rulesets that are relevant to you. Rulesets are enabled and disabled with a checkbox, in the same way as interfaces.

_images/ids-02-rules.png

IDS rules

IDS Alerts

With what you have seen so far, the IDS module is running, but it would not be very useful yet: nothing would notify you when it detects an intrusion or an attack against your network. As described next, the Zentyal logs and events system makes this task easy and efficient.

The IDS module is integrated with the Zentyal logs module, so if the latter is enabled you can query the IDS alerts using the usual log query interface. Likewise, you can configure an event for any of these alerts so that the system administrator is notified through any of the available means.

For additional information, see the Logs chapter.
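As an added illustration of the alert triage step described above (this is example code, not part of Zentyal or Snort), the following script parses Snort alerts in the "fast" alert line format, selects the ones worth an administrator notification by priority or by watched signature ID, and flags sources that trigger the same signature repeatedly. The sample log lines are constructed for this example; the signature IDs 1000001 to 1000003 are in the range reserved for local rules and are hypothetical. The regular expression is an assumption based on the Snort 2.x fast alert layout, in which a lower priority number means a more severe alert.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Layout of one Snort "fast" alert line (assumption based on Snort 2.x output):
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] message [**] [Classification: ...] [Priority: N] {PROTO} src -> dst
# The Classification field is optional; ICMP alerts carry no port numbers.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s*"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# Constructed sample log for this example (hypothetical local-rule SIDs, RFC 5737 addresses).
SAMPLE_ALERT_LOG = """\
03/14-10:21:05.112233  [**] [1:1000001:1] LOCAL SSH brute-force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:51234 -> 192.0.2.10:22
03/14-10:21:06.334455  [**] [1:1000002:2] LOCAL ICMP ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.7 -> 192.0.2.10
03/14-10:21:07.556677  [**] [1:1000001:1] LOCAL SSH brute-force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:51235 -> 192.0.2.10:22
03/14-10:21:09.778899  [**] [1:1000003:1] LOCAL suspicious DNS TXT query [**] [Priority: 2] {UDP} 192.0.2.55:41000 -> 192.0.2.1:53
this line is not an alert and must be skipped
"""


@dataclass(frozen=True)
class Alert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    dst: str


def parse_alert(line):
    """Parse one fast-format alert line; return None for lines that do not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return Alert(
        m.group("ts"), int(m.group("gid")), int(m.group("sid")), int(m.group("rev")),
        m.group("msg"), m.group("cls") or "", int(m.group("prio")),
        m.group("proto"), m.group("src"), m.group("dst"),
    )


def parse_alert_log(text):
    """Parse a whole alert file, silently skipping blank and non-alert lines."""
    alerts = []
    for line in text.splitlines():
        if line.strip():
            a = parse_alert(line)
            if a is not None:
                alerts.append(a)
    return alerts


def select_for_notification(alerts, max_priority=1, watched_sids=()):
    """Alerts worth paging the administrator: severe ones (priority <= max_priority)
    plus any signature the administrator explicitly watches, regardless of priority."""
    return [a for a in alerts if a.priority <= max_priority or a.sid in watched_sids]


def host_of(endpoint):
    """Strip the port from 'ip:port'; ICMP endpoints have no port. (IPv4 only here.)"""
    return endpoint.rsplit(":", 1)[0] if ":" in endpoint else endpoint


def repeated_sources(alerts, min_count=2):
    """Count (sid, source host) pairs and return those hitting the same signature
    at least min_count times, i.e. candidates for a burst/brute-force notification."""
    counts = Counter((a.sid, host_of(a.src)) for a in alerts)
    return {k: v for k, v in counts.items() if v >= min_count}


def summarize(alerts):
    """Alert volume per signature, the view you want before tuning rulesets."""
    return Counter((a.sid, a.msg) for a in alerts)


if __name__ == "__main__":
    parsed = parse_alert_log(SAMPLE_ALERT_LOG)
    for a in select_for_notification(parsed, max_priority=1, watched_sids={1000003}):
        print(f"NOTIFY sid={a.sid} prio={a.priority} {a.src} -> {a.dst}: {a.msg}")
    for (sid, src), n in repeated_sources(parsed).items():
        print(f"BURST sid={sid} from {src}: {n} hits")
```

The priority threshold mirrors how you would scope a Zentyal event: page the administrator for priority 1 alerts, log everything else for later querying, and add explicit SIDs for rules you care about even when their priority is low. The summary by signature is also the quickest way to spot a ruleset that fires constantly on legitimate traffic and should be disabled on the Rules tab.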
