The community-maintained documentation platform of IPFire

Intrusion Detection System

What is it?

An Intrusion Detection System (IDS) is a program or framework designed to detect and analyse network attacks and, together with a blocking component, to stop them. It does not replace a packet filter (which IPFire enables by default, see firewall), but it can compensate for some of the packet filter's limitations.

There are basically two types of IDS: a Host-based Intrusion Detection System (HIDS) runs on a single computer and watches only that host, while a Network-based Intrusion Detection System (NIDS) watches the traffic of a whole network and normally runs on a firewall, gateway or dedicated server. IPFire features a NIDS.

How does it work?

A packet filter can be compared to a doorman: it has only limited information about a network packet, such as source address, destination address and protocol or port, and decides on that basis alone. An Intrusion Detection System is more like a security guard who is able to inspect the visitor for weapons or spy tools and who also has access to lists of wanted persons and other documents.

So an IDS is able to detect harmful network packets by their content, because the source address appears on a blacklist, or because the traffic matches the pattern of a known attack. A packet filter normally cannot operate at this level. Again, IDS and packet filter cannot replace each other; both are needed to provide a good level of network security.

The IDS used by IPFire is Snort. Snort works with rules, which are bundled into rulesets that can be downloaded from the rule providers listed below. A rule describes either a pattern to look for in the packet content (a content-based rule) or a set of blacklisted IP addresses that should never talk to your network (an address-based rule).
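The following is an added example, not code from Snort or IPFire: a small parser for the Snort rule syntax that tells the two kinds of rule apart. The two rules are constructed for this page and use SIDs from the local range (1000000 and up) so they do not collide with any published ruleset; `$EXTERNAL_NET` and `$HOME_NET` are Snort's usual network variables.

```python
"""Parse Snort rules and classify them as content-based or address-only.

Added example, not Snort's or IPFire's own code. Both sample rules below are
constructed for illustration; their SIDs are in the local range and do not
refer to any published ruleset.
"""
import re

# Constructed sample rules (not taken from any real ruleset).
CONTENT_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
    '(msg:"EXAMPLE WEB-ATTACK directory traversal attempt"; '
    'flow:to_server,established; content:"../../"; '
    'classtype:web-application-attack; sid:1000001; rev:1;)'
)
BLACKLIST_RULE = (
    'alert ip [203.0.113.0/24,198.51.100.7] any -> $HOME_NET any '
    '(msg:"EXAMPLE BLACKLIST poor reputation source"; '
    'classtype:misc-attack; sid:1000002; rev:1;)'
)

# Rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


def split_options(opts):
    """Split the option body on ';' but not inside double-quoted values."""
    parts, buf, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == ';' and not quoted:
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = ''.join(buf).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(rule):
    """Return header fields, options and a 'kind' of 'content' or 'address-only'."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule: " + rule[:40])
    rec = {k: m.group(k) for k in ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')}
    options = {}
    for opt in split_options(m.group('opts')):
        key, _, value = opt.partition(':')
        options.setdefault(key.strip(), []).append(value.strip().strip('"'))
    rec['options'] = options
    rec['sid'] = int(options['sid'][0])
    rec['msg'] = options.get('msg', [''])[0]
    # A content-based rule inspects payload bytes (content/uricontent/pcre);
    # an address-only rule matches purely on the addresses in the header, which
    # is how blacklist rules are written.
    payload_opts = ('content', 'uricontent', 'pcre')
    rec['kind'] = 'content' if any(o in options for o in payload_opts) else 'address-only'
    return rec


if __name__ == '__main__':
    for rule in (CONTENT_RULE, BLACKLIST_RULE):
        r = parse_rule(rule)
        print(f"sid {r['sid']}: {r['kind']:<13} {r['proto']} {r['src']} -> {r['dst']}:{r['dport']}  {r['msg']}")
```

The `kind` field is what matters when reading alerts later: an alert from a content-based rule means a matching payload was actually seen, while an alert from an address-only rule only says that the source address is on a list.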

What rules are available?

There are four rule sources available:

  1. Community Rules – Free, community-maintained rules that cover scanning activity, attack patterns against various protocols, blacklists and more. No registration is required to use them.
  2. Snort/VRT GPLv2 Community Rules – Free, GPLv2-licensed Snort rules. The quality is usually good. According to the Snort blog, no registration is required.
  3. Sourcefire VRT rules for registered users – The VRT ruleset delayed by 30 days or more; free to use, but registration is required. Their quality is usually somewhat better than that of the Community Rules.
  4. Sourcefire VRT rules with subscription – The same ruleset without the delay, but chargeable. These are useful in a production environment where you need reliable and up-to-date IDS rules.

Disadvantages of an IDS

There are some negative aspects to running an IDS. Most are not critical, but some could prevent you from setting up the IDS on IPFire at all.

  1. An active IDS needs a considerable amount of system resources (CPU time and memory). As a rule of thumb, plan for at least 2 Gigabytes of RAM and a fast CPU (a few fast cores are better than many slow ones) if you want to use an IDS.
  2. Until Core Update 100, the IDS did not run on ARM devices because of a bug. For this reason, and to make sure your system has no known security vulnerabilities, always run the latest available version of IPFire.
  3. It is strongly recommended to install and use the Guardian Add-On together with the IDS. Guardian automatically blocks IP addresses that trigger IDS alerts. Without it, the IDS only reports problems; it blocks nothing and therefore does not actively protect your network.
  4. IPFire currently does not update rules automatically, so you need to check for and install rule updates manually, ideally every week. (Advanced users may automate this with a cron job.)
  5. An IDS is not a magic bullet. Use this guide to make your firewall system more resistant to attacks: security_hardening
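To make item 3 concrete, here is an added example of the kind of decision Guardian makes on top of the IDS; it is not code from IPFire, Snort or the Guardian add-on. It reads Snort "fast" alert lines, counts alerts per source address and blocks sources that exceed a threshold, while never blocking addresses from your own networks. It also flags sources that only hit blacklist (reputation) rules, the caveat discussed under "Choose rules" below. The alert lines, the SIDs, the threshold and the network ranges are all constructed for this page.

```python
"""Triage Snort "fast" alert lines the way the text describes Guardian.

Added example; not code from IPFire, Snort or the Guardian add-on. All alert
lines, SIDs, the threshold and the network ranges are constructed here.
"""
import ipaddress
import re
from collections import Counter

# Snort "fast" alert format, one alert per line. IPv4 endpoints only.
ALERT_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?'
    r'\[Priority:\s*(?P<prio>\d+)\]\s+'
    r'\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$'
)

# Constructed sample alerts (documentation-range addresses, local-range SIDs).
SAMPLE_ALERTS = """\
03/15-16:00:01.000001  [**] [1:1000001:1] EXAMPLE WEB-ATTACK directory traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:44321 -> 192.0.2.10:80
03/15-16:00:02.000002  [**] [1:1000001:1] EXAMPLE WEB-ATTACK directory traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:44322 -> 192.0.2.10:80
03/15-16:00:03.000003  [**] [1:1000001:1] EXAMPLE WEB-ATTACK directory traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:44323 -> 192.0.2.10:80
03/15-16:00:04.000004  [**] [1:1000002:1] EXAMPLE BLACKLIST poor reputation source [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.7:51000 -> 192.0.2.10:443
03/15-16:00:05.000005  [**] [1:1000003:1] EXAMPLE SCAN ICMP ping sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.23 -> 192.0.2.1
03/15-16:00:06.000006  [**] [1:1000003:1] EXAMPLE SCAN ICMP ping sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.23 -> 192.0.2.2
03/15-16:00:07.000007  [**] [1:1000003:1] EXAMPLE SCAN ICMP ping sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.23 -> 192.0.2.3
"""

# Assumed local settings: your own networks (never blocked) and the threshold.
HOME_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]
BLOCK_THRESHOLD = 3
# SIDs of blacklist/reputation rules (constructed): such a hit only says the
# source has a bad reputation, not that it attacked you.
REPUTATION_SIDS = {1000002}


def split_endpoint(endpoint):
    """'203.0.113.5:44321' -> ('203.0.113.5', 44321); '10.0.0.23' -> ('10.0.0.23', None)."""
    host, sep, port = endpoint.rpartition(":")
    return (host, int(port)) if sep else (endpoint, None)


def parse_alert(line):
    """Return a dict for one fast-format alert line, or None if it does not parse."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    src, sport = split_endpoint(m.group("src"))
    dst, dport = split_endpoint(m.group("dst"))
    return {
        "ts": m.group("ts"), "sid": int(m.group("sid")), "msg": m.group("msg"),
        "priority": int(m.group("prio")), "proto": m.group("proto"),
        "src": src, "sport": sport, "dst": dst, "dport": dport,
    }


def is_home(addr):
    """True if the address belongs to one of our own networks."""
    return any(ipaddress.ip_address(addr) in net for net in HOME_NETS)


def triage(lines, threshold=BLOCK_THRESHOLD):
    """Count alerts per source and decide which sources to block."""
    hits = Counter()
    only_reputation = {}
    unparsed = []
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            if line.strip():
                unparsed.append(line)
            continue
        src = rec["src"]
        hits[src] += 1
        only_reputation[src] = only_reputation.get(src, True) and rec["sid"] in REPUTATION_SIDS
    block = sorted(src for src, n in hits.items() if n >= threshold and not is_home(src))
    return {
        "block": block,
        "hits": dict(hits),
        "reputation_only": {src for src, flag in only_reputation.items() if flag},
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS.splitlines())
    for src, n in sorted(result["hits"].items()):
        if is_home(src):
            note = "home network, never blocked"
        else:
            note = "BLOCK" if src in result["block"] else "below threshold"
        if src in result["reputation_only"]:
            note += ", reputation rule only"
        print(f"{src:<16} {n} alert(s): {note}")
```

Two points of the design matter in practice: the home-network exclusion, because an IDS on GREEN or BLUE will also see scans from your own hosts and blocking those locks you out of your own firewall; and the separate treatment of reputation-only hits, which tell you who is knocking but not that anything got through.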

Choose the networks your IDS will protect

First, open the WebUI and go to “Services|Intrusion Detection”. The page shows little at this point, since the IDS is not running yet.

Second, choose the network interfaces on which the IDS should be active. You will usually want to enable it at least on the RED interface, so that it watches for attacks from the internet, but internal networks such as GREEN and BLUE can be monitored as well.

The more networks you select, the more system resources the IDS will need later. Also note that the rules you activate in the next step apply to all selected networks alike.

Hit “Save” after you made your choice.

Download the rule database

Choose the rule source you want to use from the dropdown box and, if the source requires registration, enter your registration code in the input field. Again, hit “save” for the changes to take effect.

Then download the ruleset by clicking on “download new ruleset”. This may take a while; the time depends on the speed of your internet connection and on the clock speed of your CPU, which has to unpack and process the rules.

Choose rules

This part is the most difficult: you need to decide which rules should be active.

That decision depends on your network: the operating systems in use, the services you run and the protocols you use. Refer to the homepage of your rule source for information on what the individual rule categories are meant to detect.

Some rules are based on blacklists (such as the Emerging Threats CIArmy list) and fire because a certain IP address has a bad reputation for some reason. If such an address shows up in the log files, that does not necessarily mean it attacked your firewall, unless it also triggered other rules. Nevertheless, it is usually safe to enable blacklist-based rules: the lists are conservative most of the time, so blocking a legitimate IP address is very unlikely.

Beyond that, no general recommendation can be given here; the right selection depends on your network.

Select the rules you want to be active by ticking their checkboxes, then hit the “update” button at the bottom of the page. The IDS will restart to apply the changes.

It is highly recommended that you also install and activate the Guardian Add-On, so that alerts actually result in blocked addresses rather than log entries only.

Further reading

configuration/services/ids.txt · Last modified: 2018/03/15 16:00 by Jon Murphy