En/3.0/Intrusion Detection System (IDS)
Zentyal integrates Snort (2), one of the most popular IDS, available for both Windows and Linux systems.
Configuring an IDS with Zentyal
Configuration of the Intrusion Detection System in Zentyal is very easy. You only have to enable or disable a number of elements. First, you have to specify which network interfaces you need IDS to listen on. After this, you can choose different groups of rules that will matched to the captured packets in order to obtain alerts, in case of positive results.
You can access both configuration options through the IDS menu. In this section, on the Interfaces tab, a table with all the configured network interfaces will appear. All of them are disabled by default due to the increased network latency and CPU consumption caused by the inspection of the traffic. However, you can enable any of them by clicking on the checkbox.
In the Rules tab you have a table preloaded with all the Snort rulesets installed on your system. A typical set of rules is enabled by default.
You can save CPU time disabling those rules you are not interested in, for example, those related to services not available in your network. If you have extra hardware resources you can also enable additional rules.
So far the basic operation of the IDS module has been described. This is not very useful by itself because you will not be notified when the system detects intrusions and security attacks against the network. As you are going to see, thanks to the Zentyal logs and events system, this notification can be made simpler and more efficient.
The IDS module is integrated with the Zentyal logs module so if the latter is enabled, you can query the different IDS alerts using the usual procedure. Similarly, you can configure an event for any of these alerts to notify the systems administrator.
For additional information, see the Logs chapter.