En/3.2/Intrusion Prevention System (IDS IPS)
Configuring an IDS/IPS with Zentyal
Configuration of the IDS/IPS System in Zentyal is very easy. First, you have to specify which network interfaces you need IDS/IPS to listen on. After this, you can choose different groups of filters that will be applied to the captured traffic in order to detect suspicious activity.
You can access both configuration options through the IDS/IPS menu. In this section, on the Interfaces tab, a table with all the configured network interfaces will appear. All of them are disabled by default due to the increased network latency and CPU consumption caused by the inspection of the traffic. However, you can enable any of them by clicking on the checkbox.
In the Rules tab you have a table preloaded with all the Snort rulesets installed on your system. A typical set of rules is enabled by default. From this interface you can choose if you want to just Log (Default), or Block or Log & Block the source of the suspicious traffic.
You can save CPU time disabling those rules you are not interested in, for example, those related to services not available in your network. If you have extra hardware resources you can also enable additional rules.
The IDS/IPS module is integrated with the Zentyal logs module so if the latter is enabled, you can query the different IDS alerts using the usual procedure. Similarly, you can configure an event for any of these alerts to notify the systems administrator.
For additional information, see the Logs chapter.