IPCop firewall part II: IDS(Snort) and Iptraf addon.


In this second part of the IPCop firewall tutorial, we’ll go over the IDS (Snort) and the Iptraf addon. I consider IPCop a robust firewall. One of its main features is the ability to detect attacks as they happen on the network (Snort); another good feature is its addon system, through which you can easily install many applications that are not included in the base IPCop installation, such as Iptraf, Dansguardian, OpenVPN and Asterisk, among others.
In this tutorial we’ll cover the following IPCop features and addons:

1- Setting up IPCop’s IDS(snort).
2- Installing Iptraf addon.

Intrusion Detection System (snort).
Setup:
IPCop contains a powerful intrusion detection system, Snort, which analyses the contents of packets received by the firewall and searches for known signatures of malicious activity. It does this by installing Snort rules that generate log entries telling you what attacks are happening on your network and where those attacks are coming from.
The first thing you need to do is enable the interface on which Snort will listen. For this tutorial we will enable the IDS only on the RED interface (keep in mind that Snort tends to consume about 50 MB of RAM for each interface you enable it on).
Next you need to get an Oink Code in order to download the Snort rules. For that you will need to register with Snort; once you are logged in, click the Get Code button to create your Oink Code.
Once you have your code, paste it in the appropriate box to download the Snort rules. These rules detect what kind of intrusion attempts are happening on your network, and the matches will show under the IDS Logs tab.
Reviewing the IDS logs:
The logs page shows incidents detected by the IPCop Intrusion Detection System. Each detected incident consists of a number of items:
– Date
– Name: a description of the incident.
– Priority (if available): the severity of the incident, graded as 1 (bad), 2 (not so bad), 3 (possibly bad).
– IP Info: the addresses and ports of the source and target involved in the incident. Each IP address is a hyperlink which can be used to perform a DNS lookup and obtain available information about its registration and ownership.
– Reference: hyperlinked URLs to any available sources of information about this incident.
– SID: the Snort ID number.

Analysing the IDS logs is an important part of protecting your network. From them you can gather information about the attacker (source IP, port, and the company that registered the IP) and devise a plan to further protect your network, such as blocking an entire IP range that is attacking you. You also get a good idea of which services are under attack.
Note: keep in mind that while analysing the logs you may encounter “false positives”, which are rules triggered by applications that aren’t necessarily attacking your network.
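The triage described above, as an added example that is not part of the original post or of IPCop itself: it parses a few constructed alert lines in Snort’s single-line “alert_fast” format (an assumption, since IPCop shows the same fields in its IDS Logs web table) and aggregates them by priority, source address and targeted service.

```python
import re
from collections import Counter

# Matches Snort's one-line "alert_fast" output; port suffixes are optional (ICMP has none).
FAST_RE = re.compile(
    r"^(?P<date>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<name>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts (documentation addresses, made-up SIDs and rule names).
SAMPLE_ALERTS = """\
12/26-10:11:12.123456  [**] [1:1000001:1] WEB-MISC example probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:51234 -> 198.51.100.5:80
12/26-10:11:13.000001  [**] [1:1000001:1] WEB-MISC example probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:51235 -> 198.51.100.5:80
12/26-10:12:40.500000  [**] [1:1000002:2] SCAN example portscan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.77:40000 -> 198.51.100.5:22
12/26-10:15:01.250000  [**] [1:1000003:1] ICMP example ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 198.51.100.5
"""

def parse_alerts(text):
    """Return one dict per parseable alert line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["priority"] = int(e["priority"])
        e["sid"] = int(e["sid"])
        events.append(e)
    return events

def summarize(events):
    """Aggregate the way the IDS log is triaged: worst priority first, then recurring
    sources (candidates for a block) and recurring destination ports (services under attack)."""
    by_src = Counter(e["src"] for e in events)
    by_dport = Counter(f"{e['proto']}/{e['dport']}" for e in events if e["dport"])
    by_sid = {}
    for e in events:
        s = by_sid.setdefault(e["sid"], {"name": e["name"], "priority": e["priority"], "count": 0})
        s["count"] += 1
    ordered = sorted(({"sid": sid, **s} for sid, s in by_sid.items()),
                     key=lambda s: (s["priority"], -s["count"]))
    return {"by_src": by_src, "by_dport": by_dport, "by_sid": ordered}

if __name__ == "__main__":
    summary = summarize(parse_alerts(SAMPLE_ALERTS))
    for sig in summary["by_sid"]:
        print(f"priority {sig['priority']}  sid {sig['sid']}  x{sig['count']}  {sig['name']}")
    print("top sources:", summary["by_src"].most_common(3))
    print("targeted services:", summary["by_dport"].most_common(3))
```

A signature that fires repeatedly from one of your own hosts toward a service you know is legitimate is the typical false positive the note above warns about; check the Reference URL for the SID before acting on it.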

Installing Iptraf addon:
Iptraf is an ncurses-based IP LAN monitor that generates various network statistics, including TCP info, UDP counts, ICMP and OSPF information, Ethernet load info, nodes, IP checksum errors, and others. In order to install Iptraf, as well as many other addons available for IPCop, you’ll first have to install the Addon Server MOD, which can be downloaded from here.
For a list of all the addons available for IPCop, visit the IPCop addons page here.

For this tutorial I’m using Windows as the client machine to connect to IPCop and do the install, so there are a couple of things you’ll need:
1- Putty
2- Winscp or Filezilla

click here to watch video


2 thoughts on “IPCop firewall part II: IDS(Snort) and Iptraf addon.”

  1. admin Post author

    Did you register with Snort and go to their website to download the rule set? Once you download the rules, click Save first and then Apply.

  2. nam

    yes, I registered.
    At first, after installing IPCop v1.4.20, I set up the IDS. I configured the IDS the same as you, and I had a message “HTTP::Response=HASH->code registered md5”.
    When I replaced `my $rulesbranch="2.6";` with `my $rulesbranch="2.8";`, finished the download and clicked Apply, I had the message “snort failure to start”.
