IDS/IPS (Intrusion Detection / Prevention)?

I bought the Flint2 and am looking for where any IDS/IPS functionality might be buried. I came across this old thread that seems to confirm that IPS was forthcoming (in 2021), but I can't find it anywhere in the WebUI. Happy to go to LUCI if needed, but I was under the impression there's a native way to configure it in the GL.Inet web UI.

I am not an expert on the subject, yet my understanding is that LuCI (the OpenWrt UI) indeed does not have an IDS (Snort3) interface.

If you do utilize the pfSense firewall, there is a UI for Snort3.

You can read about Snort for OpenWrt here: OpenWrt & Snort

I had posted about the Snort3 package within the GL.iNet repository not being the latest release offered.

However, you read my mind somehow, for I was thinking yesterday whether it is possible for GL.iNet to build their own Snort3 UI, as a special feature within the router, outside of LuCI.

2 Likes

Using pfSense or OPNsense is of course an alternative solution -- thanks for bringing it up. I am using OPNsense in a different household and it works well, but I was hoping that GL.iNet would have a native solution for this, especially since @alzhao was mentioning in 2021 (in the linked thread above) that they would offer it in firmware 4.x.

Did some work on Snort and it works well. But the config is complicated. So I need more time to plan.

2 Likes

Thank you for the response. Let me know if you need any testers for the Flint 2 for this.

I would not run Snort on the router. That is my personal opinion on this topic; I know it is technically possible.

Someday I will have my setup; then I will start with port mirroring. All traffic goes to one host which does the analysis, and maybe triggers the actions...

Various solutions for OpenWrt are discussed here: How to implement Traffic monitoring (with iptables, port mirroring, etc) - Installing and Using OpenWrt - OpenWrt Forum

The port mirroring is more reporting/detection, not prevention, correct? If going the route of a separate host, I think the best solution is to build an OPNsense/pfSense router that has all of this functionality out of the box, and use the GL.iNet just as an AP at that point.

Port mirroring sends a copy of the defined traffic to another destination. What you do with this copy is up to you.

And if you do a Snort analysis, you have an IDS (Intrusion Detection System) with the full power of a system, instead of the limited power of your router.
If you want to build an IPS (Intrusion Protection System), you'll need a back channel. Something like an API would be ideal, to trigger a block.

An IDS without IPS is pretty useless, that's right.

Of course, if someone blocks the traffic, the IPS is useless as well. But if an attacker is in your LAN and able to block an API request, I think you will have other problems as well.

Again: I would not claim that this is the only or the best way to achieve higher network security. But I see more advantages in a standalone central (and maybe redundant) Snort instance.

1 Like
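As an added illustration of the back channel described in the post above (example code, not from this thread, GL.iNet or the Snort project): a small script on the analysis host reads Snort 3 `alert_json` lines, ignores sources inside the LAN or on a never-block list so a noisy or spoofed alert cannot lock out the gateway or the analysis host itself, and renders the `nft` commands the router side of the back channel would run. The alert lines, the 192.168.8.0/24 LAN, and the nft set name `snort_block` are constructed assumptions.

```python
import ipaddress
import json

# Constructed sample lines in the shape of Snort 3 "alert_json" output (not real alerts;
# the rule IDs are in the local 1000000+ range and the messages are made up).
SAMPLE_ALERTS = [
    '{"timestamp":"01/02-10:00:01.000000","action":"allow","priority":1,"proto":"TCP",'
    '"src_ap":"203.0.113.7:51234","dst_ap":"192.168.8.10:22","rule":"1:1000001:1","msg":"LOCAL ssh probe"}',
    '{"timestamp":"01/02-10:00:02.000000","action":"allow","priority":3,"proto":"UDP",'
    '"src_ap":"192.168.8.1:53","dst_ap":"192.168.8.10:41000","rule":"1:1000002:1","msg":"LOCAL dns anomaly"}',
    '{"timestamp":"01/02-10:00:03.000000","action":"allow","priority":1,"proto":"TCP",'
    '"src_ap":"203.0.113.7:51235","dst_ap":"192.168.8.10:23","rule":"1:1000001:1","msg":"LOCAL ssh probe"}',
    '{"timestamp":"01/02-10:00:04.000000","action":"allow","priority":1,"proto":"TCP",'
    '"src_ap":"192.168.8.50:4444","dst_ap":"198.51.100.9:80","rule":"1:1000003:1","msg":"LOCAL lan host probe"}',
]


def parse_alert(line):
    """Return (source IP, priority, msg) for one alert_json line, or None if it is malformed."""
    try:
        rec = json.loads(line)
        host = rec["src_ap"].rsplit(":", 1)[0].strip("[]")  # drop the port; keeps IPv6 intact
        return ipaddress.ip_address(host), int(rec.get("priority", 4)), rec.get("msg", "")
    except (ValueError, KeyError, AttributeError, TypeError):
        return None


def decide_blocks(lines, lan_nets, never_block, max_priority=1):
    """Unique external source IPs whose alert priority is max_priority or more severe
    (Snort priority 1 is the most severe). LAN sources and never_block addresses are
    skipped: the back channel must not be able to block the gateway or the IDS host."""
    lan = [ipaddress.ip_network(n) for n in lan_nets]
    safe = {ipaddress.ip_address(a) for a in never_block}
    blocks = []
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue
        src, prio, _msg = parsed
        if prio > max_priority or src in safe or any(src in net for net in lan):
            continue
        if str(src) not in blocks:  # de-duplicate repeated alerts from the same source
            blocks.append(str(src))
    return blocks


def nft_block_commands(ips, set_name="snort_block"):
    """Commands the router side would execute; assumes an existing set in OpenWrt's inet fw4 table."""
    return [f"nft add element inet fw4 {set_name} {{ {ip} }}" for ip in ips]


if __name__ == "__main__":
    for cmd in nft_block_commands(decide_blocks(SAMPLE_ALERTS, ["192.168.8.0/24"], ["192.168.8.1"])):
        print(cmd)
```

How the commands reach the router (SSH, a small HTTP API, or a shared file) is the part the post above leaves open; the script only decides what to block and renders the rule.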