Hello,
there are two security vulnerabilities in IPFire's IDS/IPS (snort/Guardian) which I consider quite critical:
(a) Guardian does not block malicious destination IP addresses
As described in bug #11532, it is possible to access a "bad" IP address (C&C server, Spamhaus DROP, Dshield, and others) on the internet from an internal network behind IPFire.
This is because Guardian only looks at the source IP of a snort alert, and in this case, it is the firewall's IP, which should not be blocked for obvious reasons.
There is little chance that an admin will notice that the IPS is only working in the case of inbound attacks, since snort triggers an alert correctly.
Could someone (maintainer?) have a look at Guardian and fix this? Unfortunately, my programming skills are too little for this job. :-|
(b) Snort does not detect internal attacks
As described in bug #10273 (which was reported back in 2012), the IDS is fully working on RED only. Although it can be turned on for GREEN, BLUE and ORANGE, too, it does not capture any attacks in internal networks.
This can hardly be examined from the WebUI either, since it shows snort being up and running on GREEN and the others.
Changing this would also allow blocking an infected PC in a local network that is spreading malware. On RED, the internal IP is already NATted.
Maybe Guardian can be configured so it shows a big warning in case of blocked local IPs (internal networks should be clean), but this is kind of a feature request.
See also:
* https://bugzilla.ipfire.org/show_bug.cgi?id=10273
* https://bugzilla.ipfire.org/show_bug.cgi?id=11532
(Thanks again to Michael for enabling HTTPS with trusted certificates.)
One question left: If there are attacks from a network connected via VPN, where are they captured by snort? On RED?
I hate bringing up bugs like this - and hope I did not harm anybody :-) - but since this has a security impact, it seems okay to me.
Thanks and best regards, Peter Müller
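As an added example (not code from this mail, nor from IPFire or Guardian), the destination-aware block decision that point (a) asks for, run over constructed snort alerts in the assumed "fast" alert format; the function names, the RED address 198.51.100.7 and the internal network 192.168.1.0/24 are assumptions for the illustration, and the warning for blocked internal hosts follows the feature request in the mail.

```python
import ipaddress
import re

# Snort "fast" alert layout, assumed here; Guardian's real parser is not shown on the page.
ALERT_RE = re.compile(r"\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[\*\*\].*?"
                      r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?")

def parse_alert(line):
    """Return sid/msg/proto/src/dst of one alert line, or None if it does not match."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None

def choose_block_target(alert, firewall_ips, internal_nets):
    """Return (ip_to_block, warning_or_None) for one parsed alert.

    Source-only logic (the behaviour described in (a)) would always pick alert["src"].
    Here the firewall's own address is never a candidate, and outbound alerts
    block the remote destination instead of the local source.
    """
    src, dst = ipaddress.ip_address(alert["src"]), ipaddress.ip_address(alert["dst"])
    fw = {ipaddress.ip_address(i) for i in firewall_ips}
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    is_local = lambda ip: ip in fw or any(ip in n for n in nets)

    if src in fw:
        # Firewall (or a NATted client behind it) reached a bad destination: block that.
        return str(dst), None
    if is_local(src) and not is_local(dst):
        # Internal host talking out to a bad address: block the remote side, flag the host.
        return str(dst), f"internal host {src} contacted {dst}; check it for malware"
    if is_local(src):
        # Internal-to-internal alert (only visible once (b) is fixed): block the source, warn loudly.
        return str(src), f"blocking internal host {src}; internal networks should be clean"
    return str(src), None  # classic inbound attack: block the external source

def process_alerts(lines, firewall_ips, internal_nets):
    """Map every parsable alert line to its (block_ip, warning) decision."""
    return [choose_block_target(a, firewall_ips, internal_nets)
            for a in map(parse_alert, lines) if a]

# Constructed sample alerts (not real IPFire output); 198.51.100.7 is the assumed RED address.
SAMPLE_ALERTS = [
    "01/02-12:00:01.000000  [**] [1:2000001:1] EXAMPLE CnC beacon [**] [Priority: 1] {TCP} 198.51.100.7:51522 -> 203.0.113.45:443",
    "01/02-12:00:02.000000  [**] [1:2000001:1] EXAMPLE CnC beacon [**] [Priority: 1] {TCP} 192.168.1.23:50000 -> 203.0.113.45:443",
    "01/02-12:00:03.000000  [**] [1:2000002:1] EXAMPLE SMB worm spread [**] [Priority: 1] {TCP} 192.168.1.23:49876 -> 192.168.1.50:445",
    "01/02-12:00:04.000000  [**] [1:2000003:1] EXAMPLE SSH brute force [**] [Priority: 2] {TCP} 203.0.113.99:4444 -> 198.51.100.7:22",
]

if __name__ == "__main__":
    for ip, warning in process_alerts(SAMPLE_ALERTS, ["198.51.100.7"], ["192.168.1.0/24"]):
        print(ip, "|", warning)
```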