Intrusion prevention on firewall

Hi all,

Currently I’m searching for the best way to integrate an IPS system on MikroTik without using any other hardware. I’ve searched the forums and found that most people are using Snort. Today I found a very interesting site, http://cipherdyne.org/fwsnort/. The main idea is to translate Snort rules into iptables rules, which of course could be used on MikroTik too. You can also find info on that site about some security issues with using Snort or other software as an IPS.
So I just wanted to hear your opinion about that, and maybe someone is already using this technique?

Hi Alpha,

I have some experience implementing IDS/IPS on MikroTik. After some time I tried to bring what Snort has to MikroTik, but I had no idea how, so I am doing it a different way. I built my IDS in MikroTik with the firewall, scripts and the scheduler.
All of my MikroTik routers, which are usually on my clients’ side, will email me if attacked by an intruder and give me information about my router name, the kind of attack (port scan, FTP or SSH brute force), and the IP of the attacker.
I use a simple method: just detect the malicious connection, put the attacker’s IP on an address list, and a script sends this information to me by SMTP mail. So I do not have to check my routers one by one.
Apologies if my answer did not satisfy you; I just share my experience in case it is useful for you.
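The method described in the post above (detect, add the source to an address list, then have a scheduled script mail the list), written out as an added RouterOS example; this is not the poster’s own script. It assumes SMTP settings are already configured under /tool e-mail, and the recipient address and the thresholds are placeholders to adjust.

```routeros
# --- Detection: SSH brute force via staged address lists (input chain) ---
# Each new SSH connection moves the source one stage further; four new
# connections within a minute land it on ssh_blacklist for a day.
/ip firewall filter
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_blacklist action=drop comment="drop SSH brute-forcers"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=1d
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_stage3 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m

# --- Detection: port scans via the psd matcher (weight threshold 21, 3s window) ---
add chain=input protocol=tcp psd=21,3s,3,1 \
    action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=2w comment="detect TCP port scans"
add chain=input src-address-list=port_scanners action=drop

# --- Reporting script: mails router name, attack type and attacker IPs ---
# Script source (paste into /system script add name=report-attackers source=...).
:local body "";
:foreach i in=[/ip firewall address-list find list=ssh_blacklist] do={
    :set body ($body . "SSH brute force: " . [/ip firewall address-list get $i address] . "\n");
}
:foreach i in=[/ip firewall address-list find list=port_scanners] do={
    :set body ($body . "Port scan: " . [/ip firewall address-list get $i address] . "\n");
}
# Only send when something was actually detected.
:if ([:len $body] > 0) do={
    /tool e-mail send to="admin@example.com" \
        subject=("IDS report from " . [/system identity get name]) body=$body;
}

# --- Scheduler: run the report every hour ---
/system scheduler add name=report-attackers interval=1h on-event=report-attackers
```

The staged lists expire on their own, so a legitimate admin who mistypes a password a couple of times is not blacklisted; only the final stage lasts a day.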

Hi,

Thanks for sharing your experience! You use quite a different approach to the problem, but I think it’s also OK. I’m also thinking about a Metarouter with OpenWRT on it running Snort. Then I could direct all traffic to the Metarouter, but I’m a little bit afraid of performance issues.

Hi,
I have developed an IDS/IPS system for RouterOS.
It is here: http://sourceforge.net/projects/mt-fw-attack/

You need a Linux machine to compile and run it.
It collects syslog messages from your RouterOS device (there are instructions on how to use it) and adds the attackers to an address list which you can use to block them.