IDS/IPS

Intrusion Detection Systems

Fantastic tools that can make detection easy. They can look at logs of various kinds and use rule sets to react and alert to any traffic that violates those rules. Open source IDS tools have huge public rule sets both included with the tool and available across the internet. It is my opinion that open source IDS products offer superior detection capability to the premium products on the market due to the power of the community behind the tools and their public sharing of detection rules.

A solution that combines intrusion detection (IDS), intrusion prevention (IPS), network security monitoring (NSM) and PCAP processing, Surricata can quickly identify, stop, and assess the most sophisticated attacks. Truly a fantastic detection engine, it has quickly become a popular choice for IDS functions built into other products, such as the IDS function of Ubiquiti products.

One of the most powerful detection tools on the market Snort has three primary uses: As a packet sniffer like tcpdump, as a packet logger — which is useful for network traffic debugging, or it can be used as a full-blown network intrusion prevention system.

Writing a SNORT Rule

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node29.html https://blog.rapid7.com/2016/12/09/understanding-and-configuring-snort-rules/ A standard rule is broken down as follows: • [action] • [protocol] • [ip address] – source • [port number] – source • [direction options] • [ip address] – destination • [port number] – destination • [general options] • [detection options] Actions • alert generates an alert and logs the packet • log logs the packet • pass ignores the packet • drop blocks and logs the packet • reject blocks the packet, logs it and then sends a TCP Reset or ICMP Port Unreachable Protocol • TCPUDPICMPIP IP address • any – a wildcard for any IP address • 10.10.10.23 – any single valid IP address • 10.10.10.0/24 – CIDR notation for block ranges • !192.168.0.1/24 – prefixing this field with an exclamation mark means ‘NOT’ • [192.168.1.1,192.168.1.2,192.168.1.3] – comma-separated lists can use the previous syntax Port • any – a wildcard for any port • 443 – any single port number • 1:1024 – port range • [443, 447, etc..] - listing multiple specific ports Direction • <> bidirectional • -> unidirectional General Options • msg is the message that displays in the log/alert • sid is a unique numerical identifier that identifies the rule and has several reserved ranges • rev annotates the revision of a rule • classtype is used to categorise and group common rules and has many defaults Detection options - This set of key:value pairs instructs the scanning engine to detect specific data within packets. • Content - The content keyword forms the core of the rule detection. It can include text, binary data or a mixture of the two. It is important to keep in mind that content keywords are case sensitive. ◇ content: "This is a string of text";content: "|68 65 6c 6c 6f|";content: "Hello |77 6f | rld";content: !"Not this one"; View only certin number of Bytes • depth:3; Starting point for search • offset:20;

Last updated