
Exercise 36: Configuring and Testing IDS/IPS Systems

Mar 20, 2025

Objective

Install and configure an Intrusion Detection and Prevention System (IDS/IPS) using Snort or Suricata. Create custom rules to detect and block malicious traffic patterns, simulate attacks, and verify detection and prevention through log analysis.


Scenario

As a security engineer, you’re tasked with implementing an IDS/IPS solution to monitor and protect the organization’s network. In this exercise, you’ll install and configure Snort or Suricata, create custom detection rules, simulate malicious traffic, and verify the system’s effectiveness in detecting or blocking threats.

⚠️ Important: This exercise should only be performed in a legal and controlled lab environment. Unauthorized network scanning or intrusion attempts are illegal and unethical.


Lab Instructions

Step 1: Install IDS/IPS System

a. Install Snort (Ubuntu Example)

sudo apt update
sudo apt install snort -y
  • The package installer (debconf) asks for the interface to monitor (e.g., eth0) and the home network (e.g., 192.168.1.0/24). Afterwards verify that HOME_NET in /etc/snort/snort.conf (the ipvar HOME_NET line) covers the hosts you want to protect: every rule below matches on $HOME_NET, and if it is left as any the rule fires on SYNs in either direction.

b. Install Suricata (Alternative Option)

sudo apt update
sudo apt install suricata -y
  • Verify the installation:
suricata --build-info

Step 2: Configure IDS/IPS Rules

a. Define Custom Detection Rule (Snort Example)

  • Edit the local rules file (the stock snort.conf already includes it):
sudo nano /etc/snort/rules/local.rules
  • Add a rule to detect Nmap scans:
alert tcp any any -> $HOME_NET any (msg:"Nmap Scan Detected"; flags:S; threshold:type both, track by_src, count 20, seconds 3; sid:1000001; rev:1;)
  • Explanation: flags:S matches TCP packets with only the SYN flag set (new connection attempts), and the threshold option turns 20 such packets from one source (track by_src) within 3 seconds into a single alert per window (type both), which is what a port scan looks like and what a normal client rarely does. Two caveats: any host that opens 20 connections in 3 seconds (a busy web client, a load-balancer health check) trips it too, so tune count/seconds to your traffic; and in Snort 2.9 the rule-level threshold keyword is deprecated in favour of detection_filter (with event_filter in threshold.conf), although it still loads. Custom rules use sid values from 1000000 upwards so they do not collide with distributed rule sets.

b. Define Custom Rule (Suricata Example)

  • Edit the custom rules file:
sudo nano /etc/suricata/rules/custom.rules
  • Add a rule to detect Nmap scans (Suricata supports the same threshold syntax):
alert tcp any any -> $HOME_NET any (msg:"Nmap SYN Scan Detected"; flags:S; threshold:type both, track by_src, count 20, seconds 3; sid:1000001; rev:1;)
  • Include the custom rules in the configuration:
sudo nano /etc/suricata/suricata.yaml
  • Find the existing default-rule-path and rule-files entries and add custom.rules to the list. Keep whatever default-rule-path the package set (commonly /etc/suricata/rules or /var/lib/suricata/rules); file names in rule-files are resolved relative to it, so put custom.rules there or use an absolute path, and do not remove the entry for the distributed rule set:
default-rule-path: /etc/suricata/rules
rule-files:
  - suricata.rules
  - custom.rules
  • In the same file set HOME_NET under vars: address-groups: to your lab network, then validate before starting: suricata -T -c /etc/suricata/suricata.yaml parses the configuration and every rule file and exits non-zero on an error.
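The threshold option is the only part of the rule that is not a plain packet match, and it is easy to misjudge how many alerts it produces. The following is an added example, not code from the page or from the Snort or Suricata projects: a small model of the threshold semantics (all three types, tracked by source) replayed over constructed SYN traffic, so you can see what the rule above fires on, and what it fires on that it should not, before putting it on a sensor. The traffic and the host addresses are made up for the illustration.

```python
"""Model of the rule-level threshold option (threshold:type <limit|threshold|both>,
track by_src, count N, seconds S) used in the Snort/Suricata rules above.

Added example, not code from the page or from either project. It replays
constructed SYN events through the semantics the Snort manual documents:
  limit      - alert on the first N matches per source in each S-second window
  threshold  - alert on every Nth match per source within the window
  both       - alert once per window, on the match that reaches N, then stay quiet
The per-source windows are a simplification of the engines' internal state,
but enough to see what the rule fires on before deploying it."""
from collections import namedtuple

# A packet reduced to what the rule tracks: timestamp, source IP, destination port.
Syn = namedtuple("Syn", "ts src dport")


class RuleThreshold:
    """Per-source (track by_src) state for one rule's threshold option."""

    def __init__(self, kind, count, seconds):
        if kind not in ("limit", "threshold", "both"):
            raise ValueError(f"unknown threshold type {kind!r}")
        self.kind, self.count, self.seconds = kind, count, seconds
        self._windows = {}  # src -> (window_start, matches_in_window)

    def observe(self, pkt):
        """Feed one matching packet (in time order); return True if it raises an alert."""
        start, n = self._windows.get(pkt.src, (None, 0))
        if start is None or pkt.ts - start >= self.seconds:
            start, n = pkt.ts, 0  # first packet from this source, or window expired
        n += 1
        self._windows[pkt.src] = (start, n)
        if self.kind == "limit":
            return n <= self.count
        if self.kind == "threshold":
            return n % self.count == 0
        return n == self.count  # "both": exactly once per window


def run_rule(packets, kind="both", count=20, seconds=3):
    """Apply the rule to time-ordered packets; return the (ts, src) pairs that alerted."""
    rule = RuleThreshold(kind, count, seconds)
    return [(p.ts, p.src) for p in packets if rule.observe(p)]


# Constructed traffic, not a capture:
# 10.0.0.5 - an Nmap-style sweep: 1000 SYNs to distinct ports in about one second.
SCAN = [Syn(100.0 + i * 0.001, "10.0.0.5", 1 + i) for i in range(1000)]
# 10.0.0.9 - a browser opening six HTTPS connections over five seconds.
BROWSER = [Syn(100.0 + i * 0.8, "10.0.0.9", 443) for i in range(6)]
# 10.0.0.7 - a busy client opening 25 connections in two seconds; it trips the
# rule as well, which is the false-positive cost of counting raw SYNs.
BUSY = [Syn(100.0 + i * 0.08, "10.0.0.7", 443) for i in range(25)]

if __name__ == "__main__":
    for name, traffic in (("scan", SCAN), ("browser", BROWSER), ("busy", BUSY)):
        alerts = run_rule(traffic)
        print(f"{name}: {len(alerts)} alert(s) {alerts}")
    print("limit:", len(run_rule(SCAN, kind="limit")),
          "threshold:", len(run_rule(SCAN, kind="threshold")))
```

With type both the thousand-probe scan yields a single alert per 3-second window, which is what you want in the log; switching the same rule to type limit gives 20 alerts and type threshold gives 50, so the choice of type decides your alert volume as much as count does. The busy client shows why count/seconds must be tuned to real traffic rather than copied from an exercise.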

Step 3: Start the IDS/IPS

a. Start Snort

  • Test the configuration first (snort -T with the same -c exits non-zero on a rule or configuration error), then run in the foreground with alerts printed to the terminal:
sudo snort -A console -q -c /etc/snort/snort.conf -i eth0
  • To write alerts to the file read in Step 5 instead, use fast alert mode and name the log directory:
sudo snort -A fast -q -c /etc/snort/snort.conf -i eth0 -l /var/log/snort

b. Start Suricata

  • The packaged service takes its capture interface from the af-packet section of /etc/suricata/suricata.yaml (and, on Debian/Ubuntu, from /etc/default/suricata); make sure it names the interface you want to monitor, then start and enable it:
sudo systemctl start suricata
sudo systemctl enable suricata

Step 4: Simulate Malicious Traffic

a. Perform a Port Scan with Nmap

  • On a different machine, run:
sudo nmap -sS <target-ip>
  • Expected Result: the IDS/IPS should detect and log the scan. A default SYN scan probes 1,000 TCP ports, normally within a few seconds, so it exceeds the rule's 20 SYNs in 3 seconds by a wide margin; because the threshold is type both, expect one alert per 3-second window per source, not one per probe.

b. Simulate Exploits with Metasploit (Optional)

  • Start Metasploit on the attacker machine:
msfconsole
  • Run a known exploit to test detection.

Step 5: Analyze Detection Logs

a. Review Snort Logs

  • With -A console the alerts appear on Snort's terminal; with -A fast -l /var/log/snort they are appended to the alert file:
sudo tail -f /var/log/snort/alert
  • Look for entries like:
[**] [1:1000001:1] Nmap Scan Detected [**]

b. Review Suricata Logs

sudo tail -f /var/log/suricata/fast.log
  • Expected log entry:
01/19/2024-14:32:45 [**] [1:1000001:1] Nmap SYN Scan Detected [**]
  • Suricata also writes the same alerts, with packet and flow details, as one JSON object per line to /var/log/suricata/eve.json, which is the better source for scripted analysis.

Step 6: Enable Prevention Mode (IPS)

a. Enable Inline Mode (Snort)

  • Changing the rule action is necessary but not sufficient: Snort 2 only honours drop when it runs inline (-Q) on a DAQ that can discard packets, such as afpacket bridging two interfaces, so the sensor must sit in the path between attacker and target. First change the action of the custom rule in the local rules file (snort.conf only includes it):
sudo nano /etc/snort/rules/local.rules
drop tcp any any -> $HOME_NET any (msg:"Nmap Scan Blocked"; flags:S; threshold:type both, track by_src, count 20, seconds 3; sid:1000001; rev:2;)
  • Stop the IDS instance from Step 3, then start Snort inline, bridging eth0 and eth1 (adjust the interface names to your lab):
sudo snort -Q --daq afpacket -i eth0:eth1 -c /etc/snort/snort.conf -A console
  • Restarting the packaged service (sudo systemctl restart snort) only gives IPS behaviour if that service is itself configured to run with -Q and an inline DAQ; otherwise it reloads the drop rule but keeps alerting passively.

b. Enable Inline Mode (Suricata)

  • Suricata likewise needs an inline capture method before drop has any effect (check suricata --build-info for NFQueue support). For a single-host lab the simplest is NFQUEUE: divert the target's inbound traffic to queue 0 with iptables and run Suricata in queue mode:
sudo iptables -I INPUT -j NFQUEUE --queue-num 0
sudo suricata -c /etc/suricata/suricata.yaml -q 0
  • Remove the iptables rule whenever Suricata is not running: packets sent to a queue with no listener are dropped, which takes the host off the network.
  • The alternative is AF_PACKET IPS mode: in the af-packet section of suricata.yaml set copy-mode: ips and copy-iface to pair eth0 with a second interface, then run Suricata with --af-packet:
sudo suricata -c /etc/suricata/suricata.yaml --af-packet
  • Change the action of the custom rule in custom.rules from alert to drop (bumping rev to 2 as above) and restart Suricata.
  • Verify that malicious traffic is now blocked instead of just logged.

Step 7: Verify Mitigation

  • Re-run the Nmap scan from the attacker machine.
  • Confirm that the scan is detected and dropped: Suricata marks blocked packets with [Drop] in fast.log, and Nmap's view should change, with ports reported as filtered instead of open or closed because the SYN never reaches the target.
  • Because the threshold option gates when the rule fires, check in the log and in Nmap's output whether only the SYN that crossed the count was dropped or every later SYN in the window; if most ports still come back open or closed, the rule is reporting the scan rather than stopping it, and a rule without threshold (or a host-level rate limit) is needed for real prevention.
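Tailing the log is fine for a lab, but both the log review in Step 5 and the "was it actually dropped?" check in Step 7 are quicker when the fast-format lines are parsed and counted. The following is an added example, not code from the page or from either project: a parser for the one-line fast format Snort 2 and Suricata write, with a summary per rule and source that separates Suricata's [Drop] entries from plain alerts. The sample lines are constructed (one of them is a hit on the stock GPL rule sid 2100498, to show a non-custom alert), and the regular expression handles IPv4 addresses only.

```python
"""Parse fast-format alert lines from Snort 2 (<logdir>/alert with -A fast) and
Suricata (/var/log/suricata/fast.log) and summarise them per rule and source.

Added example, not code from the page or from either project. Suricata prefixes
packets it blocked in IPS mode with [Drop] (and [wDrop] when a drop rule ran in
IDS mode); that marker is how the summary tells prevention from detection.
IPv4 only; the sample lines below are constructed."""
import re
import sys
from collections import Counter

FAST_LINE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?:\[(?P<action>w?Drop)\]\s+)?"          # present only for Suricata drops
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[A-Za-z0-9]+)\}\s+"       # skips Classification/Priority
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$"   # ports are absent for ICMP
)


def parse_fast_line(line):
    """Return a dict for one alert line, or None if the line is not an alert."""
    m = FAST_LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "sport", "dport"):
        d[k] = int(d[k]) if d[k] is not None else None
    d["action"] = d["action"] or "alert"
    return d


def parse_fast_log(text):
    """Parse a whole log, silently skipping lines that are not alerts."""
    events = (parse_fast_line(line) for line in text.splitlines())
    return [e for e in events if e]


def summarize(events):
    """Count alerts per (sid, source) and split IPS drops from plain alerts."""
    by_sid_src = Counter((e["sid"], e["src"]) for e in events)
    dropped = sum(1 for e in events if e["action"] == "Drop")
    return {"by_sid_src": by_sid_src, "dropped": dropped,
            "alerted": len(events) - dropped}


# Constructed sample: three Suricata alerts, one Suricata [Drop] from IPS mode,
# one Snort 2 fast-alert line (no Classification field), and one junk line.
SAMPLE_FAST_LOG = """\
01/19/2024-14:32:45.118201  [**] [1:1000001:1] Nmap SYN Scan Detected [**] [Classification: (null)] [Priority: 3] {TCP} 10.0.0.5:54321 -> 192.168.1.10:22
01/19/2024-14:32:48.201337  [**] [1:1000001:1] Nmap SYN Scan Detected [**] [Classification: (null)] [Priority: 3] {TCP} 10.0.0.5:54321 -> 192.168.1.10:443
01/19/2024-14:33:02.000412  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:80 -> 10.0.0.9:50112
01/19/2024-14:35:10.773902  [Drop] [**] [1:1000001:2] Nmap SYN Scan Blocked [**] [Classification: (null)] [Priority: 3] {TCP} 10.0.0.5:40001 -> 192.168.1.10:25
01/19-14:36:01.551200  [**] [1:1000001:1] Nmap Scan Detected [**] [Priority: 0] {TCP} 10.0.0.7:33000 -> 192.168.1.10:80
this line is not an alert and is ignored
"""

if __name__ == "__main__":
    # Pass a path to summarise a real file; otherwise the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FAST_LOG
    summary = summarize(parse_fast_log(text))
    for (sid, src), n in summary["by_sid_src"].most_common():
        print(f"sid {sid} from {src}: {n}")
    print(f"alerted={summary['alerted']} dropped={summary['dropped']}")
```

Run it against /var/log/suricata/fast.log (or Snort's alert file) after the scan in Step 7: a dropped count of zero with sid 1000001 still climbing means the sensor is alerting, not blocking, and the inline setup needs another look. For anything beyond a lab, parse eve.json instead; the fast format carries no flow or payload context.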

Solution & Explanation

IDS vs. IPS

  • IDS (Intrusion Detection System): Monitors and alerts on malicious activity.
  • IPS (Intrusion Prevention System): Monitors, detects, and actively blocks malicious traffic.

Custom Rules

  • Rules define what patterns to detect or block.
  • Custom rules allow tailored detection based on the organization’s specific threat model.

Detection and Prevention

  • Alert Mode: Logs and alerts without interrupting traffic.
  • Prevention Mode: Actively drops or blocks malicious packets.

Testing & Verification

  • Detection Verification: Confirm alerts are generated for malicious activity.
  • Prevention Verification: Confirm malicious traffic is blocked.

Validate Logs

sudo cat /var/log/snort/alert
sudo cat /var/log/suricata/fast.log

Security Best Practices

  1. Regularly Update Rules: Download and apply updated rule sets (suricata-update for Suricata, PulledPork for Snort 2) and reload the sensor afterwards.
  2. Customize Rules: Create custom rules for specific threats.
  3. Log Analysis: Continuously monitor logs for suspicious activity.
  4. Segregate IDS/IPS Traffic: Use dedicated interfaces for monitoring.

Additional Script (Optional)

Automate Snort installation and basic configuration (Snort 2.x from the Debian/Ubuntu package):

#!/bin/bash
# Install Snort IDS and add the Nmap SYN-scan rule from Step 2
set -euo pipefail
sudo apt update
sudo apt install -y snort
# Single quotes keep $HOME_NET literal: Snort expands it, not the shell
RULE='alert tcp any any -> $HOME_NET any (msg:"Nmap Scan Detected"; flags:S; threshold:type both, track by_src, count 20, seconds 3; sid:1000001; rev:1;)'
# Append only if sid 1000001 is not already present, so re-running does not duplicate the rule
sudo grep -q 'sid:1000001;' /etc/snort/rules/local.rules || echo "$RULE" | sudo tee -a /etc/snort/rules/local.rules >/dev/null
# Validate configuration and rules before restarting the service
sudo snort -T -c /etc/snort/snort.conf
sudo systemctl restart snort

Save it as setup_snort.sh and run it:

chmod +x setup_snort.sh
./setup_snort.sh

Conclusion

In this exercise, you installed and configured Snort or Suricata, created custom detection rules, simulated malicious traffic, and verified that the IDS/IPS detected and blocked threats. Implementing IDS/IPS systems is critical for proactive network security and defense against attacks.
