Intrusion Detection Systems
Detect and prevent network-based attacks with IDS/IPS.
IDS vs IPS
| Feature | IDS | IPS |
|---|---|---|
| Action | Detect & Alert | Detect & Block |
| Placement | Passive (SPAN/mirror port or network TAP) | Inline (traffic must pass through the sensor) |
| Impact | None | Can block traffic |
| Risk | Missed attacks (it only alerts; nothing blocks) | False positives block legitimate traffic; an inline sensor failure can take the link down (fail-closed) |
Suricata Installation
# Debian/Ubuntu
# NOTE(review): distro packages can lag upstream releases; compare the
# version printed by --build-info with what your rulesets expect.
sudo apt install suricata
# Install rules
# suricata-update fetches the enabled rule sources (ET Open by default)
# over the network and writes the merged ruleset under the rule path
# (default-rule-path in suricata.yaml); it needs root for that directory.
sudo suricata-update
# Check version
# --build-info also lists compiled-in capture methods (AF_PACKET, NFQueue)
# that the IDS/IPS modes later on this page depend on.
suricata --build-info
Suricata Configuration
/etc/suricata/suricata.yaml
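vars:
  address-groups:
    # Keep HOME_NET to the prefixes you actually own/monitor. Because
    # EXTERNAL_NET is defined as !$HOME_NET, traffic between two HOME_NET
    # hosts matches neither side of a "$EXTERNAL_NET -> $HOME_NET" rule, so
    # lateral movement is only caught by rules written "any -> $HOME_NET"
    # (or by setting EXTERNAL_NET to "any").
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
  port-groups:
    # 8443 normally carries TLS; HTTP rules only see plaintext HTTP, so
    # listing the port here does not make encrypted traffic inspectable.
    HTTP_PORTS: "[80,8080,8443]"
    SHELLCODE_PORTS: "!80"
    SSH_PORTS: 22

# Directory that relative rule-files entries are resolved against
# (this is also where suricata-update writes suricata.rules).
default-rule-path: /var/lib/suricata/rules

# Least privilege: drop root once the capture socket is open. The account
# must exist before enabling this or Suricata will fail to start.
# run-as:
#   user: suricata
#   group: suricata

af-packet:
  - interface: eth0
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes

outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json   # relative to the log dir (/var/log/suricata below)
      # Each type is one event stream in the same NDJSON file; "files" logs
      # file metadata only (no content) unless file-store is configured.
      types:
        - alert
        - http
        - dns
        - tls
        - files
Running Suricata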
# Test configuration
# Always validate before (re)starting: -T parses suricata.yaml and every
# rule file and exits with an error instead of starting, so a bad rule
# cannot take the sensor down at restart time.
sudo suricata -T -c /etc/suricata/suricata.yaml
# Run in IDS mode
# Foreground run capturing on eth0. This stays root for its whole lifetime;
# for anything beyond a quick test set run-as in suricata.yaml (or pass
# --user/--group) so privileges are dropped once the capture socket exists.
sudo suricata -c /etc/suricata/suricata.yaml -i eth0
# Run as service
sudo systemctl enable suricata
sudo systemctl start suricata
# Check logs
# eve.json is newline-delimited JSON, one event per line (see "Alert
# Analysis" below for jq queries). It grows quickly -- rotate it.
tail -f /var/log/suricata/eve.json
Custom Rules
Rule Syntax
action protocol src_ip src_port -> dst_ip dst_port (options)
Actions: `alert` logs only; `drop` blocks (only meaningful in inline/IPS mode); `pass` exempts matching traffic; `reject` sends a TCP RST/ICMP unreachable. Give local rules `sid`s of 1000000 and above so they do not collide with vendor rulesets, and bump `rev` whenever a rule changes.
Example Rules
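# Detect SSH brute force
# This counts *connections* from one source, not failed logins (the sensor
# cannot see authentication results inside SSH), so any scripted client that
# opens >5 sessions a minute fires it. threshold type "both" alerts once when
# the count is reached and at most once per 60 s window, instead of every
# 5th connection. $SSH_PORTS keeps the rule in sync with port-groups.
alert ssh any any -> $HOME_NET $SSH_PORTS (msg:"SSH brute force attempt"; flow:to_server; threshold:type both, track by_src, count 5, seconds 60; sid:1000001; rev:2;)
# Detect outbound IRC
# Port-based only: C2 on any other port is missed, and non-IRC traffic on
# 6667 also fires. flow:established avoids alerting on bare SYN scans.
alert tcp $HOME_NET any -> any 6667 (msg:"Outbound IRC traffic"; flow:to_server,established; sid:1000002; rev:2;)
# Detect SQL injection
# Inspects the normalised request URI / POST body of established
# client->server HTTP rather than the raw payload (which would also match
# responses and page text), and requires SELECT to follow UNION. Still a
# coarse heuristic: expect false positives, and URL-encoded or comment-split
# variants need their own rules. http.uri / http.request_body are Suricata
# 5+ sticky buffers; on 4.x use the http_uri / http_client_body modifiers.
alert http any any -> $HOME_NET any (msg:"SQL Injection attempt (URI)"; flow:to_server,established; http.uri; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; sid:1000003; rev:2;)
alert http any any -> $HOME_NET any (msg:"SQL Injection attempt (POST body)"; flow:to_server,established; http.request_body; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; sid:1000004; rev:1;)
Add Custom Rules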
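# Create custom rules file
# Keep hand-written rules OUT of /var/lib/suricata/rules: that is
# suricata-update's output directory, so files placed there are at the mercy
# of the next update. /etc/suricata/rules/ is yours and survives updates.
sudo mkdir -p /etc/suricata/rules
sudo nano /etc/suricata/rules/local.rules
# Update suricata.yaml -- absolute path so the entry is not resolved under
# default-rule-path. Alternatively leave rule-files alone and let
# suricata-update merge your file into suricata.rules:
#   sudo suricata-update --local /etc/suricata/rules/local.rules
rule-files:
  - suricata.rules
  - /etc/suricata/rules/local.rules
# Validate first: a syntax error in local.rules is otherwise only discovered
# when the running sensor tries to reload.
sudo suricata -T -c /etc/suricata/suricata.yaml
# Reload rules (uses the unix socket; unix-command must be enabled in suricata.yaml)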
sudo suricatasc -c reload-rules
Snort Installation
# Debian/Ubuntu
# NOTE(review): the distro "snort" package is the Snort 2.9 line; the
# snort.conf syntax on this page targets that line (Snort 3 uses snort.lua).
sudo apt install snort
# Configure during install (debconf prompts; re-run with
# dpkg-reconfigure snort to change later):
# - Interface to listen on
# - HOME_NET range
Snort Configuration
/etc/snort/snort.conf
# Network variables
# Narrow HOME_NET to the subnet you monitor. EXTERNAL_NET any (rather than
# !$HOME_NET) keeps internal-to-internal traffic visible to rules written
# $EXTERNAL_NET -> $HOME_NET, at the cost of some extra noise.
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
# Paths
var RULE_PATH /etc/snort/rules
var LOG_DIR /var/log/snort
# Output
# alert_fast: one-line human-readable alerts. unified2: binary records for
# barnyard2/SIEM ingestion; "limit 128" rotates the file every 128 MB.
output alert_fast: alert.log
output unified2: filename snort.log, limit 128
# Rules
# local.rules holds your own sids (1000000+). community.rules is not
# necessarily shipped by the package -- download it and keep it updated.
include $RULE_PATH/local.rules
include $RULE_PATH/community.rules
Running Snort
# Test configuration
# -T parses snort.conf and every included rule file, then exits; run it
# after each rule change and before restarting the daemon.
sudo snort -T -c /etc/snort/snort.conf
# Run in IDS mode
# -A console prints alerts to the terminal; -q suppresses banner and stats.
sudo snort -A console -q -c /etc/snort/snort.conf -i eth0
# Run as daemon
# As written this stays root; add -u snort -g snort so Snort drops
# privileges after initialisation (the user must exist).
sudo snort -D -c /etc/snort/snort.conf -i eth0 -l /var/log/snort
IPS Mode (Inline)
Suricata IPS
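# suricata.yaml
# AF_PACKET inline mode bridges two NICs: packets received on one are
# copied to the other after inspection. BOTH directions must be declared --
# with only the eth0 entry, return traffic arriving on eth1 is never
# forwarded. Note that only rules using the "drop" action block anything;
# "alert" rules still just log in IPS mode. Each interface needs its own
# cluster-id, and NIC offloading (GRO/LRO/TSO) should be disabled on both
# so Suricata does not see merged super-packets.
af-packet:
  - interface: eth0
    copy-mode: ips
    copy-iface: eth1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
  - interface: eth1
    copy-mode: ips
    copy-iface: eth0
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
NFQueue Mode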
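# Set up NFQUEUE
# Hands every FORWARDed packet to userspace queue 0 (matches "-q 0" below).
# Fail mode: if nothing is attached to the queue (Suricata crashed or has
# not started yet) the kernel DROPS queued packets by default, i.e. this is
# fail-closed and stops all routed traffic. Append --queue-bypass to fail
# open instead (traffic passes uninspected while Suricata is down); choose
# deliberately. -I places the rule ahead of existing FORWARD rules, and a
# packet Suricata accepts does not continue down this chain unless nfq mode
# is set to "repeat" in suricata.yaml. Traffic to/from the host itself
# (INPUT/OUTPUT) is not queued by this rule.
sudo iptables -I FORWARD -j NFQUEUE --queue-num 0
# Run Suricata with NFQUEUE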
sudo suricata -c /etc/suricata/suricata.yaml -q 0
Alert Analysis
Parse Suricata Logs
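# View alerts
# eve.json is NDJSON; pass the file to jq directly instead of cat-piping.
# -c keeps one event per line so the output stays greppable. Include rotated
# files (eve.json.1 ...) if the sensor rotates logs.
jq -c 'select(.event_type=="alert")' /var/log/suricata/eve.json
# Count by signature
# -r strips the JSON quotes so uniq groups on the bare signature text.
jq -r 'select(.event_type=="alert") | .alert.signature' /var/log/suricata/eve.json | sort | uniq -c | sort -rn
# Top source IPs
# src_ip is the source of the packet that raised the alert; for to_client
# signatures that is the server, so check dest_ip too before blocking.
jq -r 'select(.event_type=="alert") | .src_ip' /var/log/suricata/eve.json | sort | uniq -c | sort -rn | head
Rule Management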
Update Rules
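# Suricata Update
# Downloads the enabled sources and writes the merged ruleset to
# <default-rule-path>/suricata.rules. Run it on a schedule (cron / systemd
# timer) and follow it with "suricata -T" and a rule reload, otherwise the
# new rules never reach the running sensor.
sudo suricata-update
# Enable specific ruleset
# Refresh the source index first (if it has not been fetched yet), then
# enable. enable-source only records the choice -- re-run suricata-update
# to actually download the ruleset.
sudo suricata-update update-sources
sudo suricata-update enable-source et/open
sudo suricata-update
# List sources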
sudo suricata-update list-sources
Performance Tuning
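# suricata.yaml
# Pin the management thread to core 0 and detection to cores 1-3 so threads
# stop bouncing between cores. The core numbers must exist on the host;
# adjust "1-3" to the real core count and leave some cores for the OS.
threading:
  set-cpu-affinity: yes
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 0 ]
    - detect-cpu-set:
        cpu: [ "1-3" ]
# Memory caps. 64mb / 128mb are the values shipped in the default
# suricata.yaml, not tuned ones. When a memcap is exhausted Suricata stops
# tracking new segments/flows, which means missed detections (a blind spot
# an attacker can create with flow floods), not merely slower throughput.
# Size for peak concurrent flows and watch the memcap counters in stats.
stream:
  memcap: 64mb
flow:
  memcap: 128mb
Best Practices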
- Tune rules - Disable noisy/irrelevant rules
- Monitor performance - Watch CPU and memory
- Regular updates - Keep rules current
- Test rules - Validate with `suricata -T` / `snort -T` and replay known-good traffic (pcap) before deploying; in IPS mode a bad rule blocks production traffic, so stage new rules as `alert` first and promote them to `drop` once they have proven quiet
- Log retention - Archive for forensics; eve.json grows quickly, so rotate it (logrotate) and have Suricata reopen the file (`suricatasc -c reopen-log-files`) rather than truncating it in place
- ids
- ips
- suricata
- snort
- intrusion detection
- network security