HxHippy

Intrusion Detection Systems

Deploy and configure IDS/IPS with Suricata and Snort for threat detection.

Last updated: 2025-01-15

Detect and prevent network-based attacks with IDS/IPS.

IDS vs IPS

Feature     IDS               IPS
Action      Detect & Alert    Detect & Block
Placement   Passive / SPAN    Inline
Impact      None              Can block traffic
Risk        Missed attacks    False positives

Suricata Installation

# Debian/Ubuntu
sudo apt install suricata

# Install rules
sudo suricata-update

# Check version
suricata --build-info

Suricata Configuration

/etc/suricata/suricata.yaml

vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"

  port-groups:
    HTTP_PORTS: "[80,8080,8443]"
    SHELLCODE_PORTS: "!80"
    SSH_PORTS: 22

default-rule-path: /var/lib/suricata/rules

af-packet:
  - interface: eth0
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes

outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      types:
        - alert
        - http
        - dns
        - tls
        - files

Running Suricata

# Test configuration
sudo suricata -T -c /etc/suricata/suricata.yaml

# Run in IDS mode
sudo suricata -c /etc/suricata/suricata.yaml -i eth0

# Run as service
sudo systemctl enable suricata
sudo systemctl start suricata

# Check logs
tail -f /var/log/suricata/eve.json

Custom Rules

Rule Syntax

action protocol src_ip src_port -> dst_ip dst_port (options)

Example Rules

# Detect SSH brute force
alert ssh any any -> $HOME_NET 22 (msg:"SSH brute force attempt"; flow:to_server; threshold:type threshold, track by_src, count 5, seconds 60; sid:1000001; rev:1;)

# Detect outbound IRC
alert tcp $HOME_NET any -> any 6667 (msg:"Outbound IRC traffic"; sid:1000002; rev:1;)

# Detect SQL injection
alert http any any -> $HOME_NET any (msg:"SQL Injection attempt"; content:"UNION"; nocase; content:"SELECT"; nocase; sid:1000003; rev:1;)
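
The rule header and option grammar above is simple enough to lint before a reload. The following script is an added example, not code from this page or from the Suricata/Snort projects: it parses each rule into its header fields and an ordered list of options (splitting on ";" only outside quoted values, so a content match such as content:"a;b" survives), then reports the problems that most often break a reload or leave an alert unattributable: missing msg, sid or rev, a sid reused across rules, and a local sid below 1000000 (the range below that is reserved for vendor rulesets). The sample input is the page's three rules plus two constructed lines that exercise those checks.

```python
"""Rule-file linter for the Suricata/Snort rule syntax shown above.

Added example, not code from the page or from the Suricata/Snort projects.
"""
import re
from collections import Counter

# Header grammar from the page: action protocol src_ip src_port -> dst_ip dst_port (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject|log)\s+"
    r"(?P<proto>\S+)\s+"
    r"(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+"
    r"(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*"
    r"\((?P<options>.*)\)\s*$"
)

LOCAL_SID_MIN = 1000000  # Snort/Suricata convention: locally written rules start here


def split_options(text):
    """Split the option list on ';' while respecting quoted values such as content:"a;b"."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch == ";" and not in_quote:
            part = "".join(buf).strip()
            if part:
                parts.append(part)
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return parts


def parse_rule(line):
    """Return a dict for one rule line, None for blank/comment lines; raise on a malformed header."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError(f"malformed rule header: {line[:60]}")
    rule = m.groupdict()
    # Options stay an ordered list of (keyword, value): keywords such as content
    # may repeat, and their order matters to the detection engine.
    rule["options"] = [
        (k.strip(), v.strip())
        for k, _, v in (opt.partition(":") for opt in split_options(rule.pop("options")))
    ]
    return rule


def lint_rules(text):
    """Parse a whole rules file and return (rules, problems)."""
    rules, problems, sids = [], [], Counter()
    for n, line in enumerate(text.splitlines(), 1):
        try:
            rule = parse_rule(line)
        except ValueError as err:
            problems.append(f"line {n}: {err}")
            continue
        if rule is None:
            continue
        opts = dict(rule["options"])  # last value wins; enough for msg/sid/rev lookups
        for required in ("msg", "sid", "rev"):
            if required not in opts:
                problems.append(f"line {n}: missing {required}")
        if "sid" in opts:
            sids[opts["sid"]] += 1
            if opts["sid"].isdigit() and int(opts["sid"]) < LOCAL_SID_MIN:
                problems.append(f"line {n}: sid {opts['sid']} is below {LOCAL_SID_MIN}, reserved for vendor rules")
        rules.append(rule)
    for sid, count in sids.items():
        if count > 1:
            problems.append(f"sid {sid} is used {count} times")
    return rules, problems


# The page's three rules plus two constructed lines: one with ';' inside a
# content match, one that reuses sid 1000001.
SAMPLE_RULES = r'''
# Detect SSH brute force
alert ssh any any -> $HOME_NET 22 (msg:"SSH brute force attempt"; flow:to_server; threshold:type threshold, track by_src, count 5, seconds 60; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> any 6667 (msg:"Outbound IRC traffic"; sid:1000002; rev:1;)
alert http any any -> $HOME_NET any (msg:"SQL Injection attempt"; content:"UNION"; nocase; content:"SELECT"; nocase; sid:1000003; rev:1;)
alert http any any -> $HOME_NET any (msg:"constructed; semicolon in content"; content:"a;b"; sid:1000004; rev:1;)
alert tcp any any -> $HOME_NET 23 (msg:"constructed duplicate sid"; sid:1000001; rev:1;)
'''

if __name__ == "__main__":
    parsed, issues = lint_rules(SAMPLE_RULES)
    print(f"{len(parsed)} rules parsed")
    for issue in issues:
        print("problem:", issue)
```

Run it against local.rules before `suricatasc -c reload-rules`; a duplicate sid is the usual reason a reload rejects a file. The linter checks form only: it will not tell you that a content match for UNION and SELECT anywhere in HTTP traffic (as in the page's third rule) is likely to be noisy; that is what the "Test rules" step under Best Practices is for.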

Add Custom Rules

# Create custom rules file
sudo nano /var/lib/suricata/rules/local.rules

# Update suricata.yaml
rule-files:
  - suricata.rules
  - local.rules

# Reload rules
sudo suricatasc -c reload-rules

Snort Installation

# Debian/Ubuntu
sudo apt install snort

# Configure during install:
# - Interface to listen on
# - HOME_NET range

Snort Configuration

/etc/snort/snort.conf

# Network variables
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET

# Paths
var RULE_PATH /etc/snort/rules
var LOG_DIR /var/log/snort

# Output
output alert_fast: alert.log
output unified2: filename snort.log, limit 128

# Rules
include $RULE_PATH/local.rules
include $RULE_PATH/community.rules

Running Snort

# Test configuration
sudo snort -T -c /etc/snort/snort.conf

# Run in IDS mode
sudo snort -A console -q -c /etc/snort/snort.conf -i eth0

# Run as daemon
sudo snort -D -c /etc/snort/snort.conf -i eth0 -l /var/log/snort

IPS Mode (Inline)

Suricata IPS

# suricata.yaml
af-packet:
  - interface: eth0
    copy-mode: ips
    copy-iface: eth1

NFQueue Mode

# Set up NFQUEUE
sudo iptables -I FORWARD -j NFQUEUE

# Run Suricata with NFQUEUE
sudo suricata -c /etc/suricata/suricata.yaml -q 0

Alert Analysis

Parse Suricata Logs

# View alerts
jq 'select(.event_type=="alert")' /var/log/suricata/eve.json

# Count by signature
jq -r 'select(.event_type=="alert") | .alert.signature' /var/log/suricata/eve.json | sort | uniq -c | sort -rn

# Top source IPs
jq -r 'select(.event_type=="alert") | .src_ip' /var/log/suricata/eve.json | sort | uniq -c | sort -rn | head
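
The same aggregation in Python, as an added example that is not part of the page or of Suricata: it reads EVE JSON line by line, skips a truncated line (common at a log rotation boundary) instead of aborting, reproduces the three jq pipelines above, and adds the per-(signature, source) counts you want when deciding which rules to threshold or suppress. The log records are constructed; the field names used (event_type, src_ip, alert.signature, alert.severity) are Suricata's EVE fields, and severity 1 is the highest.

```python
"""Aggregate Suricata EVE JSON alerts (added example, not code from the page or from Suricata)."""
import json
from collections import Counter

# Constructed eve.json records: five alerts, one dns event, one truncated line.
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2025-01-15T10:00:01.000000+0000","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"10.0.0.20","dest_port":22,"proto":"TCP","alert":{"signature_id":1000001,"rev":1,"signature":"SSH brute force attempt","severity":3,"action":"allowed"}}',
    '{"timestamp":"2025-01-15T10:00:02.000000+0000","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"10.0.0.20","dest_port":22,"proto":"TCP","alert":{"signature_id":1000001,"rev":1,"signature":"SSH brute force attempt","severity":3,"action":"allowed"}}',
    '{"timestamp":"2025-01-15T10:00:03.000000+0000","event_type":"dns","src_ip":"10.0.0.7","dest_ip":"10.0.0.2","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"example.com"}}',
    '{"timestamp":"2025-01-15T10:00:04.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"198.51.100.44","dest_port":6667,"proto":"TCP","alert":{"signature_id":1000002,"rev":1,"signature":"Outbound IRC traffic","severity":3,"action":"allowed"}}',
    '{"timestamp":"2025-01-15T10:00:05.000000+0000","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"10.0.0.20","dest_port":22,"proto":"TCP","alert":{"signature_id":1000001,"rev":1,"signature":"SSH brute force attempt","severity":3,"action":"allowed"}}',
    '{"timestamp":"2025-01-15T10:00:06.000000+0000","event_type":"alert","src_ip":"198.51.100.9","dest_ip":"10.0.0.30","dest_port":80,"proto":"TCP","alert":{"signature_id":1000003,"rev":1,"signature":"SQL Injection attempt","severity":1,"action":"allowed"}}',
    '{"timestamp":"2025-01-15T10:00:07.000000+0000","event_type":"alert","src_ip":"198.51.',  # cut off by log rotation
])


def iter_events(lines):
    """Yield one dict per well-formed JSON line; skip blank or truncated lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def alerts(lines):
    """Equivalent of jq 'select(.event_type=="alert")'."""
    return [e for e in iter_events(lines) if e.get("event_type") == "alert"]


def count_by(events, key):
    """Sorted (value, count) pairs, like `| sort | uniq -c | sort -rn`."""
    return Counter(key(e) for e in events).most_common()


def summarize(lines):
    """Totals by signature, source IP and severity for the alert events in lines."""
    evs = alerts(lines)
    return {
        "total": len(evs),
        "by_signature": count_by(evs, lambda e: e["alert"]["signature"]),
        "by_src_ip": count_by(evs, lambda e: e["src_ip"]),
        "by_severity": count_by(evs, lambda e: e["alert"]["severity"]),
    }


def high_severity(lines, max_severity=1):
    """Signatures that fired at severity <= max_severity (1 is the highest in Suricata)."""
    return sorted({e["alert"]["signature"] for e in alerts(lines)
                   if e["alert"].get("severity", 4) <= max_severity})


def noisy_pairs(lines, min_count):
    """(signature, src_ip) pairs that fired at least min_count times: the first
    candidates for a threshold or suppress entry when tuning rules."""
    pairs = Counter((e["alert"]["signature"], e["src_ip"]) for e in alerts(lines))
    return [(pair, n) for pair, n in pairs.most_common() if n >= min_count]


if __name__ == "__main__":
    lines = SAMPLE_EVE.splitlines()
    report = summarize(lines)
    print(f"{report['total']} alerts")
    for sig, n in report["by_signature"]:
        print(f"{n:5d}  {sig}")
    print("high severity:", high_severity(lines))
    print("tuning candidates:", noisy_pairs(lines, min_count=3))
```

For a live file, pass `open("/var/log/suricata/eve.json")` as `lines`; the generator never loads the whole log into memory, which matters once eve.json reaches tens of gigabytes.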

Rule Management

Update Rules

# Suricata Update
sudo suricata-update

# Enable specific ruleset
sudo suricata-update enable-source et/open

# List sources
sudo suricata-update list-sources

Performance Tuning

# suricata.yaml
threading:
  set-cpu-affinity: yes
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 0 ]
    - detect-cpu-set:
        cpu: [ "1-3" ]

stream:
  memcap: 64mb

flow:
  memcap: 128mb

Best Practices

  1. Tune rules - Disable noisy/irrelevant rules
  2. Monitor performance - Watch CPU and memory
  3. Regular updates - Keep rules current
  4. Test rules - Avoid false positives
  5. Log retention - Archive for forensics