Intrusion Detection Training
I.D OPERATION CHIMERA
INTRUSION DETECTION // SECURITY BLUE TEAM

OPERATION CHIMERA – INTRUSION DETECTION


CONTENTS
[1] What are IDPS systems?
[2] Why is it Useful?
[3] HIDS vs NIDS
[4] Signature vs Anomaly
[5] Snort
[6] Module Challenge

This module is designed to give a look into the world of IDPS systems, and how and why they are used in network defense. It is aimed at individuals who are moving into Cyber, so the material is pitched at an entry-level student. We strongly encourage further reading using the provided sources and any that you find yourself. Want to talk to other hackers about this specific module? Join the discussion in the “intrusion detection” channel within the “Operation Chimera” category in the SBT Discord server.

This information has been gathered from public sources and combined with my own knowledge and experiences for the purpose of Operation Chimera, an online, live blue-team training operation conducted by myself under the alias Known Divide, for the SecurityBlueTeam community.

Useful Links (copy + paste):
[1] https://blog.rapid7.com/2016/12/09/understanding-and-configuring-snort-rules/
[2] https://resources.infosecinstitute.com/snort-rules-workshop-part-one/#gref
[3] https://www.snort.org
[4] https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/000/214/original/snort_manual.pdf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIXACIED2SPMSC7GA%2F20191101%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20191101T134136Z&X-Amz-Expires=172800&X-Amz-SignedHeaders=host&X-Amz-Signature=e23fd16b6e79659d1c71cc1f2cf1ef62099f9a2716f530877c449a53ce91138e
[5] https://paginas.fe.up.pt/~mgi98020/pgr/writing_snort_rules.htm

WHAT ARE INTRUSION DETECTION & PROTECTION SYSTEMS?

Intrusion Detection and Protection Systems are used as a fundamental network defense. Whilst firewalls allow us to block incoming and outgoing traffic based on rules, which builds a barrier between secure and untrusted networks, IDPS allows us to monitor network and host activity. IDS systems generate alerts when certain criteria are met and report them to the SIEM console for analysts to investigate (also known as ‘passive’, because they take no direct action except logging and alerting). IPS systems can take pre-determined actions when criteria are met, such as blocking attacks and closing network connections (also known as ‘active’).

WHY ARE THEY USEFUL?

As mentioned above, IDPS is a fundamental network defense, and allows us to detect and respond to potentially malicious activity over the network, or on systems. Monitoring using signatures, rules, and patterns allows us to identify bad activity and work to stop it as soon as possible. Visibility is key for security, because if we can’t see an attack happening it has the potential to go on for longer and have more damaging effects. We can also use IDS to generate metrics, which are useful statistics such as the number of attacks, the types of attacks, etc. This information can be used as justification to implement more effective security controls, and to monitor the maturity of security within the organisation.

Anything we’ve missed? Please let us know, so we can add it in here, and create a useful resource for security professionals worldwide!

If you’ve enjoyed this event, please consider donating whatever you can spare to buy me pizza, coffee, and help fund future events! (even £5/$5 will make a huge difference, and it only takes a few seconds).

https://paypal.me/KDMentoring

HIDS VS NIDS

Generally, we classify IDPS systems into two categories, Host Intrusion Detection Systems and Network Intrusion Detection Systems. Both have different functions, and for the best results they should be deployed together.

Image 1 Source: https://www.comparitech.com/net-admin/network-intrusion-detection-tools/
Image 2 Source: https://opensourceforu.com/2016/09/growing-popularity-snort-network-ids/

HIDS:
• These solutions are installed on every system in the network.
• HIDS will analyze incoming and outgoing network traffic locally.
• It can also monitor activity on the host, such as file changes and system alterations that could indicate a potential compromise.
• Uses the host’s resources to work, with the potential for performance disruption.
• Reactive, not proactive. Responds when attacks are taking place.

NIDS:
• These solutions are tactically deployed throughout the network.
• NIDS will monitor traffic passing through network equipment.
• Typically come in the form of an easy to deploy dedicated hardware
appliance.
• Open-Source NIDS software can be found on the Internet.
• Enterprise-grade NIDS can be expensive.
• The Sensor Module has the potential to be resource intensive on the
host system.

Using both HIDS and NIDS is a great security solution, and allows for
monitoring of both hosts, and network traffic.

SIGNATURE-BASED VS ANOMALY-BASED
There are two modes of operation for both HIDS and NIDS, signature-based
and anomaly-based. Usually these systems will run both methods in order to
be the most effective, but some may be running one or the other.

Signature-Based:
• Pre-determined patterns are used to identify and classify events.
• Attack profiles are stored in a database and have specific indicators
that when met signifies that type of attack is occurring.
• A huge advantage of signatures is that if a new vulnerability is
released, and someone creates a signature, you can detect and
defend against this attack.
• Example: 10 failed authentication attempts to SSH with different
passwords. IDS matches this specific activity, and generates an alert
for credential brute forcing.

Anomaly-Based:
• An anomaly is an unexpected event or pattern.
• A baseline of ‘normal’ activity is taken, and any changes to that are
classed as anomalies.
• Example: A user account that is only used 9am-5pm is logged in at
2:13am (different from expected activity). The IDS will generate an
alert.
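The two SSH examples above, as an added illustration that is not part of the module: a signature check (ten or more failed logins from one source) and an anomaly check (a successful login outside an account’s usual hours) run over constructed sshd-style log lines; the log lines, the baseline and the threshold are all made up for the example.

```python
import re
from collections import Counter

# Constructed sample lines in sshd's usual wording (HH:MM timestamps only).
FAILED = "{t} sshd: Failed password for {u} from {ip} port {p} ssh2"
ACCEPT = "{t} sshd: Accepted password for {u} from {ip} port {p} ssh2"
SAMPLE_LOG = [FAILED.format(t="10:02", u="bob", ip="10.0.0.7", p=51100 + i)
              for i in range(10)]                      # 10 failures, one source
SAMPLE_LOG += [ACCEPT.format(t="14:30", u="alice", ip="10.0.0.9", p=40001),
               ACCEPT.format(t="02:13", u="alice", ip="10.0.0.9", p=40002),
               FAILED.format(t="11:00", u="carol", ip="10.0.0.12", p=40003)]

LINE_RE = re.compile(
    r"^(\d\d):(\d\d) sshd: (Failed|Accepted) password for (\S+) from (\S+) port \d+")

def signature_brute_force(lines, threshold=10):
    # Signature: a fixed pattern, N or more failed SSH logins from one source IP.
    fails = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group(3) == "Failed":
            fails[m.group(5)] += 1
    return [ip for ip, n in fails.items() if n >= threshold]

def anomaly_off_hours(lines, baseline):
    # Anomaly: a successful login outside the hours the account normally uses.
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(3) != "Accepted":
            continue
        hour, user = int(m.group(1)), m.group(4)
        start, end = baseline.get(user, (0, 24))       # no baseline: anything goes
        if not start <= hour < end:
            alerts.append((user, f"{m.group(1)}:{m.group(2)}"))
    return alerts

# Constructed baseline: alice's account is only ever seen 09:00-17:00.
BASELINE = {"alice": (9, 17)}

if __name__ == "__main__":
    print(signature_brute_force(SAMPLE_LOG))         # ['10.0.0.7']
    print(anomaly_off_hours(SAMPLE_LOG, BASELINE))   # [('alice', '02:13')]
```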

SNORT

Snort is an open-source NIDS that works on Windows, Linux and Unix (Sorry MacOS users!), developed in 1998. Written by Martin Roesch, this is the most common IDS in deployment around the world. Although primarily an IDS, Snort can be used as an IPS if needed. Snort works to examine traffic across the network, match observed activity against a set of rules (signatures), and then generate alerts when suspicious network activity is identified, so that humans can take appropriate action. Snort can run in the three following modes:
• NIDS Mode - Monitor and analyze traffic using rules. Provides real-time alerting. (Use snort -dev -l ./log -h 192.168.1.0/24 -c /etc/snort/snort.conf to start this mode. Requires a directory in the current location called ‘log’)

• Logging Mode - Monitor traffic and record all packets to the disk of the host system. (Use snort -dev -l ./log to start this mode. Requires a directory in the current location called ‘log’)

• Sniffer Mode - Monitor network packets and show them on the Snort console. (Use snort -v to start this mode)

Next I’ll show you how to install Snort to protect your home network. You will
need to be the root user in whichever Linux distribution you want to use.

[1] Installing Snort
[2] Installing Dependencies
[3] Snort’s Configuration File
[4] Snort Rules

[1] Installing Snort

Run the command sudo apt-get install snort and press y when asked.

When you see the below screen, we can press [Enter] to continue. We do not
need to alter the IP range, because we want Snort to protect our private home
network (192.168.0.0/16).

Let’s make sure Snort installed successfully by querying the version.

[2] Installing Snort Dependencies

Snort has a lot of dependencies – these are other programs that it needs to run properly. We need to install the following:

• Apache2 (for our web server)
• MySQL-server (for our database)
• PHP5 (for the server-based script)
• PHP5-MySQL
• PHP5-gd (for graphics handling)
• PEAR (PHP Extension and Application Repository)

We can do this all in one command (you can copy-paste):

apt-get install apache2 mysql-server php php-mysql php-gd php-pear

[3] Snort’s Configuration File


The snort.conf file (located in /etc/snort) is where all of the configurations are
stored for Snort, which is used when running in NIDS mode. This file is really
straightforward, and there are comments inside that tell you what each section
does, and how to change it. Use the command gedit /etc/snort/snort.conf to
open the file in a text editor, and take a look around and become familiar with
what this file can do!

By default, the HOME_NET value (the network Snort will be protecting) is set to “any”, so we need to change this to match our home network (in my case 192.168.1.0/24; to check your VM’s IP, run ifconfig and look for the appropriate network adapter and its associated IP address). Below is a screenshot of my snort.conf file, after replacing “any” with “192.168.1.0/24”.

[4] Snort Rules


Snort Rules are written in the following format:

<Rule Action> <Protocol> <Source IP Address> <Source Port> <Direction> <Destination IP Address> <Destination Port> (rule options)

Actions – Something that happens when a rule is matched:
• log will log the packet to disk
• alert will generate an alert and log the packet to disk
• pass will ignore the packet
• drop blocks and logs the packet to disk
• reject blocks the incoming packet, logs it and then sends a TCP Reset or ICMP Port Unreachable response to the source IP

Protocol – The type of protocol we’re looking for:
• tcp transmission control protocol
• udp user datagram protocol
• ip internet protocol
• icmp internet control message protocol

Source/Destination IP – The IP address of the communication:
• single ip defining a single IP (Ex: 10.10.10.173)
• ip range (CIDR) defining a range of IPs (Ex: 192.168.1.0/24)
• not ip address is not the following IP (Ex: !172.16.100.5)
• any wildcard search for any IP

Source/Destination Port – The port number used to communicate:
• single port defining a single port (Ex: 80)
• port range defining a range of ports (Ex: 1:2000)
• any wildcard search for any port

Direction Operator – Direction for the rule to match:
• directional one direction (-> or <-)
• bidirectional either direction (<>)

So here’s an example:

alert tcp any any -> 192.168.1.43 22 (msg:"Potential SSH connection to protected host!"; sid:1; rev:1;)

This rule will generate an alert when TCP traffic is sent from any host and any port towards 192.168.1.43 on port 22. The alert will carry the custom message “Potential SSH connection to protected host!”.

If we wanted to monitor for any internal SSH activity, something that could be a sign of a malicious actor performing lateral movement (moving between systems), we could use a rule such as:

alert tcp $HOME_NET any -> $HOME_NET 22 (msg:"Possible internal SSH session detected!"; flags:S+; sid:10000001; rev:1;)

This rule will generate an alert when TCP traffic is sent from a $HOME_NET IP and any port towards a $HOME_NET IP on port 22, provided the packet has the TCP SYN flag set. The alert will carry the custom message “Possible internal SSH session detected!”.
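To show how the header fields described above (any, CIDR ranges, negation, port ranges, the direction operator, $HOME_NET) and the flags option decide whether a packet matches, here is an added example covering both rules in this section; it is not code from the module or from Snort. It assumes a variable table with HOME_NET set to 192.168.1.0/24, checks only header fields plus flags, and is applied to constructed (proto, src, sport, dst, dport, tcp_flags) tuples rather than real packets.

```python
import ipaddress
import re
# Assumed variable table: the module sets HOME_NET to 192.168.1.0/24 in snort.conf.
VARS = {"HOME_NET": "192.168.1.0/24"}
HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: " + text)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = {}
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")            # e.g. msg:"..."  sid:1
        options[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}

def ip_matches(spec, ip):
    if spec.startswith("$"):                        # $HOME_NET -> ipvar value
        spec = VARS[spec[1:]]
    if spec == "any":
        return True
    if spec.startswith("!"):                        # !172.16.100.5 = not this IP
        return not ip_matches(spec[1:], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")               # 80, or a 1:2000 range
    return int(lo or 0) <= port <= int(hi or 65535) if sep else port == int(lo)

def ends_match(rule, src, sport, dst, dport):
    return (ip_matches(rule["src"], src) and port_matches(rule["sport"], sport)
            and ip_matches(rule["dst"], dst) and port_matches(rule["dport"], dport))

def rule_matches(rule, pkt):
    proto, src, sport, dst, dport, flags = pkt      # constructed packet tuple
    if rule["proto"] not in (proto, "ip"):          # 'ip' rules cover every protocol
        return False
    hit = ends_match(rule, src, sport, dst, dport)
    if rule["dir"] == "<>":                         # bidirectional: try reverse too
        hit = hit or ends_match(rule, dst, dport, src, sport)
    want = rule["options"].get("flags")             # only the 'flags' option is checked
    if want:                                        # 'S+' = SYN set, others allowed
        need = set(want.rstrip("+"))
        hit = hit and (need <= set(flags) if want.endswith("+") else need == set(flags))
    return hit
```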

Look at the useful sources at the top of this document, as you’ll need to write
rules for the Challenge!
Snort comes with a ton of in-built rules, which can be found in /etc/snort/rules.
Take a look at them to see how they are written!
(Example: cat /etc/snort/rules/ftp.rules)

MODULE CHALLENGE
If you think you’re ready for the module challenge, head over to the website
and click on the ‘Challenge Brief’ under the Intrusion Detection Systems
module!
Good luck.
