IDS Fundamentals — Cyber Security 101 - Security Solutions - TryHackMe Walkthrough
Learn the fundamentals of IDS, along with the experience of working with Snort.
Room URL: https://tryhackme.com/r/room/idsfundamentals
Task 1 What Is an IDS
In the previous room, Intro to Firewalls, we studied the role of a firewall, a security solution usually deployed on the boundary of a network to protect its incoming and outgoing traffic. The firewall checks the traffic when a connection is going to take place and denies it if it violates the firewall rules. However, there should be some security to detect the activities of the connection that passed through the firewall and have already taken place. So, if an attacker successfully bypasses a firewall via a legitimate-looking connection and then performs any malicious activities inside the network, there should be something to detect it timely. For this purpose, we have a security solution inside the network. This solution is known as an Intrusion Detection System (IDS).
Think of an example of a building’s security. A firewall acts as the gatekeeper, checking the people coming in and going out. There is always a chance that some bad actor will successfully sneak inside and start performing malicious activities. He was missed at the gate, but what if we catch him even after he gets in? This can be done by the surveillance cameras present throughout the building. The IDS plays the role of surveillance cameras. It sits in a corner, monitors the network traffic based on its signature and anomaly-based detections, and detects any abnormal traffic going out or inside the network. Upon every detection, an alert is generated for the security administrators. IDS does not act on those detections; it only notifies the security administrators about the malicious activity.
This room will equip you with sound knowledge of IDS solutions. In the upcoming tasks, we will also explore the most popular open-source IDS solution.
Learning Objectives
- Types of IDS and their detection capabilities
- Working of Snort IDS
- Default and custom rules in Snort IDS
- Making a custom rule in Snort IDS
Answer the questions below
- Can an intrusion detection system (IDS) prevent the threat after it detects it? Yea/Nay
An Intrusion Detection System (IDS) is designed to detect and alert on suspicious or malicious activities within a network but does not actively prevent or stop these threats. It is a passive monitoring tool, unlike an Intrusion Prevention System (IPS), which can take action to block detected threats.
Answer: Nay
Task 2 Types of IDS
IDS can be categorized differently depending on certain factors. An IDS’s main categorization depends on its deployment and detection modes.
Deployment Modes
IDS can be deployed in the following ways:
- Host Intrusion Detection System (HIDS): Host-based IDS solutions are installed individually on the hosts and are responsible for only detecting potential security threats associated with that particular host. They provide detailed visibility of the host’s activities. However, host intrusion detection systems can be challenging to manage in large networks as they are resource-intensive and require management on each host.
- Network Intrusion Detection System (NIDS): Network-based IDS solutions are crucial in detecting potentially malicious activities within the whole network, regardless of any specific hosts. They monitor the network traffic of all the hosts involved to detect suspicious activities. It provides a centralized view of all the detections inside the whole network.
Detection Modes
- Signature-Based IDS: Many attacks occur every day. Each attack has its unique pattern, which is known as a signature. These signatures are preserved by the IDS in its database so that if the same attack happens in the future, it gets detected by its signature and reported to the security administrators for action. The stronger the signature database of the IDS is, the more efficiently it detects known threats. However, a signature-based IDS is unable to detect zero-day attacks: zero-day attacks have no prior signatures (patterns) and are not saved inside the IDS database. Therefore, a signature-based IDS can only detect attacks that have happened before and whose signatures (patterns) are saved inside its database. In the upcoming tasks, we will explore a signature-based IDS named Snort.
- Anomaly-Based IDS: This type of IDS first learns the normal behavior (baseline) of the network or system and raises detections when there is any deviation from that normal behavior. Anomaly-based IDS can also detect zero-day attacks because it does not rely on available signatures for detection; instead, it detects abnormalities inside the network or system by comparing the current state with the baseline. However, this type of IDS may generate a lot of false positives (marking benign activities as malicious), because many legitimate programs behave in ways that resemble malicious activity, and an anomaly-based IDS treats anything behaving unusually as malicious. The false positives generated by an anomaly-based IDS can be reduced by fine-tuning it (manually defining the normal behavior in the IDS).
- Hybrid IDS: A hybrid IDS combines the detection methods of signature-based IDS and anomaly-based IDS to leverage the strengths of each approach. Some known threats may already have some signatures in the IDS database; in this case, the hybrid IDS would use the detection technique of the signature-based IDS. If it encounters a new threat, it can leverage the detection method of anomaly-based IDS.
Signature-based IDS can detect threats quickly, while other IDS can have a high processing overhead. However, it is also essential to consider the IDS based on several different factors. Signature-based IDS can be a good option for covering a small threat surface. Anomaly-based IDS and hybrid IDS can help detect modern zero-day attacks, which are increasing daily and can cause massive damage to organizations.
Answer the questions below
2.1 Which type of IDS is deployed to detect threats throughout the network?
Network Intrusion Detection System (NIDS): Imagine you have a network, which is a system connecting many computers together. A NIDS is like a security guard watching the entire network to see if anything suspicious happens. Instead of watching just one computer, it monitors all the computers in the network together. So, if there’s any unusual or harmful activity, it can alert the security team. This type of IDS is specifically designed to detect threats across the whole network, not just a single computer.
Answer: Network Intrusion Detection System
2.2 Which IDS leverages both signature-based and anomaly-based detection techniques?
Hybrid IDS: There are two main ways for an IDS to detect threats: it can either look for known patterns of attacks (like recognizing a face it’s seen before) or it can look for unusual behavior (like noticing if someone acts strangely even if they’re not on any “wanted list”). A Hybrid IDS combines both methods. It uses a list of known attack patterns and also watches for unusual behavior that might indicate a new type of attack. This combination helps it catch both familiar and new threats.
Answer: Hybrid IDS
Task 3 IDS Example: Snort
Snort is one of the most widely used open-source IDS solutions developed in 1998. It uses signature-based and anomaly-based detections to identify known threats. These are defined in the rule files of the Snort tool. Several built-in rule files come pre-installed in this tool’s package. These built-in rule files contain a variety of known attack patterns. Snort’s built-in rules can detect a lot of malicious traffic for you. However, you can configure Snort to detect specific types of network traffic that are not covered by the default rule files. You can create custom rules based on your requirements to detect specific traffic. You can also disable any built-in detection rules if they don’t point to harmful traffic for your system or network and define some custom rules instead. In the upcoming task, we will explore the built-in rules and make custom rules to detect specific traffic.
Modes of Snort
Snort runs in one of three modes: packet sniffer mode, which prints packets to the console; packet logging mode, which writes packets to disk; and NIDS mode, which applies rules to the traffic and generates alerts. The most relevant use of Snort as an IDS comes from its NIDS mode. However, Snort can be used in any of these modes depending upon the requirement.
Answer the questions below
3.1 Which mode of Snort helps us to log the network traffic in a PCAP file?
Packet Logging Mode helps us log the network traffic in a PCAP file. This mode captures all network data in a standard format that can be analyzed later, which is particularly useful for forensic investigations to understand past network activity and attacks.
Answer: Packet Logging Mode
3.2 What is the primary mode of Snort called?
The primary mode of Snort is called Network Intrusion Detection System (NIDS) Mode. This mode actively monitors network traffic in real-time and uses rules to detect suspicious patterns, alerting security teams when a potential threat is found. This is the main mode that makes Snort effective as an Intrusion Detection System (IDS).
Answer: Network Intrusion Detection System mode
Task 4 Snort Usage
During Snort installation, you must provide your network interface and range. You can run Snort normally, where it only captures the traffic intended for your host. However, if you want to use Snort to capture and detect intrusions in your whole network, you must turn on the promiscuous mode of your host’s network interface.
First, let’s start the Virtual Machine by pressing the Start Machine button given below. The machine will start in split view. In case the VM is not visible, use the blue Show Split View button at the top of the page.
Snort has some built-in rule files, a configuration file, and other files. These are stored in the /etc/snort directory. The key file for Snort is its configuration file snort.conf, where you can specify which rule files to enable, which network range to monitor, and other settings. The rule files are stored in the rules folder. Let's use the ls command to list all the files and folders present in Snort's main directory:
Snort Directory
ubuntu@tryhackme:~$ ls /etc/snort
classification.config reference.config snort.debian.conf
community-sid-msg.map rules threshold.conf
gen-msg.map snort.conf unicode.map
Rule Format
Now, let’s discuss how rules are created in Snort. There is a specific way of writing the rules. Consider a sample rule that detects ICMP packets (usually used when you ping a host) coming from any IP address and port and reaching the home network (the network range is defined in Snort’s configuration file) on any port. Once such traffic is detected, it generates a “Ping Detected” alert.
The details of the components involved in this rule are given below:
- Action: This specifies which action to take when the rule triggers. In this case, we have the action to “alert” when the traffic matches this rule.
- Protocol: This refers to the protocol that matches this rule. In this case, we use the protocol “ICMP,” which is used when we ping a host.
- Source IP: This determines the IP from which the traffic is originating. Since we want to detect traffic from any source IP, we set this as “any”.
- Source port: This determines the port from which the traffic is originating. Since we want to detect traffic from any source port, we set this as “any”.
- Destination IP: This specifies the destination IP that the matching traffic is headed for; traffic to this destination generates the alert. In this case, we used “$HOME_NET”. This is a variable, and we defined its value as our whole network’s range in Snort’s configuration file.
- Destination port: This specifies the port the traffic would reach. As we want to detect traffic coming to any port, we set it as “any”.
- Rule metadata: Every rule has some metadata. That is defined at the end of the rule in parentheses. The following are its components:
- Message (msg): This describes the message to be displayed when the subject rule triggers. The message should indicate the type of activity detected. In this case, we used “Ping Detected”.
- Signature ID (sid): Every rule has a unique identifier that differentiates it from the other rules. This identifier is called the signature ID (sid). In this case, we set the sid to “10001”.
- Rule revision (rev): This sets the revision number of the rule. Every time the rule is modified, its revision number is incremented. This helps in tracking the changes to any rule.
Rule Creation
Let’s paste the sample rule explained above into the custom “local.rules” file in the Snort rules directory.
Firstly, open the “local.rules” file in a text editor:
Edit Custom Rule File
ubuntu@tryhackme:~$ sudo nano /etc/snort/rules/local.rules
Now, add the following rule after the already present rules to the file:
alert icmp any any -> 127.0.0.1 any (msg:"Loopback Ping Detected"; sid:10003; rev:1;)
Note: We will need the other already present rules in the next task, so do not delete them.
Once you successfully edit the file, press “ctrl+x” and it will ask you to press “y” if you want to save the changes. Press “y” to save the changes.
Rule Testing
Let’s first start the snort tool to detect any intrusions defined in the rule file. For this, we have to execute the following command with sudo privileges in our console:
Running Snort for Detections
ubuntu@tryhackme:~$ sudo snort -q -l /var/log/snort -i lo -A console -c /etc/snort/snort.conf
Note: In case your loopback interface is not called “lo”, replace it with the correct interface name.
As this rule is designed to alert us on any ICMP packets to our loopback address, let’s try to ping our loopback address to see if our rule works:
Ping Host
ubuntu@tryhackme:~$ ping 127.0.0.1
The screenshot below shows the Snort-generated “Loopback Ping Detected” alert when we ping our host’s loopback IP. This means that our rule is working fine.
Running Snort for Detections
ubuntu@tryhackme:~$ sudo snort -q -l /var/log/snort -i lo -A console -c /etc/snort/snort.conf
07/24-10:46:52.401504 [**] [1:1000001:1] Loopback Ping Detected [**] [Priority: 0] {ICMP} 127.0.0.1 -> 127.0.0.1
07/24-10:46:53.406552 [**] [1:1000001:1] Loopback Ping Detected [**] [Priority: 0] {ICMP} 127.0.0.1 -> 127.0.0.1
07/24-10:46:54.410544 [**] [1:1000001:1] Loopback Ping Detected [**] [Priority: 0] {ICMP} 127.0.0.1 -> 127.0.0.1
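As an added example (not code from the room), a small Python parser for the rule format described in Rule Format and for the [gid:sid:rev] tag in the console alerts above: it splits a rule into its header fields and metadata options, flags a local.rules file in which two rules share a sid (the sid must be unique per rule), and maps an alert line back to the rule that fired. The rules file and the alert line are constructed; the “Ping Detected” rule is rebuilt from the components listed in Rule Format, with rev:1 assumed.

```python
import re
from collections import Counter

# Constructed sample local.rules. The "Ping Detected" rule is rebuilt from the
# components the task lists (alert, icmp, any/any, $HOME_NET any, msg, sid 10001);
# its rev:1 is assumed. The loopback rule is the one the task adds. The SSH rule
# is a constructed stand-in whose sid deliberately collides with the first rule.
LOCAL_RULES = """\
alert icmp any any -> $HOME_NET any (msg:"Ping Detected"; sid:10001; rev:1;)
alert icmp any any -> 127.0.0.1 any (msg:"Loopback Ping Detected"; sid:10003; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"SSH Connection Attempt"; sid:10001; rev:1;)
"""

# Constructed console alert in the format shown above: [gid:sid:rev] then the msg.
ALERT_LINE = ("07/24-10:46:52.401504 [**] [1:10003:1] Loopback Ping Detected [**] "
              "[Priority: 0] {ICMP} 127.0.0.1 -> 127.0.0.1")

# header: action proto src_ip src_port direction dst_ip dst_port (options)
HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\((?P<opts>.*)\)\s*$"
)
ALERT = re.compile(r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]")

def parse_rule(line):
    """Split one rule into its seven header fields plus a dict of its metadata options."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError(f"not a Snort rule: {line!r}")
    rule = m.groupdict()
    opts = {}
    for opt in rule.pop("opts").split(";"):      # options are ';'-terminated key:value pairs
        if opt.strip():
            key, _, val = opt.strip().partition(":")
            opts[key.strip()] = val.strip().strip('"')
    rule["options"] = opts
    return rule

def load_rules(text):
    """Parse every non-empty, non-comment line of a rules file."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def check_rules(rules):
    """Report rules missing msg/sid/rev and sids shared by more than one rule."""
    findings = []
    for r in rules:
        for key in ("msg", "sid", "rev"):
            if key not in r["options"]:
                findings.append(f"{r['options'].get('msg', '<no msg>')}: missing {key}")
    sids = Counter(r["options"].get("sid") for r in rules)
    findings += [f"sid {s} used by {n} rules" for s, n in sorted(sids.items()) if s and n > 1]
    return findings

def rule_for_alert(alert_line, rules):
    """Map the [gid:sid:rev] tag of a console alert back to the rule that fired, or None."""
    m = ALERT.search(alert_line)
    if not m:
        return None
    for r in rules:
        if r["options"].get("sid") == m["sid"] and r["options"].get("rev") == m["rev"]:
            return r
    return None
```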
Running Snort on PCAP Files
We saw how Snort can be used for intrusion detection on real-time traffic. However, you may sometimes encounter a scenario where you have historical network traffic logged in a file, and you have to perform a forensic investigation to determine any signs of intrusion through that traffic. This traffic is usually logged in the standard packet capture format “PCAP”. Snort is also equipped to perform detections on these PCAP files containing historical network traffic.
The following command with sudo privilege can be used to perform this action:
Running Snort on PCAP
ubuntu@tryhackme:~$ sudo snort -q -l /var/log/snort -r Task.pcap -A console -c /etc/snort/snort.conf
Note: Replace the “Task.pcap” with the path to your PCAP file for analysis.
Answer the questions below
4.1 Where is the main directory of Snort that stores its files?
Snort’s Main Directory: The main folder where Snort keeps all its important files is located at /etc/snort. Think of this like the “home base” for Snort, where it stores rule files, configuration settings, and other necessary files it needs to run.
Answer: /etc/snort
4.2 Which field in the Snort rule indicates the revision number of the rule?
Revision Number Field in a Snort Rule: In every Snort rule, there’s a part called rev, which stands for “revision.” This number tells us which version of the rule we’re using. If someone updates or improves the rule, the revision number will go up, helping us keep track of changes and improvements.
Answer: rev
4.3 Which protocol is defined in the sample rule created in the task?
Protocol in the Sample Rule: In the sample rule, we see the word ICMP, which is a type of protocol. ICMP is commonly used for things like “ping” commands to check if a computer is online. In this case, the rule is looking out for ICMP traffic to alert us when it’s detected.
Answer: ICMP
4.4 What is the file name that contains custom rules for Snort?
File with Custom Snort Rules: The custom rules we create for Snort are saved in a file called local.rules. This file is like a custom list of specific things we want Snort to watch for in our network, separate from the standard rules that come with Snort.
Answer: local.rules
Task 5 Practical Lab
Exercise
Scenario: You are a third-party forensic investigator. A company contacts you to investigate a recent attack on their network. They handed over a PCAP file named “Intro_to_IDS.pcap”, which contained the network traffic captured during the attack. Your task is to run Snort on this PCAP file and answer the questions given in this task.
Note: The PCAP file Intro_to_IDS.pcap is placed in the /etc/snort/ directory. You have to change your directory to /etc/snort and run the PCAP analysis command on that new PCAP file the same way as we did in task 4.
Answer the questions below
Navigate to the Snort directory:
Open the terminal and change to the /etc/snort directory, where the PCAP file is located:
cd /etc/snort
Run Snort on the PCAP file:
Use Snort to analyze the “Intro_to_IDS.pcap” file, outputting the results to the console:
sudo snort -q -r Intro_to_IDS.pcap -A console -c /etc/snort/snort.conf
This command tells Snort to read (-r) the PCAP file and display on the console any alerts raised by the rule files enabled through the snort.conf configuration file.
Analyze the Output
5.1 What is the IP address of the machine that tried to connect to the subject machine using SSH?
IP Address of the SSH Connection Attempt:
The IP address 10.11.90.211 is the one that tried to connect to the target computer using SSH (a way to remotely access a computer securely). This tells us where the attempt to access the network was coming from.
Answer: 10.11.90.211
5.2 What other rule message besides the SSH message is detected in the PCAP file?
Other Message Detected:
Besides the SSH connection alert, there was another message, “Ping Detected.” A ping is a type of message sent to check if another computer is reachable on the network. So, this alert means that someone was also trying to see if the target computer was responding.
Answer: Ping Detected
5.3 What is the sid of the rule that detects SSH?
SID (Signature ID) of the SSH Rule:
In Snort, each rule has a unique identifier called the SID, which helps us know which rule caused the alert. For the SSH detection rule, the SID is 1000002. This helps us specifically identify and refer to this SSH-related rule in Snort’s configuration.
Answer: 1000002