We covered an introduction to intrusion detection and prevention systems, operating and deployment modes such as inline mode, the difference between an IDS and an IPS, and the difference between network-based and host-based IDS. We also covered examples such as Snort and Wazuh and looked at sample rules. Lastly, we covered methods and techniques for bypassing and evading intrusion detection systems, such as protocol manipulation and payload modification. This was part of the TryHackMe Network Security Solutions red team pathway.
Highlights
An Intrusion Detection System (IDS) is a system that detects network or system intrusions. One analogy that comes to mind is a guard watching live feeds from different security cameras. He can spot a theft, but he cannot stop it by himself. However, if this guard can contact another guard and ask them to stop the robber, detection turns into prevention. An Intrusion Detection and Prevention System (IDPS) or simply Intrusion Prevention System (IPS) is a system that can detect and prevent intrusions.
Understanding the difference between detection and prevention is essential. Snort is a network intrusion detection and intrusion prevention system. Consequently, Snort can be set up as an IDS or an IPS. For Snort to function as an IPS, it needs some mechanism to block (drop) offending connections. This capability requires Snort to be set up as inline and to bridge two or more network cards.
IDS setups can be divided based on their location in the network into:
- Host-based IDS (HIDS)
- Network-based IDS (NIDS)
The host-based IDS (HIDS) is installed on an OS along with the other running applications. This setup will give the HIDS the ability to monitor the traffic going in and out of the host; moreover, it can monitor the processes running on the host.
The network-based IDS (NIDS) is a dedicated appliance or server to monitor the network traffic. The NIDS should be connected so that it can monitor all the network traffic of the network or VLANs we want to protect. This can be achieved by connecting the NIDS to a monitor port on the switch. The NIDS will process the network traffic to detect malicious traffic.
We can classify network traffic into:
- Benign traffic: This is the usual traffic that we expect to have and don’t want the IDS to alert us about.
- Malicious traffic: This is abnormal traffic that we don’t expect to see under normal conditions and consequently want the IDS to detect.
In the same way that we can classify network traffic, we can also classify host activity. The IDS detection engine is either built around detecting malicious traffic and activity or around recognizing normal traffic and activity. Recognizing “normal” makes it easy to detect any deviation from normal.
Consequently, the detection engine of an IDS can be:
- Signature-based: A signature-based IDS requires full knowledge of malicious (or unwanted) traffic. In other words, we need to explicitly feed the signature-based detection engine the characteristics of malicious traffic. Teaching the IDS about malicious traffic can be achieved using explicit rules to match against.
- Anomaly-based: This requires the IDS to have knowledge of what regular traffic looks like. In other words, we need to “teach” the IDS what normal is so that it can recognize what is not normal. Teaching the IDS about normal traffic, i.e., the baseline traffic, can be achieved using machine learning or manual rules.
Put in another way, signature-based IDS recognizes malicious traffic, so everything that is not malicious is considered benign (normal). This approach is commonly found in anti-virus software, which has a database of known virus signatures. Anything that matches a signature is detected as a virus.
An anomaly-based IDS recognizes normal traffic, so anything that deviates from normal is considered malicious. This approach is more similar to how human beings perceive things; you have certain expectations for speed, performance, and responsiveness when you start your web browser. In other words, you know what “normal” is for your browser. If suddenly you notice that your web browser is too sluggish or unresponsive, you will know that something is wrong. In other words, you knew it when your browser’s performance deviated from normal.
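To make the trade-off between the two engine types concrete, here is an added example (not code from the room, from Snort or from Wazuh) that runs a simplified signature engine and a simplified anomaly engine over the same constructed flows. The rule format (a protocol, destination port and payload content to match) is a deliberately stripped-down stand-in for a real Snort rule, the flow records and the baseline are constructed, and the three-standard-deviation threshold is an assumption. The point it shows is the one made above: the signature engine only fires on traffic it was explicitly taught about, while the anomaly engine only fires on traffic that deviates from the learned baseline, so each misses what the other catches.

```python
"""Signature-based vs anomaly-based detection over constructed sample flows.

Added example; the rule format is a simplified, Snort-like
(proto, dport, content) triple, and the anomaly threshold (k = 3 standard
deviations of bytes-per-flow) is an assumption, not a vendor default.
"""
import statistics
from dataclasses import dataclass


@dataclass
class Flow:
    src: str        # source IP (constructed)
    proto: str      # "tcp" / "udp"
    dst_port: int
    payload: bytes  # first bytes of the application payload
    nbytes: int     # total bytes carried by the flow


# Explicit knowledge of "bad": a signature engine can only match these.
SIGNATURES = [
    {"sid": 1000001, "proto": "tcp", "dport": 80,
     "content": b"/etc/passwd", "msg": "path traversal to /etc/passwd"},
    {"sid": 1000002, "proto": "tcp", "dport": 23,
     "content": b"ncat -lvnp", "msg": "bind shell launched over telnet"},
]

# Benign flows used to learn "normal" (constructed sizes, all ~500 bytes).
BENIGN_FLOWS = [
    Flow("10.0.0.9", "tcp", 80, b"GET / HTTP/1.1", n)
    for n in (500, 520, 480, 510, 490, 505, 495, 515)
]

# Flows to inspect: one benign, one known-bad, one novel, one both.
SAMPLE_FLOWS = [
    Flow("10.0.0.1", "tcp", 80, b"GET /index.html HTTP/1.1", 498),
    Flow("10.0.0.2", "tcp", 80, b"GET /view?file=../../etc/passwd HTTP/1.1", 510),
    Flow("10.0.0.3", "tcp", 80, b"POST /upload HTTP/1.1", 9000),
    Flow("10.0.0.4", "tcp", 23, b"ncat -lvnp 1234 -e /bin/bash", 60),
]


def signature_detect(flows, rules=SIGNATURES):
    """Return (sid, msg, src) for every flow that matches an explicit rule."""
    alerts = []
    for f in flows:
        for r in rules:
            if (f.proto == r["proto"] and f.dst_port == r["dport"]
                    and r["content"] in f.payload):
                alerts.append((r["sid"], r["msg"], f.src))
    return alerts


def build_baseline(normal_flows):
    """Learn "normal" from benign flows: mean and stddev of bytes per flow."""
    sizes = [f.nbytes for f in normal_flows]
    return {"mean": statistics.mean(sizes), "stdev": statistics.pstdev(sizes)}


def anomaly_detect(flows, baseline, k=3.0):
    """Return (src, nbytes, zscore) for flows more than k stddevs from the mean.

    No rule describes the attack here; the engine only knows what normal is.
    """
    alerts = []
    for f in flows:
        z = (f.nbytes - baseline["mean"]) / baseline["stdev"]
        if abs(z) > k:
            alerts.append((f.src, f.nbytes, round(z, 1)))
    return alerts


def classify(flows, baseline, rules=SIGNATURES):
    """Map each source to the sorted list of engines that flagged it."""
    by_sig = {src for _, _, src in signature_detect(flows, rules)}
    by_ano = {src for src, _, _ in anomaly_detect(flows, baseline)}
    return {
        f.src: sorted((["signature"] if f.src in by_sig else [])
                      + (["anomaly"] if f.src in by_ano else []))
        for f in flows
    }


if __name__ == "__main__":
    baseline = build_baseline(BENIGN_FLOWS)
    for src, engines in classify(SAMPLE_FLOWS, baseline).items():
        print(f"{src}: {engines or ['not flagged']}")
```

Reading the output: 10.0.0.2 is a normal-sized request that happens to carry a known-bad string, so only the signature engine sees it; 10.0.0.3 carries nothing any rule describes, so only the anomaly engine sees it, because its size is far outside the learned baseline. This is why production deployments combine both, and why a signature engine (like anti-virus) needs continuous rule updates while an anomaly engine needs a clean, representative baseline.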
Room Answers
What do you call a system that can detect malicious activity but not stop it?
What kind of IDS engine needs to learn what normal traffic looks like instead of malicious traffic?
What kind of IDS engine needs to be updated constantly as new malicious packets and activities are discovered?
What is the IP address running the port scan?
10.10.112.168
We use the following Nmap command, nmap -sU -F MACHINE_IP, to launch a UDP scan against our target. What is the option we need to add to set the source port to 161?
The target allows Telnet traffic. Using ncat, how do we set a listener on the Telnet port?
We are scanning our target using nmap -sS -F MACHINE_IP. We want to fragment the IP packets used in our Nmap scan so that the data size does not exceed 16 bytes. What is the option that we need to add?
Start the AttackBox and the attached machine. Consider the following three types of Nmap scans:
- -sX for Xmas scan
- -sF for FIN scan
- -sN for Null scan
Which of the above three arguments would return meaningful results when scanning MACHINE_IP?
What is the option in hping3 to set a custom TCP window size?
Using base64 encoding, what is the transformation of cat /etc/passwd?
The base32 encoding of a particular string is NZRWC5BAFVWCAOBQHAYAU===. What is the original string?
Using the provided openssl command above, you created a certificate, which we gave the extension .crt, and a private key, which we gave the extension .key. What is the first line in the certificate file?
What is the last line in the private key file?
On the attached machine from the previous task, browse to http://MACHINE_IP:8080, where you can write your Linux commands. Note that no output will be returned. A command like ncat -lvnp 1234 -e /bin/bash will create a bind shell that you can connect to from the AttackBox using ncat MACHINE_IP 1234; however, some IPS is filtering out the command we are submitting on the form. Using one of the techniques mentioned in this task, try to adapt the command typed in the form to run properly. Once you connect to the bind shell using ncat MACHINE_IP 1234, find the user’s name.
Which variable would you modify to add a random sleep time between beacon check-ins?