- IDS - Intrusion Detection System: inspects traffic and raises alerts only (Splunk is a SIEM that collects and searches IDS alerts and logs, not an IDS itself)
- IPS - Intrusion Prevention System: sits inline and can drop the offending traffic
hping (hping3) - lets you craft your own packets
- Example: hping3 -S 192.168.1.1 -p 80 #TCP SYN to port 80 (uppercase -S is SYN; lowercase -s sets the source port)
- Example: nmap -sS 192.168.1.1 -p 80 #nmap SYN scan of the same port, for comparison
- Fragmentation attack: -f splits each packet into IP fragments, which can slip past a filter or IDS that does not reassemble fragments (Snort's frag3 preprocessor reassembles them)
- Example: hping3 -f 192.168.1.1 -p 80
- A large payload is spread across the fragments; -E reads the payload from a file and -d sets how many bytes of payload to send
- Example: hping3 -f 192.168.1.1 -p 80 -E /var/evil.exe -d 100 #without -d the data size stays 0 and nothing from the file is sent
- Exercise: create a text file and send its contents as the payload
- Example: hping3 -f 192.168.1.1 -p 80 -d 10 #payload of 10 bytes (filler unless -E supplies a file)
snort - included in Security Onion
- snort getting started
- Does both IDS and IPS (inline mode)
- Free (registered) ruleset is 30 days behind the subscriber release
- Paid (subscriber) ruleset gets new rules immediately
- Snort can be added to an open-source firewall like pfSense
- setting up the environment
- Setting up rules: Snort reads its rules at startup, so each rule change requires a restart (or reload) of Snort before it takes effect
suricata - Suricata is a free and open source, fast and robust network threat detection engine.
Security Onion setup choices:
- Static or dynamic (DHCP) IP
- 4 or 8 GB RAM
- Evaluation or Production mode
You can check the status of your running services with the sostat utilities:
'sudo sostat' will give you DETAILED information about your service status.
'sudo sostat-quick' will give you a guided tour of the sostat output.
'sudo sostat-redacted' will give you REDACTED information to share with our mailing list if you have questions.
Exercise: alert on ping replies, but only if the request/reply has a payload with my name in it.
Rules can be:
- one direction, ->
- both directions, <>
Rule format: action protocol src_ip src_port direction dst_ip dst_port (options), for example
'alert tcp $HOME_NET any -> 192.168.1.1 80 (options)'
To make Snort load the local rules on Security Onion:
vi /etc/nsm/pulledpork/pulledpork.conf and remove "local.rules" from the line ignore=deleted.rules,... (PulledPork otherwise skips the local rules file)
snort rules review
content:"david"; looks for the string david in the packet payload
content has no alternation: "david|sam" does not mean david or sam (inside content, pipes delimit hex bytes, so that string does not even parse); for an OR use pcre:"/david|sam/"; or write two rules
"|64 61 76 69 64|" bytes written in hex between pipes match raw binary data; "david" and "|64 61 76 69 64|" are the same match, and text and hex can be mixed in one content string
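Added example rules for the ping exercise and the content/pcre/hex points above. They are written here for this page, not taken from the course notes or the Snort project; the msg text, the sid numbers (chosen from the 1000000+ local range) and the use of $HOME_NET are assumptions, and "david" is the name from the exercise.

```snort
# Ping reply (ICMP type 0) whose payload contains "david" - the exercise above
alert icmp any any -> $HOME_NET any (msg:"ICMP echo reply with name in payload"; itype:0; content:"david"; nocase; sid:1000001; rev:1;)

# Same check on the request (ICMP type 8) so both halves of the exchange are covered
alert icmp $HOME_NET any -> any any (msg:"ICMP echo request with name in payload"; itype:8; content:"david"; nocase; sid:1000002; rev:1;)

# "david or sam": content cannot express OR, so use pcre (bidirectional rule with <>)
alert icmp any any <> any any (msg:"ICMP payload with david or sam"; pcre:"/david|sam/i"; sid:1000003; rev:1;)

# Bytes between pipes are hex: this is exactly the same match as content:"david"
alert icmp any any <> any any (msg:"ICMP payload with david (hex form)"; content:"|64 61 76 69 64|"; sid:1000004; rev:1;)

# Text and hex mixed in one content: the start of a DOS/PE header (4D 5A 90 00 03 00) coming back from a web server
alert tcp any 80 -> $HOME_NET any (msg:"Executable (MZ header) over HTTP"; flow:to_client,established; content:"MZ|90 00 03 00|"; sid:1000005; rev:1;)
```

On Security Onion these go in /etc/nsm/rules/local.rules; run sudo rule-update afterwards so PulledPork merges them and Snort is restarted (the restart mentioned above). To trigger the first two rules, put the name in the echo payload, e.g. ping -p 6461766964 <target> on Linux (the pattern is hex for "david"), or hping3 -1 <target> -E name.txt -d 5 where name.txt holds the name (-1 is hping's ICMP mode).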
NIDS = Network-based intrusion detection system, inspects packets on the wire (network defense)
HIDS = Host-based intrusion detection system, detects changes to the system configuration or filesystem
- can also watch registry keys on Windows
Know the location of the files we modified in Security Onion
Honeypot: a single decoy host versus a whole decoy network (honeynet)
Use as a decoy and monitor it for attack activity.
For e-commerce, if traffic is detected from a scraping bot (such as Amazon's), redirect it to a shadow site with higher prices for the bot to crawl.
A honeypot can be set to record all of the user's interactions.