Cyber Tools - Defense

  • IDS - Intrusion Detection System (Splunk)
  • IPS - Intrusion Prevention System

hping - lets you craft your own packets (the current version is hping3)

  • Example (TCP SYN to port 80): hping3 -S -p 80 <target>
  • Example (nmap SYN scan of port 80): nmap -sS -p 80 <target>
  • Fragmentation attack: split the packet into IP fragments
  • Example: hping3 -f -p 80 <target>
  • For large payloads it is better to fragment them
  • Example: hping3 -f -E /var/evil.exe -d 10 <target>  #note -E fills the payload from the file and -d sets how many bytes of it to send (without -d the data size is 0); optionally you could specify -p 80
  • We will create a text file and then send it as the payload
  • Example: hping3 -f -p 80 -d 10 <target>  #specify a payload size of 10 bytes

snort - included in Security Onion

  • snort getting started
  • Does both IDS and IPS
  • Free version's rule set is a month behind
  • Paid version gets new rules immediately
  • Snort can be added to an open-source firewall like pfSense
  • Setting up the environment
  • Setting up rules: each rule change requires a restart of Snort

suricata - Suricata is a free and open source, fast and robust network threat detection engine.

Setup Onion

Static or dynamic IP

4 or 8 GB RAM

Evaluation or Production


You can check the status of your running services with the sostat utilities:
'sudo sostat' will give you DETAILED information about your service status.
'sudo sostat-quick' will give you a guided tour of the sostat output.
'sudo sostat-redacted' will give you REDACTED information to share with our mailing list if you have questions.



Filter ping reply, but only if the request/reply has a payload with my name in it.

Rules can be:

one direction, ->

both directions, <>

General shape (source IP/port, direction, destination IP/port, then the options in parentheses):

'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (options)'

To fix Snort local rules:

vi /etc/nsm/pulledpork/pulledpork.conf and remove "local.rules" from the ignore=deleted.rules... line

snort rules review

content:"david";  look for the literal string david

"david|sam"  NOT david or sam: inside a content string the pipe delimits hex bytes, so this is a syntax error; alternation needs two rules or pcre:"/david|sam/";

"|binary|"  bytes written in hex between pipes, e.g. "|90 90|"

"text|binary|text"  literal text and hex bytes can be mixed, e.g. "dav|69 64|" matches david
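The exercise above (alert on a ping reply only if the payload carries a name) and the content syntax, as an added example that is not part of the course notes: the Snort rule is given in a comment, and the Python below re-implements its two checks (ICMP type, then content match) on a constructed ICMP packet so you can see what a content string with |hex| blocks actually matches. The rule's msg and sid values and the packet contents are assumed/constructed; "david" is the name used in the notes.

```python
import struct

# Snort rule for the exercise (assumed msg/sid values; "david" is the name from the notes):
# alert icmp any any <> $HOME_NET any (msg:"ICMP echo reply with name in payload"; \
#     itype:0; content:"david"; nocase; sid:1000001; rev:1;)


def parse_content(spec: str) -> bytes:
    """Convert a Snort content string to the bytes it matches.
    Text outside |...| is literal; text inside pipes is hex bytes,
    so "dav|69 64|" is the same as "david". An odd pipe count is an error,
    which is why "david|sam" is not 'david or sam'."""
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced | in content: %r" % spec)
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2:                      # inside pipes: hex bytes
            out += bytes.fromhex(part.replace(" ", ""))
        else:                          # outside pipes: literal text
            out += part.encode("latin-1")
    return bytes(out)


def build_icmp(itype: int, payload: bytes) -> bytes:
    """Constructed ICMP packet: type, code, checksum (left 0), id, seq, payload."""
    return struct.pack("!BBHHH", itype, 0, 0, 0x1234, 1) + payload


def rule_matches(icmp_packet: bytes, itype: int, content: str, nocase: bool = False) -> bool:
    """Apply the rule's checks: ICMP type (itype), then content in the payload."""
    if len(icmp_packet) < 8 or icmp_packet[0] != itype:
        return False
    payload = icmp_packet[8:]
    needle = parse_content(content)
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload


if __name__ == "__main__":
    reply = build_icmp(0, b"ping from DAVID's laptop")          # echo reply, type 0
    request = build_icmp(8, b"david")                           # echo request, type 8
    print(rule_matches(reply, 0, "david", nocase=True))         # True: reply carrying the name
    print(rule_matches(request, 0, "david"))                    # False: itype:0 skips requests
    print(rule_matches(reply, 0, "dav|69 64|", nocase=True))    # True: "id" given as hex bytes
```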


NIDS = Network-based intrusion detection system, looks at packets (network defense)

HIDS = Host-based intrusion detection system, detects changes to the system configuration or filesystem

HIDS can also watch registry keys


Know the location of the files we modified in Security Onion


Comparing Honeypots and Honeynets

Single host versus a network

Used as a decoy to monitor for attack activity.

For e-commerce, if traffic from a bot like Amazon's is detected, redirect it to a shadow site with higher prices for the bot to crawl.

A honeypot can be set to record all the user interactions.

T-Pot: A Multi-Honeypot Platform - DTAG Community Honeypot Project