Instructions
NIDS are the most popular tools for monitoring network traffic. There is clearly a fine line between raising alerts for every single packet or flow and raising alerts only for highly specific traffic. This assignment is meant to get you acquainted with Suricata IDS. Perform the following:

  • The first one is easy. Many viruses have specific signatures that can be seen either when they are being downloaded (e.g., an HTTP download of an exe file) or, once they are installed, through specific communication patterns (specific payloads). While executables can be detected based on their hex or hash values, network patterns need specific hex signatures. Since most viruses already have signatures that can be found online (not ideal for an assignment), your first task is instead to develop a policy signature that detects HTTP PNG downloads. Your signature's msg (very important) should be: POLICY HTTP Portable network graphics downloaded. IMPORTANT: do NOT use filemagic (that would be too easy).



  • Alright, let's look for something more realistic: binary files encoded with Base64 in HTTP downloads. In ex2.pcap there is a good example of this, where the binary (encoded in Base64) is meant to be executed through PowerShell. Build a policy that alerts us whenever we see Base64 in inbound HTTP traffic. Signature msg should be: POLICY HTTP Base64 encoding detected. You will need Perl-compatible regular expressions for this one. Use an online regex test service while building your pattern.



  • Create a Suricata alert that can detect an inbound port scan on port numbers below 1024. Use a Suricata alert to detect a potential slow port scan (hint: you will need to use threshold: type threshold, track by_src, ...). Use nmap.pcap to help you test (or the actual command from the terminal). The signature msg should be: SCAN nmap -sS.



  • Alright, time for some Lua scripting. Remember those weird domain name requests in ex1.pcap that are the likely result of DGA. One way to detect such traffic (which would be wise) is through the use of Shannon's Entropy on the domain's alphanumeric and - (minus) characters. You need to omit . (periods). Look up what a string's maximum entropy could be and it will make sense why. Lua scripts attach to a Suricata rule and their output is either return 0 or return 1 (guess which one raises an alert). Look for the Lua scripting reference in Suricata's online manual. For simplicity, let us forget that multiple DNS queries could be stacked in one DNS payload. Raise an alert if a domain name's entropy is more than 3 and is at least 85% of the max possible entropy for that string length. For capturing domain names you will need to use patterns in Lua to find domain names in the payload (there is also an option for accessing this through Lua). Signature msg should be: POLICY DNS Domain name request with entropy > 3 and at least 85% of max entropy. TIP: use print in Lua to output different results as you are testing your patterns.
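As an added example (my code, not the assignment's or Suricata's), here is a processdns.lua in the shape of Suricata's legacy Lua detect API that walks the first QNAME label by label, strips everything but alphanumerics and '-', and applies the entropy > 3 and 85%-of-maximum rule. It assumes the raw UDP DNS message is exposed as args["payload"], a 37-symbol alphabet [A-Za-z0-9-] so that the maximum entropy of an n-character name is log2(min(n, 37)), and a rule such as: alert dns any any -> any any (msg:"POLICY DNS Domain name request with entropy > 3 and at least 85% of max entropy"; lua:processdns.lua; sid:1000004; rev:1;) with an assumed sid.

```lua
-- processdns.lua: added example, not the assignment's or Suricata's own code.
-- Alerts when a DNS query name's Shannon entropy is above 3 bits and at least
-- 85% of the maximum reachable at that length. Assumed: Suricata's legacy Lua
-- detect API (init/match, return 1 = alert), a UDP DNS message in args["payload"],
-- alphabet [A-Za-z0-9-] (37 symbols), so max entropy for n chars is log2(min(n, 37)).
local ALPHABET_SIZE = 37
local function log2(x) return math.log(x) / math.log(2) end  -- Lua 5.1/LuaJIT safe

-- Shannon entropy (bits) of the characters of s.
local function entropy(s)
    local n, counts = #s, {}
    for i = 1, n do
        local c = s:sub(i, i)
        counts[c] = (counts[c] or 0) + 1
    end
    local h = 0
    for _, k in pairs(counts) do
        local p = k / n
        h = h - p * log2(p)
    end
    return h
end

-- Walk the length-prefixed QNAME after the 12-byte header (wire format has no periods).
local function first_qname(payload)
    local pos, name = 13, ""
    while pos <= #payload do
        local len = payload:byte(pos)
        if len == 0 or len > 63 then break end  -- end of name / not a plain label
        name = name .. payload:sub(pos + 1, pos + len)
        pos = pos + len + 1
    end
    return (name:gsub("[^%w%-]", ""))  -- Lua pattern: keep only [A-Za-z0-9-]
end
function init(args)
    local needs = {}
    needs["payload"] = tostring(true)  -- ask Suricata for the raw payload buffer
    return needs
end

function match(args)
    local payload = args["payload"]
    if payload == nil then return 0 end
    local name = first_qname(payload)
    local h = entropy(name)
    if h > 3 and h >= 0.85 * log2(math.min(#name, ALPHABET_SIZE)) then
        return 1  -- raise the alert
    end
    return 0
end
```

Run it with the page's test command against ex1.pcap; a print(name, h) inside match shows each name's score while you tune the thresholds.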










What to use for the assignment

You can utilize VirtualBox (or some other VM) to build your testing machines. Lab computers may be more appropriate if you load demanding machines. Useful distros include:





















  • SecurityOnion: https://securityonion.net/
  • Kali: https://www.kali.org/

SO is by far the most demanding, requiring a minimum of 8GB if the ELK stack is utilized. With SELKS, you can get away with 3GB. Kali is useful for pentests, but many of these you can initiate from your host computer. If you do not have sudo access on the host machine, check this guide if you need to build several tools from source: Installing with no sudo access









What to submit

  • In your repository include the following files only: suricata.yaml, local.rules, processdns.lua, nmap.pcap, ex1.pcap, ex2.pcap.
  • Your code will be tested using the following command: suricata -c suricata.yaml -r badpcap.pcap. This means that all your configuration and files need to be self-contained in the same directory and pointed to from suricata.yaml.
  • suricata.yaml will be a downsized version of the configuration file. It will need to point to local.rules.
  • local.rules will contain 4 rules that detect the different scenarios. One of the rules will also be pointing to your processdns.lua script for the domain entropy calculations.



Posted Feb 15, 2023; answered by Syed on Feb 18, 2023.