16. Develop and tune an IDS sensor for an operational environment

Introduction

Intrusion detection is one of the modern ways of finding Indicators of Compromise, and a must for an enterprise of any size that wants to know whether its network is safe and secure. Intrusion Detection Systems (IDS) are mostly divided into network-based (NIDS) and host-based (HIDS) systems. The important difference is that a HIDS usually monitors log files, while a NIDS monitors network traffic.

Suricata

This semester I wanted to learn more about Suricata alerts and how to write my own, so that is what I did for my group assignment. The context is a Red vs. Blue CTF-style game: I wrote Suricata rules that make 'fake' alerts appear in our SOC. In those alerts I hid flags in the rule metadata and other enrichment data.

Custom rules

# Flag 1 - adapted from ET rule 2006446 (UNION ... SELECT in the request URI); the flag partial is hidden in the metadata
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"Alert Possible SQL Injection Attack"; flow:established,to_server; content:"UNION"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,doc.emergingthreats.net/2006446; classtype:web-application-attack; sid:2006446; rev:13; metadata:affected_product flag_1_partial_1={RDMk}, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_01;)

# Flag 2 - matches the DVWA stored-XSS path anywhere in the HTTP payload (no http_uri modifier)
alert http any any -> any any (msg:"High Alert XSS attack detected on Train entrance system(s)"; reference:url,172.16.1.15:5002/vulnerabilities/xss_s; content:"vulnerabilities/xss_s"; metadata:former_category flag_2_partial_1={0pr}; sid:5;)

# Flag 3 - matches the admin panel path in the request URI; no flag in this one
alert http any any -> any any (msg:"Suricata: Alert - CSRF attack detected on Train Communication system(s)"; reference:url,172.16.1.15/adminpanel/index.html; content:"adminpanel/index.html"; http_uri; sid:50;)

# Flag 4 - flag partial stored under a made-up metadata key
alert http any any -> any any (msg:"Web Application Firewall Alert(s): Weak ID detected on Railway Systems"; metadata: former_category flag_4_partial_1={Fm1A}; reference:url,172.16.15:5004/vulnerabilities/weak_id; content:"vulnerabilities/weak_id"; http_uri; sid:500;)

# Flag 5
alert http any any -> any any (msg:"HIGH ALERT: Malicious Javascript Injection detected on Train Acceleration systems"; metadata: former_category flag_5_partial_1={U25}; reference:url,"172.16.15:5005/vulnerabilities/javascript"; content:"vulnerabilities/javascript"; http_uri; sid:5000;)

# Flag 6 - second partial is base64-encoded in the metadata; http_uri follows the content it modifies.
# classtype values must be defined in classification.config, otherwise Suricata warns and falls back to defaults.
alert http any any -> any any (msg:"EXTREMELY CRITICAL ALERT: Command Injection detection on Collision Systems"; reference:url,172.16.15:5006/vulnerabilities/exec; content:"vulnerabilities/exec"; http_uri; metadata: by flag_6_partial_1={RuR}, filename base64(d2VfYXJlX2xlZ2lvbl9mbGFnXzZfcGFydGlhbF8yPXtYQTR9); reference:url,www.base64.com; classtype:command-injection; priority: 12; sid: 50000;)

These are the rules I wrote for our group assignment; they contain the first portions of the flags that the blue team needs to acquire. How did I make this? See the screenshot below.
https://i.imgur.com/pmDEGwd.png

  1. Terminal 1: the file holding the actual rules, opened with:

vi /etc/suricata/rules/local.rules

  2. Terminal 2: used to test whether a rule was being triggered; with curl I could trigger many of my own alerts.

  3. Terminal 3: the crontab used to periodically trigger one of the alerts:

crontab -e

  4. Terminal 4: tails the Suricata alert file to see whether the rule was successfully triggered:

tail -f /var/log/suricata/fast.log

To get an idea of what a rule should look like, I triggered real Suricata rules, inspected their headers, metadata, etc., made a copy and adjusted it to my own needs.
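The workflow above (write rules in local.rules, trigger them with curl, watch fast.log) is easy to get wrong by eye: a typo in a metadata key, a duplicate sid, or a rule that never fires all look the same in a scrolling terminal. The script below is an added example, not code from the original write-up: it parses a rules file with the same tokenizer logic Suricata applies (options are `keyword:value;` pairs, with `;` allowed inside quotes), pulls the flag partials out of the metadata keyword (decoding the `base64(...)` wrapper used in flag 6), lints the rules for missing sid/rev/classtype and misplaced `http_uri`, and then cross-checks a fast.log capture to report how many times each sid fired. The sample rules are three of the page's own rules (flags 2, 3 and 6); the fast.log lines are constructed in the format Suricata writes, and the `flag_N_partial_M={...}` naming is the page's own convention, not a Suricata feature.

```python
"""Parse Suricata rules, pull out metadata, and check fast.log coverage (added example)."""
import base64
import re
from collections import Counter

# Constructed sample input: three rules copied from the page's local.rules (flags 2, 3 and 6).
SAMPLE_RULES = r'''
# Flag 2
alert http any any -> any any (msg:"High Alert XSS attack detected on Train entrance system(s)"; reference:url,172.16.1.15:5002/vulnerabilities/xss_s; content:"vulnerabilities/xss_s"; metadata:former_category flag_2_partial_1={0pr}; sid:5;)
# Flag 3
alert http any any -> any any (msg:"Suricata: Alert - CSRF attack detected on Train Communication system(s)"; reference:url,172.16.1.15/adminpanel/index.html; content:"adminpanel/index.html"; http_uri; sid:50;)
# Flag 6
alert http any any -> any any (msg:"EXTREMELY CRITICAL ALERT: Command Injection detection on Collision Systems"; reference:url,172.16.15:5006/vulnerabilities/exec; content:"vulnerabilities/exec"; http_uri; metadata: by flag_6_partial_1={RuR}, filename base64(d2VfYXJlX2xlZ2lvbl9mbGFnXzZfcGFydGlhbF8yPXtYQTR9); classtype:command-injection; priority: 12; sid: 50000;)
'''

# Constructed sample fast.log lines (one alert per line, as tailed in terminal 4); only sid 50 fired.
SAMPLE_FASTLOG = '''
05/12/2021-14:03:11.123456  [**] [1:50:1] Suricata: Alert - CSRF attack detected on Train Communication system(s) [**] [Classification: (null)] [Priority: 3] {TCP} 172.16.1.20:51234 -> 172.16.1.15:80
05/12/2021-14:03:12.654321  [**] [1:50:1] Suricata: Alert - CSRF attack detected on Train Communication system(s) [**] [Classification: (null)] [Priority: 3] {TCP} 172.16.1.20:51235 -> 172.16.1.15:80
'''

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
FLAG_RE = re.compile(r'(flag_\d+_partial_\d+)=(\{[^}]*\})')   # the page's flag naming convention
B64_RE = re.compile(r'^base64\(([A-Za-z0-9+/=]+)\)$')
FASTLOG_RE = re.compile(r'\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]')  # [gid:sid:rev] msg


def split_options(body):
    """Split the option body on ';' outside double quotes into ordered (keyword, value) pairs."""
    options, current, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ';' and not in_quotes:
            token = ''.join(current).strip()
            if token:
                key, _, value = token.partition(':')
                options.append((key.strip(), value.strip()))
            current = []
        else:
            current.append(ch)
    return options


def parse_rules(text):
    """Parse non-comment lines into dicts with header fields, the ordered option list, and a lookup dict."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError('unparseable rule: ' + line[:60])
        action, proto, src, sport, direction, dst, dport, body = m.groups()
        options = split_options(body)
        # 'opt' keeps only the last value of repeated keywords (content, reference); fine for sid/rev/classtype.
        rules.append({'action': action, 'proto': proto, 'src': src, 'sport': sport, 'dir': direction,
                      'dst': dst, 'dport': dport, 'options': options, 'opt': dict(options)})
    return rules


def metadata_pairs(rule):
    """Return the comma-separated 'key value' entries of the metadata keyword as (key, value) tuples."""
    pairs = []
    for key, value in rule['options']:
        if key == 'metadata':
            for entry in value.split(','):
                name, _, val = entry.strip().partition(' ')
                pairs.append((name, val.strip()))
    return pairs


def extract_flags(rules):
    """Collect flag partials hidden in metadata values, decoding base64(...) wrappers first."""
    flags = {}
    for rule in rules:
        for _, val in metadata_pairs(rule):
            b = B64_RE.match(val)
            if b:
                val = base64.b64decode(b.group(1)).decode('utf-8', 'replace')
            for name, part in FLAG_RE.findall(val):
                flags[name] = part
    return flags


def lint(rules):
    """Return (sid, issue) tuples for the checks worth running before loading a rule into Suricata."""
    issues = []
    sids = Counter(r['opt'].get('sid') for r in rules)
    for r in rules:
        sid = r['opt'].get('sid', '?')
        if 'sid' not in r['opt']:
            issues.append((sid, 'missing sid'))
        elif sids[sid] > 1:
            issues.append((sid, 'duplicate sid'))
        if 'rev' not in r['opt']:
            issues.append((sid, 'missing rev (needed to track rule updates)'))
        if 'classtype' not in r['opt']:
            issues.append((sid, 'missing classtype (alert gets default priority 3)'))
        keys = [k for k, _ in r['options']]
        if 'http_uri' in keys and 'content' not in keys[:keys.index('http_uri')]:
            issues.append((sid, 'http_uri has no preceding content keyword'))
    return issues


def coverage(rules, log_text):
    """Map each rule's sid to how often it appears in fast.log; zero means the curl test never hit it."""
    hits = Counter(m.group(2) for m in (FASTLOG_RE.search(l) for l in log_text.splitlines()) if m)
    return {r['opt']['sid']: hits.get(r['opt']['sid'], 0) for r in rules if 'sid' in r['opt']}


if __name__ == '__main__':
    rules = parse_rules(SAMPLE_RULES)
    print('flags:', extract_flags(rules))
    for sid, issue in lint(rules):
        print(f'sid {sid}: {issue}')
    print('coverage:', coverage(rules, SAMPLE_FASTLOG))
```

Running it on the sample prints the three flag partials (including the decoded base64 one), flags every rule for the missing rev and the two without a classtype, and reports that only sid 50 fired, which is exactly the list of rules still left to exercise with curl. Before deploying a changed local.rules I would also run Suricata's own syntax check, `suricata -T -S /etc/suricata/rules/local.rules`, since this linter only catches structural mistakes, not keyword errors that Suricata itself rejects.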