17 - Evading IDS, Firewalls, and Honeypots

An intrusion detection system (IDS) is a device or software application that monitors network and/or system activity for malicious activity or policy violations and reports what it finds to a management station. Some systems may also attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system; a system that blocks traffic inline is an intrusion prevention system (IPS).

Module Objective

The objective of this lab is to help students learn to detect intrusions in a network, log the resulting alerts, and view the log files. In this lab, you will learn how to:

  • Install and configure Snort IDS
  • Run Snort as a service
  • Send Snort alerts to a Kiwi Syslog server
  • Write Snort alerts to two output sources simultaneously

Scenario

Because intrusions are growing in number and the Internet and local networks have become so ubiquitous, organizations are increasingly implementing systems that monitor for IT security breaches. Intrusion detection systems (IDSes) have recently gained a considerable amount of interest. An IDS is a defence system that detects hostile activity in a network. The key is to detect, and possibly prevent, activity that may compromise system security, including a hacking attempt in progress and its reconnaissance/data-collection phases, such as port scans. One key feature of intrusion detection systems is their ability to provide a view of unusual activity, issue alerts notifying administrators, and/or block a suspected connection. According to Amoroso, intrusion detection is a “process of identifying and responding to malicious activity targeted at computing and networking resources.” In addition, IDS tools are capable of distinguishing between insider attacks originating from inside the organization (from its own employees or customers) and external ones (attacks and the threat posed by hackers). (Source: http://www.windowsecurity.com)

In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network intrusion prevention systems (IPSes), IDSes, malicious network activity, and log information.

I. Detecting Intrusions using Snort

The trade of the intrusion detection analyst is to find possible attacks against their network. The past few years have witnessed significant increases in DDoS attacks on the Internet, making network security a great concern. Analysts find attacks by reviewing IDS logs and packet captures and corroborating them with firewall logs, known vulnerabilities, and general trending data from the Internet. As attacks become more sophisticated, automatically reasoning about attack scenarios in real time and categorizing them becomes a critical challenge. These sources produce huge amounts of data, and from this data analysts must look for some kind of pattern. However, the overwhelming flow of events generated by IDS sensors makes it hard for security administrators to uncover hidden attack plans.

In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network IPSes, IDSes, malicious network activity, and log information.

Lab Objectives

The objective of this lab is to familiarize students with IPSes and IDSes.

In this lab, you need to:

  • Install Snort and verify Snort alerts
  • Configure and validate snort.conf file
  • Test the working of Snort by carrying out an attack test
  • Perform intrusion detection
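The lab steps above (configure and validate the rule set, run Snort over traffic, and fan each alert out to a local alert file and a Kiwi Syslog server at the same time) can be traced through with the following added example. It is not Snort's own code and not part of the lab: it is a small Python matcher that reads Snort 2.x-style rules (action, protocol, source and destination addresses and ports, the direction operator, and the msg/content/nocase/sid/rev options), checks them against packets, and writes every hit to two sinks modelled on the alert_fast and alert_syslog output plugins. The rules, the packets, and the HOME_NET/EXTERNAL_NET/HTTP_PORTS values are constructed for the demonstration; the syslog sink is a list standing in for a UDP/514 sender.

```python
"""Minimal Snort-style rule matcher that writes each alert to two outputs at once.

Added example, not Snort's own code and not part of the lab. Rules, packets and
variable values are constructed; the syslog sink is a list standing in for a
UDP/514 sender such as Kiwi Syslog. Only plain-text content matching is modelled.
"""
import ipaddress
import re
from collections import namedtuple

VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!192.168.1.0/24", "HTTP_PORTS": "80"}  # assumed values
SYSLOG_AUTH, SYSLOG_ALERT = 4, 1  # "output alert_syslog: LOG_AUTH LOG_ALERT" -> RFC 3164 PRI <33>
Packet = namedtuple("Packet", "proto src sport dst dport payload")  # sport/dport are 0 for icmp
Rule = namedtuple("Rule", "action proto src sport direction dst dport opts")

HEADER_RE = re.compile(r"^(alert|log|pass)\s+(tcp|udp|icmp|ip)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$")
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')  # key:"v"; key:v; or bare nocase;

def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: " + text)
    opts = {k: v.strip().strip('"') for k, v in OPTION_RE.findall(m.group(8))}
    return Rule(*m.groups()[:7], opts)

def _expand(spec):
    return VARS[spec[1:]] if spec.startswith("$") else spec

def addr_match(spec, ip):
    spec = _expand(spec)
    if spec == "any":
        return True
    if spec.startswith("!"):        # negation, e.g. EXTERNAL_NET = !HOME_NET
        return not addr_match(spec[1:], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_match(spec, port):
    spec = _expand(spec)
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_match(spec[1:], port)
    return port == int(spec)

def header_match(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    fwd = (addr_match(rule.src, pkt.src) and port_match(rule.sport, pkt.sport)
           and addr_match(rule.dst, pkt.dst) and port_match(rule.dport, pkt.dport))
    if fwd or rule.direction == "->":
        return fwd
    # "<>" is bidirectional: retry with the packet's endpoints swapped
    return (addr_match(rule.src, pkt.dst) and port_match(rule.sport, pkt.dport)
            and addr_match(rule.dst, pkt.src) and port_match(rule.dport, pkt.sport))

def options_match(rule, pkt):
    """Plain-text content only (no |hex| bytes, depth or offset modifiers)."""
    content = rule.opts.get("content")
    if content is None:
        return True
    needle, hay = content.encode(), pkt.payload
    if "nocase" in rule.opts:
        needle, hay = needle.lower(), hay.lower()
    return needle in hay

def detect(rules, packets):
    """Return (rule, packet) pairs for every alert rule each packet matches."""
    return [(rule, pkt) for pkt in packets for rule in rules
            if rule.action == "alert" and header_match(rule, pkt) and options_match(rule, pkt)]

def format_alert(rule, pkt):
    """Return (alert_fast-style line, alert_syslog-style line) for one hit."""
    ident = f"[1:{rule.opts.get('sid', '0')}:{rule.opts.get('rev', '0')}] {rule.opts.get('msg', '')}"
    endpoints = f"{{{pkt.proto.upper()}}} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
    return (f"[**] {ident} [**] {endpoints}",
            f"<{SYSLOG_AUTH * 8 + SYSLOG_ALERT}>snort: {ident} {endpoints}")

def emit(hits, fast_sink, syslog_sink):
    """Write every alert to both sinks, as two 'output' lines in snort.conf would."""
    for rule, pkt in hits:
        fast_line, syslog_line = format_alert(rule, pkt)
        fast_sink.append(fast_line)
        syslog_sink.append(syslog_line)

# Constructed local.rules-style rules and sample packets (test traffic for the lab's "attack test").
RULES = [parse_rule(r) for r in (
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ping from outside"; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB /etc/passwd access"; content:"/etc/passwd"; nocase; sid:1000002; rev:1;)',
    'alert tcp any any -> $HOME_NET 23 (msg:"Telnet connection attempt"; sid:1000003; rev:1;)',
)]
PACKETS = [
    Packet("icmp", "203.0.113.5", 0, "192.168.1.10", 0, b"\x08\x00abcd"),
    Packet("tcp", "203.0.113.5", 51000, "192.168.1.10", 80, b"GET /cgi-bin/../../ETC/PASSWD HTTP/1.0\r\n\r\n"),
    Packet("tcp", "192.168.1.20", 40000, "192.168.1.10", 80, b"GET /index.html HTTP/1.1\r\n\r\n"),
    Packet("tcp", "203.0.113.9", 40001, "192.168.1.10", 23, b""),
]

if __name__ == "__main__":
    fast, syslog = [], []
    emit(detect(RULES, PACKETS), fast, syslog)
    print("\n".join(fast + syslog))
```

Running the block prints three alerts in each format: the external ping, the /etc/passwd request (caught despite upper-case because of nocase), and the Telnet attempt; the internal GET for /index.html is silent because EXTERNAL_NET is the negation of HOME_NET. The PRI value <33> is what a syslog server such as Kiwi decodes as facility auth, severity alert, the pair named in "output alert_syslog: LOG_AUTH LOG_ALERT"; the same validation that snort -T performs on snort.conf is approximated here by parse_rule raising on a malformed header.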

Lab Analysis

In this lab, you have become familiar with IPSes and IDSes by installing Snort, validating its configuration, and confirming that it raises alerts on test attack traffic. Analyze and document the results related to this lab exercise. Give your opinion on your target’s security posture and exposure.

II. Detecting Intruders and Worms Using KFSensor Honeypot IDS

Intrusion detection systems are designed to search network activity (we are considering both host-based and network-based IDS detection) for evidence of malicious abuse. When an IDS algorithm “detects” some sort of activity that is not in fact malicious or suspicious, the detection is known as a false positive. It is important to realize that, from the IDS’s perspective, it is not doing anything incorrectly: its algorithm is not making a mistake, the algorithm is just not perfect. IDS designers make many assumptions about how to detect network attacks, and every false positive traces back to one of those assumptions.

An example assumption is to look for extremely long URLs. Typically, a URL may be only about 500 bytes long, so telling an IDS to flag URLs longer than 2000 bytes may catch a denial-of-service attempt. A false positive could result from a complex e-commerce website that stores a wide variety of information in the URL and legitimately exceeds 2000 bytes.
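The long-URL assumption above, worked through in an added example that is not part of the lab or of KFSensor: a naive rule that fires on any request-URI over 2000 bytes is run over constructed HTTP request lines labelled attack or benign, and a refined rule that instead looks for a single oversized query-parameter value is run over the same lines. The request lines, the labels, and the 1000-byte per-parameter limit are assumptions made for the demonstration; only the 2000-byte figure comes from the text.

```python
"""How the "long URL" assumption turns into false positives, and what tuning it costs.

Added example, not from the lab or KFSensor. Request lines and attack/benign labels
are constructed; the 2000-byte total limit is the figure quoted in the text, the
1000-byte per-parameter limit is an assumed tuning value.
"""
from urllib.parse import parse_qs, urlsplit

LONG_URL_THRESHOLD = 2000   # bytes, total request-URI length (from the text)
PARAM_THRESHOLD = 1000      # bytes, longest single query-parameter value (assumed)

def request_uri(request_line):
    """Pull the request-URI out of an HTTP request line such as 'GET /x HTTP/1.1'."""
    _method, uri, _version = request_line.split(" ", 2)
    return uri

def long_url_rule(request_line, threshold=LONG_URL_THRESHOLD):
    """The naive assumption: any request-URI longer than the threshold is hostile."""
    return len(request_uri(request_line).encode()) > threshold

def longest_param_value(uri):
    """Length in bytes of the largest single query-parameter value in the URI."""
    values = parse_qs(urlsplit(uri).query, keep_blank_values=True).values()
    return max((len(v.encode()) for vals in values for v in vals), default=0)

def refined_rule(request_line, threshold=PARAM_THRESHOLD):
    """Refined assumption: one oversized value is suspicious; many small well-formed ones are not."""
    return longest_param_value(request_uri(request_line)) > threshold

def evaluate(rule, samples):
    """Return (true positives, false positives, false negatives) of a rule over labelled samples."""
    tp = fp = fn = 0
    for line, is_attack in samples:
        hit = rule(line)
        if hit and is_attack:
            tp += 1
        elif hit:
            fp += 1
        elif is_attack:
            fn += 1
    return tp, fp, fn

# Constructed traffic labelled by an analyst: (request line, is_attack)
SAMPLES = [
    ("GET /index.html HTTP/1.1", False),
    ("GET /search?q=" + "A" * 3000 + " HTTP/1.1", True),            # oversized input aimed at a fragile CGI
    ("GET /cart?" + "&".join(f"item{i}=sku{i:05d}&qty=1&colour=blue&size=L" for i in range(80))
     + " HTTP/1.1", False),                                          # big but legitimate e-commerce state
    ("GET /cgi-bin/../../etc/passwd HTTP/1.1", True),                # short, so no length rule can see it
]

if __name__ == "__main__":
    for name, rule in (("long_url_rule", long_url_rule), ("refined_rule", refined_rule)):
        print(f"{name}: tp/fp/fn = {evaluate(rule, SAMPLES)}")
```

The naive rule scores one true positive, one false positive (the 3275-byte shopping-cart URL) and one false negative; the refined rule removes the false positive because the cart's 320 parameters are each a few bytes long, while the 3000-byte search value still trips it. Neither rule sees the directory traversal, which is short: that is a different assumption (a content signature, not a length), and it carries its own false-positive and false-negative regions. This is the practical meaning of "the algorithm is just not perfect": every rule encodes an assumption, and tuning a threshold moves the errors around rather than eliminating them.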

In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network intrusion prevention systems (IPSes) and intrusion detection systems (IDSes), be able to identify malicious network activity and log information, and know how to stop or block malicious network activity.

Lab Objectives

The objective of this lab is to help students learn and understand IPSes and IDSes. In this lab, you need to:

  • Detect hackers and worms in a network
  • Provide network security

Lab Analysis

In this lab, you have learnt how to use the KFSensor honeypot IDS to detect hackers and worms in a network. Analyze and document the results related to the lab exercise. Give your opinion on your target’s security posture and exposure.

Module Syllabus

  • Intrusion Detection Systems (IDS) and its Placement
  • How IDS Works?
  • Ways to Detect an Intrusion
  • Types of Intrusion Detection Systems
  • System Integrity Verifiers (SIV)
  • General Indications of Intrusions
  • General Indications of System Intrusions
  • Firewall
    • Firewall Architecture
  • Demilitarized Zone (DMZ)
  • Types of Firewall
    • Packet Filtering Firewall
    • Circuit-Level Gateway Firewall
    • Application-Level Firewall
    • Stateful Multilayer Inspection Firewall
  • Firewall Identification
    • Port Scanning
    • Firewalking
    • Banner Grabbing
  • Honeypot
    • Types of Honeypots
  • How to Set Up a Honeypot?
  • Intrusion Detection Tool
    • Snort
    • Snort Rules
    • Rule Actions and IP Protocols
    • The Direction Operator and IP Addresses
    • Port Numbers
  • Intrusion Detection Systems: Tipping Point
    • Intrusion Detection Tools
  • Firewall: Sunbelt Personal Firewall
    • Firewalls
  • Honeypot Tools
    • KFSensor
    • SPECTER
  • Insertion Attack
  • Evasion
  • Denial-of-Service Attack (DoS)
  • Obfuscating
  • False Positive Generation
  • Session Splicing
  • Unicode Evasion Technique
  • Fragmentation Attack
  • Overlapping Fragments
  • Time-To-Live Attacks
  • Invalid RST Packets
  • Urgency Flag
  • Polymorphic Shellcode
  • ASCII Shellcode
  • Application-Layer Attacks
  • Desynchronization
  • Pre Connection SYN
  • Post Connection SYN
  • Other Types of Evasion
    • IP Address Spoofing
    • Attacking Session Token Generation Mechanism
    • Tiny Fragments
  • Bypass Blocked Sites Using IP Address in Place of URL
    • Bypass Blocked Sites Using Anonymous Website Surfing Sites
  • Bypass a Firewall using Proxy Server
    • Bypassing Firewall through ICMP Tunneling Method
    • Bypassing Firewall through ACK Tunneling Method
    • Bypassing Firewall through HTTP Tunneling Method
    • Bypassing Firewall through External Systems
    • Bypassing Firewall through MITM Attack
  • Detecting Honeypots
  • Honeypot Detecting Tool: Send-Safe Honeypot Hunter
  • Firewall Evasion Tools
    • Traffic IQ Professional
    • TCP-over-DNS
    • Firewall Evasion Tools
  • Packet Fragment Generators
  • Countermeasures
  • Firewall/IDS Penetration Testing
    • Firewall Penetration Testing
    • IDS Penetration Testing