Final IDS Report  

Date   

Student name 

 Final IDS Report

IDPS Concepts, Technologies, Applications, Strengths, and Weaknesses  

Intrusion detection and prevention systems (IDPS) is a combination of intrusion detection and  prevention that may be used to identify security policy problems, document existing threats, and to  deter individuals from violating security policies. Intrusion detection systems (IDS) monitor networks  system for malicious activity and or policy violation, and account for the behavior by logging the activity  with message alerts. Intrusion prevention systems (IPS) extends its capabilities by actively reconfiguring  network devices to block or drop network connectivity.  

IDPS Technologies  

Common IDPS technologies that may be deployed to monitor network traffic include network-based,  wireless, network behavior analysis (NBA), and host-based. Network-based technologies monitors traffic  flowing from specific devices or selected network segments of interest. They provide intrusion  detection/prevention adequately for traffic moving across the network, but may not be aware of  malicious activity that transpire on a host system.  

Wireless technologies monitor wireless network activity associated with standard wireless protocols. It  is beneficial with monitoring protocols in the network layer and below, but cannot be of any service with  protocols above the network layer.  

NBA operate on the principle of creating a baseline for normal network traffic which would later be used  to compare and look for unusual traffic. Anomalies that deviate from the baseline traffic are flagged,  accounted for in logs and possibly dropped to prevent further network traffic. Benign traffic on the  other hand that do not match baseline traffic may be identified and prevented as well, mistaking it for  malicious traffic. Additional tuning may be required infrequently to account for drastic changes in  network traffic.  

Host-based technologies narrows down on specific, individual information systems (IS) for monitoring.  Malevolent activities occurring on host systems are identified, whereas the same events that could  happen throughout the network or IS external of the host would not be recognized.  

IDPS Methodologies  

Detection methodologies that IDPS uses are classified as signature-based, anomaly-based detection and  stateful protocol analysis. Signature-based detection captures previously observed malicious patterns to  help identify and compare the same type of activity that may be prevalent on other systems. Anomaly based detection establishes a baseline foundation by heuristically monitoring the network for what is  perceived as normal activity. Other traffic that deviates from the learned behavior is identified as  suspicious activity. Stateful protocol analysis uses vendor-developed universal profiles to define which  stateful protocols are considered acceptable. A TCP SYN scan by Nmap could possibly be flagged  because it does not complete the three-way handshake as a stateful protocol usually does. 

Malware Detection  

Research was conducted to replay a malicious file infecting a host system in real time. 2021-02-24  QAKBOT (QBOT) Infection with Spambot Traffic was selected, with Security Onion’s logs and network  diagnostic tools being utilized to detect the malware and capture events generated by the malicious file.  Sguil logged and identified that a “policy PE EXE or DLL Windows file download” had occurred from a  source IP of 128.199.91.194:80 to destination IP 10.2.21.101:49725 (fig.1).  

Figure 1. Sguil Logs a Policy Violation/Custom Configured Rule  

The custom rule that was configured to trigger alert was “alert tcp $EXTERNAL_Net $HTTP_PORTS ->  $HOME_NET any (msg:”ET POLICY PE EXE or DLL Windows file download HTTP”;  flow:established,to_client; flowbits:isnotset, ET.http.binary;flowbits:isnotset,ET.INFO.WindowsUpdate;  file_data; content:”MZ”; withing:2; byte_jump:4,58,relative,little; content:”PE|00 00|”; distance:-64;  within:4; flowbits:set,ET.http.binary; reference:url,doc.emergingthreats.net/bin/view/Main/2018959;  classtype:policy-violation; sid: 2018959; rev:4; metadata:created_at 2014_08_19, former_category  POLICY, updated_at 2017_02_01;) /nsm/server_data/securityonion/rules/ip-10-0-0-106-eth0- 1/downloaded.rules: Line 14255” (Fig. 1). A further review from a log in Squert showed that the source  IP 128.199.91.194 originated from the United Kingdom (Fig. 2) Skillful hackers tend to cover their tracks  by using IP spoofing or pivoting from other compromised nodes. This could give reason to believe that 

this could possibly be a command and control node or a node set up as a repository for infecting host  systems.  

Figure 2. Squert traces IP to the United Kingdom.  

Other tools such as NetworkMiner was used to investigate this activity. It was capable of capturing the  name of the file that was downloaded, the path, hash and size (Fig. 3). Once the file hash or virus file has  been identified, website repositories that have signatures of known malicious files can be used to gather  further data on the suspicious file. PCAPs are another way of viewing data that is passed on the network.  Kibana captured the IP and logged the event under “All Logs” (Fig. 4), with a hyperlink to the PCAP. The  PCAP (Fig. 5) further validated what the other tools had already displayed.  

Figure 3. NetworkMiner displays information about the downloaded file.  

Figure 4. Kibana Logs Source IP of Malicious Activity. 

Figure 5. PCAP on Malicious Activity.  

IDPS and security networking tools are great for detecting a preventing leakage of proprietary  information. However threat actors have formulated work arounds to successfully smuggle data by the  use of encryption and secure protocols. Enterprises may configure proxies to decrypt out going traffic  and reencrypt it upon exiting the network, however specific equipment may be needed which could  consume a lot of resources and require more overhead.