Implementation and Design Pfsense Based Intrusion Detection and Prevention System by Using Suricata

This document describes a project to implement an intrusion detection and prevention system using Suricata on a PFsense platform. The project aims to design and set up this system to monitor network traffic and detect intrusions. It provides background on intrusion detection systems, PFsense, and the Suricata intrusion detection software. It outlines the key components of Suricata including packet acquisition, decoding, detection, and output. The document also discusses how Suricata can be used for intrusion prevention. Screenshots are included to illustrate the PFsense and Suricata configuration. The results and summary sections evaluate the effectiveness of the implemented system.


IMPLEMENTATION AND DESIGN PFSENSE BASED INTRUSION DETECTION AND PREVENTION SYSTEM BY USING SURICATA

Submitted to the faculty of the Electrical Engineering Department of the University of Engineering and Technology Lahore in partial fulfillment of the requirements for the Degree of Master of Science in Telecommunication Networks

Submitted by: Yasir Mehmood 2018-MSTN-8

Research Supervisor: Dr. Atif Hameed

Chairman, Department of Electrical Engineering

Department of Electrical Engineering
University of Engineering and Technology Lahore
MAY, 2021
Declaration
I declare that the work contained in this project is my own, except where explicitly
stated otherwise. In addition, this work has not been submitted to obtain another
degree or professional qualification.

Signed:

Date:
Acknowledgments
Several individuals have helped me in making this project a reality. I would like to thank all of them for extending their kindest support. First and foremost, I would like to express special thanks and gratitude to my project supervisor Dr. Atif Hameed, who through his timely guidance and sincere efforts made it possible for me to complete the project. His immense knowledge about the particular topic and his dedication to imparting that knowledge to his students have been pivotal in the completion of this project.
I dedicate this to my parents, wife and who had
kept me motivated throughout my M.Sc. Program and
sacrificed their emotions while I was busy in my studies.
Contents
List of Figures...............................................................................................................vi
Abstract..........................................................................................................................vii
1.1 Introduction.............................................................................................................1
1.1.1 Machines.........................................................................................................2
1.1.2 Operating System............................................................................................2
1.1.3 Software..........................................................................................................2
1.2 Problem Statement..................................................................................................3
1.3 Project Aims & Objectives......................................................................................3
1.4 Related Work..........................................................................................................4
1.5 Network Architecture..............................................................................................4
1.5.1 The signature Based Intrusion Detection System............................................4
1.5.2 Anomaly Based Intrusion Detection System...................................................5
1.5.3 Network-Based Intrusion Prevention System (NIPS)......................................5
1.5.4 Wireless Intrusion Prevention System (WIPS)................................................5
1.5.5 Network Behavior Analysis (NAB)................................................................6
1.5.6 Host-Based Intrusion Prevention System (HIPS)...........................................6
1.6 PFsense....................................................................................................................6
1.7 Suricata Intrusion Detection System........................................................................7
• Packet Acquisition...................................................................................................8
• Decode and Stream Application Layer....................................................................8
• Detection.................................................................................................................8
• Output.....................................................................................................................9
1.8 Intrusion Prevention System using Suricata..........................................................17
1.9 Results...................................................................................................................20
1.10 Summary...............................................................................................................21
References:.......................................................................................................................22
List of Figures
Figure-1: Block Diagram..............................................................................................................3
Figure-2: PFsense and Suricata security infrastructure..................................................................7
Figure-3: Suricata Packet Capture and Detection..........................................................................9
Figure-4: Installation Window....................................................................................................10
Figure-5: PFsense Login Screen..................................................................................................11
Figure-6: System Settings...........................................................................................................12
Figure-7: DHCP configuration....................................................................................................13
Figure-8: WAN Interface............................................................................................................13
Abstract
This report covers the design, implementation, and functionality of an IDS that the author developed as a final year project, a mandatory requirement of the degree program. Since the author selected Suricata as the mainstay of the IDS, the report explains the reasons that support this design choice. It also considers the technical features of Suricata and of its supporting platform, PFsense. Moreover, the report takes a brief yet comprehensive look at previously conducted relevant work in this domain and describes modern intrusion detection and prevention systems. To document the work done throughout the project, the report includes screenshots that serve as a guideline for readers who want to reproduce this project for their own needs. All in all, the report discusses the components of the project thoroughly and forms the theoretical foundation for the practical work conducted during the project.

Chapter 1
Introduction
1.1 Introduction
The world has seen rapid growth in technology and computer networks during the twenty-first century, and the current era is widely described as the era of technology and communication. Although these advancements have revolutionized the way we communicate, they have also opened new fronts for safety and security. Securing the transmission lines and nodes is a vital aspect of network security and management and is essential for the safe transmission of data across the internet; only then can trustworthy and safe communication throughout the network be ensured. Cloud computing is one of the fastest-growing sectors of computer science; it deals with shared networks and computer resources offered to users over IT (Information Technology) infrastructure. Despite many developments in network security technology over the past few decades, the Internet remains a hostile environment for networked computer systems. Rapid growth in technology and computer networks also brings a variety of security flaws and concerns, which can lead to massive losses, not only for home users but also for organizational assets, through unauthorized access to data packets and network transmission lines; such threats can be effectively addressed using a system like Suricata [1], [2].
Previously, only cybersecurity experts and highly skilled intruders knew how to break into a system; however, the spread of technology has now enabled almost any person to sneak into a system by tricking the firewall. To counter such intrusion threats there are two kinds of intrusion systems: the intrusion detection system (IDS) and the intrusion prevention system (IPS). Suricata is a network threat detection engine that provides intrusion detection, intrusion prevention, and network security monitoring capabilities. Suricata deeply observes the packets exchanged over the transmission lines, and it employs deep packet inspection and pattern matching techniques that make it exceptionally useful for network security monitoring scenarios as well as for IDS and IPS roles. During the past twenty years, several companies have launched network security and intrusion detection systems to achieve goals such as integrity, confidentiality, and availability [1], [3].
The world is shifting towards multi-core, multi-threaded processors, which has enabled multi-threaded software application design. Suricata follows the same design and is a multithreaded network intrusion detection and prevention system. Network monitoring and intrusion detection systems have become an essential component of organizational network infrastructure in light of the growing number of cyber-attacks and network intrusions across the globe. Intrusion detection is the process of detecting any sort of malicious activity on a network, mainly caused by unauthorized access to a system. IDSs deeply monitor and analyse the ongoing network traffic and look for security breaches in existing data and in incoming and outgoing files, so as to deny an intruder the opportunity to sneak into the system. As an IDS, Suricata detects intrusions with the help of rulesets. These rulesets are predefined in the Suricata rules and can be modified by the system administrator. In this project Suricata runs on a PFsense firewall, which provides a dedicated firewall for the network; moreover, PFsense creates and maintains a log of the traffic on the network, which makes it a reliable tool for monitoring communication between network nodes. This project uses several software tools and applications, as stated below [4], [5]:
1.1.1 Machines
VMware (Virtual Machine-ware) is a software-based emulation tool that provides the
architecture and functionality of a dedicated physical computer on shared resources from its
host platform [6].
1.1.2 Operating System
Windows 8 (64-bit version)
1.1.3 Software
PFsense Firewall ISO is installed on a virtual machine or a physical computer to make a
dedicated firewall for a network that also features unified threat management, load
balancing, and Multi-WAN.
In summary, this project enables real-time intrusion identification and monitoring, and lets us manage traffic logs more efficiently. It further enables safe and secure communication between network nodes, providing a threat-proof environment and boosting the efficiency of network traffic analysis. A key feature of Suricata is that it lets the network administrator balance the IDS workload according to the processing requirements at different locations within a network. Earlier intrusion systems relied on statistical anomaly detection, host-based detection, user profiles, and signatures, using a rule-based expert system to detect known types of intrusion based on user profiles, the host system, and the target system. Such systems were limited to detecting a threat, with no prevention capability. Firewalls can process packets very quickly; however, their decisions rely on the port or IP address alone, with no deep packet inspection. In other words, firewalls have no visibility into packet content or the context of the traffic. Suricata, by contrast, offers deep packet inspection, and its ability to analyse the events occurring inside the network allows it to provide a fool-proof network security solution against cyberattacks [4], [7].
Figure-1: Block Diagram
For this project, a virtual environment would be set up on VMware to replicate a PC that would serve as the attacker on the wide area network (WAN PC). Another virtual machine running Windows would act as the victim on the local area network (LAN PC). The attacker would remotely access the LAN PC and generate a threat against the victim's computer from a single IP address. The user (the network administrator in this context) would set rules for the data packets. These predefined rules in the Suricata package, written for different service ports such as telnet, FTP, and HTTP, would deny access from that single IP address and so prevent the threat [4], [8].

1.2 Problem Statement


Intrusion detection systems are typically difficult to implement on a network; since they are designed to cater to the requirements of a specific environment and system, they are not well suited to every situation and scenario. With the increased traffic volume and complexity of networks, the number of cyber-attacks is escalating. The processing power of single-threaded, signature-based systems is therefore turning out to be insufficient to keep up with the demands of high network traffic, resulting in compromised security of sensitive data and hampering the key role of the IDS. Another problem is that such a system may generate a notable number of false alarms, desensitizing the monitoring operation to alerts so that genuine alerts and breaches are ignored. Suricata offers a complete solution to this problem: as a multi-threaded IDS it can intelligently split the processing and monitor the communication between network nodes more efficiently [9].

1.3 Project Aims & Objectives


This project aims to establish an IDS using the PFsense firewall, with Suricata implemented on it to provide an efficient intrusion detection and prevention system. The key objectives of the project are listed below:
• To obtain knowledge about network security and IDS techniques.
• To understand the functionality of a multi-threaded IDS and IPS (i.e., Suricata).
• To develop a reliable and autonomous system that functions efficiently while reducing false alerts.
• To implement a unified threat detection and prevention solution.
1.4 Related Work
It is a bitter fact that the volume of cyber-threats has been growing significantly, and the ever-changing means of networking and networked communication have made it complicated for networking professionals to safeguard the information across all these devices. Things get more complicated once the different modes of communication join each other on a single network (e.g., the internet), and it becomes very challenging to ensure the security of all communication channels and devices. These aspects have made network security a very challenging field lately. However, not much work has been done during the past decade to improve existing IDS and IPS methods, as these systems remain a no-go territory for students due to the complications associated with them [5].
Most of the existing work relates to the introduction of these systems to RFID and similar technologies, or to the evaluation of existing IDS and IPS products. Interestingly, no detailed guidelines exist for newcomers regarding the implementation of these systems in typical organizational or commercial scenarios. The little work that is available provides very shallow information about the utility, with nearly no focus on configuration or practical attributes. Therefore, this project aims to address the shortcomings of the existing literature by developing a viable solution with sound documentation to fill this gap [1], [2].

1.5 Network Architecture


The concept of "intrusion detection" is among the most broadly discussed concepts in computer science and network security. Fundamentally, an intrusion detection system (IDS) is a mechanism or framework employed to detect and identify potential security threats on the network, to ensure the safe transmission of data between source and destination nodes. At their core, IDSs can be categorized into two major categories, as stated below [10].
1.5.1 The signature Based Intrusion Detection System
A signature-based intrusion detection system analyses real-time network traffic to identify signatures that match previously captured data. Upon identification of a known signature, a security alert is generated to warn the network administrator. In other words, a signature-based IDS resembles conventional anti-virus (AV) software, where all files are compared against known virus definitions to identify infected files. Put differently, a signature-based IDS is used in combination with a library of previously identified suspicious patterns and behaviors to detect malicious activity on a network [10], [11].
1.5.2 Anomaly Based Intrusion Detection System
Unlike the previously described signature-based IDS, the anomaly-based intrusion detection
systems (IDS) observe the violations of certain pre-set rules. These rules are created and set
by the network administrator to manage the network traffic in a predictable and pre-planned
manner. Therefore, as soon as an anomaly-based IDS detects the violation of any of these
rules, a security alert is generated to warn the network-administrator. In other words, the
anomaly-based IDS characterizes any activity as a malicious activity that is performed
outside the pre-defined network traffic parameters [10], [12], [13].
As their names indicate, an intrusion detection system (IDS) is a network monitoring system while an intrusion prevention system (IPS) is a network control system. The functionality of an IDS is limited to the detection of malicious data packets on a network; it does not alter the packets. An IPS, on the other hand, as a control system, analyzes the contents of data packets to determine whether they are allowed to enter the network. For example, if a pattern matches and the data is malicious, an IPS identifies it as a threat and the data is not allowed to enter the network. There are four key types of intrusion prevention systems, described below [12], [13]:
1.5.3 Network-Based Intrusion Prevention System (NIPS)
A NIPS is a dedicated system that performs network monitoring so that network security goals such as data confidentiality and integrity can be attained. Another purpose of a NIPS is to ensure maximum uptime of the network, for a smooth and reliable communication process. Since it is a network monitoring system, it is also used to isolate the system from suspicious traffic so that DDoS (Distributed Denial of Service) and similar cyber-attacks can be prevented [14]–[16].
1.5.4 Wireless Intrusion Prevention System (WIPS)
As the name signifies, a WIPS closely monitors and analyzes the WLAN and its radio spectrum (typically the 2.4 GHz and 5 GHz Wireless Fidelity (Wi-Fi) bands) to identify and block suspicious WAPs (wireless access points). In other words, its functionality is similar to that of a NIPS, but its role is limited to wireless communication devices [17].
1.5.5 Network Behavior Analysis (NAB)
This type is especially popular on proprietary networks where all operations and network traffic follow a predictable pattern. As the name implies, a NAB (Network Behavior Analysis) system monitors the network and its ongoing activities to identify any abnormal or suspicious behavior. Such solutions are mostly deployed with a predefined set of parameters to identify and block abnormal network activity in real time. NAB solutions often work autonomously and are implemented to complement existing IPS, AV, and firewall installations [18], [19].
1.5.6 Host-Based Intrusion Prevention System (HIPS)
HIPS is a modern approach to address the shortcomings of conventional signature-analysis-based solutions. Although signature-based network security measures are considered very efficient, advances in malware and counter-security techniques have shown that signature analysis alone is not sufficient to safeguard a network against known threats. HIPS offers an effective way to overcome these shortcomings. A host-based intrusion prevention system is essentially a software package that runs on a single host to identify, monitor, and block suspicious activity by examining all the events that occur on that specific host [20].

1.6 PFsense
In a typical networking environment, traffic is required to pass through a firewall before entering or leaving the network. In other words, the firewall serves as a boundary or access-control mechanism between a system and outside traffic. PFsense is an open-source firewall based on the FreeBSD OS; it is a comprehensive security tool and an integral part of the Suricata-based security framework. In addition to complementing the functionality of Suricata, PFsense can also be used as a stand-alone solution to monitor the data packets and traffic on a network. Fundamentally, as a firewall, its primary role is to protect network devices from both internal and external threats to ensure the security, integrity, and reliability of the communication process. In the context of this project, PFsense is used to manage and support the rules defined in Suricata, as well as to balance the network load using its multi-WAN and load balancing capabilities. PFsense is among the few tools that use a graphical user interface (GUI) to display alerts and traffic logs, making it easy for the network administrator to take quick action against any suspicious activity on a system [21].
Figure-2: PFsense and Suricata security infrastructure
1.7 Suricata Intrusion Detection System
Suricata is an intrusion detection and prevention system that uses signature analysis to identify malicious data packets and abnormal network activity within a network. Signature-based analysis is a proven network security method with reliable outcomes; Suricata improves on it with a deep packet inspection technique that matches patterns and supports standard input and output data formats. For example, Suricata uses JSON output, YAML configuration, SIEM integration, and tools such as Kibana to simplify tasks such as packet capture, detection, and prevention while maintaining their effectiveness. The pattern matching follows pre-defined rules stored as structured text files. These rule files describe the network traffic of interest to the user: each rule contains specific instructions that not only specify what to match but also which events should trigger certain responses. When malicious data tries to break into the system, the matching rules generate a security alert notification. A rule may contain a sequence of characters, bytes, or a regular expression, which is termed a pattern. Patterns are a crucial part of the rules; each rule may contain one or more patterns to compare with the network traffic [4], [7], [8].
A rule can be broken down into three parts: the action, the header, and the rule options. As a tool, Suricata has a set of keywords that are specific to it. In Snort, another IDS, the header contains attributes such as the rule action, the network-layer (L3) protocol, and the source and destination IP addresses. On a framework level, Suricata and Snort are very similar; however, Suricata favors application-layer protocols in the rule header, e.g., File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), Transport Layer Security (TLS), and Domain Name System (DNS), whereas Snort favors network-layer protocols. Data packets are decoded by Suricata's decoding function and the log is saved in tabular form before the packets are processed further in the detection modules. The decoder reads each packet, decodes the data, and stores it in Suricata's internal representation; each packet is handled one at a time by the decoding pipeline before it is handed to the detection modules. Within the decoding pipeline, the source address of the captured packet is interpreted first and then the data link layer protocols are decoded, with decoding proceeding up to the last and highest layer of the OSI (Open Systems Interconnection) model. During detection, the Suricata rules are matched against the internal data representation created earlier by the decoder [7], [22].
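To make the three-part rule structure concrete, and to show the IDS-versus-IPS distinction drawn in the previous section, here is a toy rule parser and matcher. It is an added example written for this edit, not code from Suricata, PFsense, or the report. It implements only a small subset of the real rule language (the alert/drop/pass actions; any, negated, CIDR and $VARIABLE address specs; single ports; the -> direction; and the msg, content, nocase and sid options), and the $HOME_NET/$EXTERNAL_NET values, the rules for the telnet, FTP and HTTP ports of the report's test scenario, and the sample packets are all constructed for the demonstration.

```python
"""Toy Suricata-style rule parser and matcher: added example, not code from Suricata,
PFsense or the report. It covers a small subset of the rule language the text describes
(action, header, rule options): alert/drop/pass actions; 'any', '!', CIDR and $VARIABLE
addresses; single ports; the '->' direction; and the msg, content, nocase and sid options.
All rules, variables and packets below are constructed for the demonstration."""
import ipaddress
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import List, Tuple

HEADER_RE = re.compile(r"^(?P<action>alert|drop|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
                       r"\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')  # key:value; or bare key;
VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "!$HOME_NET"}  # constructed variables

# A decoded packet as the detection stage would see it; app_proto is e.g. "http" when known.
Packet = namedtuple("Packet", "proto src sport dst dport payload app_proto", defaults=[""])

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    sid: int = 0
    contents: list = field(default_factory=list)  # [pattern_bytes, nocase] pairs

def parse_rule(text: str) -> Rule:
    """Split one rule into its action, header fields and the options we support."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed rule: {text!r}")
    rule = Rule(m["action"], m["proto"].lower(), m["src"], m["sport"], m["dst"], m["dport"])
    for key, raw in OPTION_RE.findall(m["opts"]):
        value = raw.strip().strip('"')
        if key == "msg":
            rule.msg = value
        elif key == "sid":
            rule.sid = int(value)
        elif key == "content":
            rule.contents.append([value.encode(), False])
        elif key == "nocase" and rule.contents:
            rule.contents[-1][1] = True  # the modifier applies to the preceding content
    return rule

def _addr_matches(spec: str, actual: str, variables: dict) -> bool:
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not _addr_matches(spec[1:], actual, variables)
    if spec.startswith("$"):
        return _addr_matches(variables[spec], actual, variables)
    return ipaddress.ip_address(actual) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule: Rule, pkt: Packet, variables: dict = VARS) -> bool:
    """Header check first; then every content pattern must occur in the payload."""
    if rule.proto not in ("ip", pkt.proto, pkt.app_proto):
        return False
    if not (_addr_matches(rule.src, pkt.src, variables) and rule.sport in ("any", str(pkt.sport))
            and _addr_matches(rule.dst, pkt.dst, variables) and rule.dport in ("any", str(pkt.dport))):
        return False
    for pattern, nocase in rule.contents:
        hay, needle = (pkt.payload.lower(), pattern.lower()) if nocase else (pkt.payload, pattern)
        if needle not in hay:
            return False
    return True

def evaluate(rules: List[Rule], pkt: Packet, ips_mode: bool = True,
             variables: dict = VARS) -> Tuple[str, List[int]]:
    """(verdict, matching sids): 'pass' wins; 'drop' blocks only in IPS mode, else it alerts."""
    matched = [r for r in rules if rule_matches(r, pkt, variables)]
    if not matched:
        return "pass", []
    actions = {r.action for r in matched}
    sids = [r.sid for r in matched]
    if "pass" in actions:
        return "pass", sids
    return ("drop" if ips_mode and "drop" in actions else "alert"), sids

# Constructed rules for the telnet, FTP and HTTP ports named in the report's scenario.
RULES = [parse_rule(r) for r in [
    'drop tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"Telnet access from outside"; sid:1000001; rev:1;)',
    'drop tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP login from outside"; content:"USER"; nocase; sid:1000002; rev:1;)',
    'alert http $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Path traversal in HTTP request"; content:"../"; sid:1000003; rev:1;)',
]]
# Constructed packets: WAN-side attacker 203.0.113.5, LAN-side victim 192.168.1.10.
TELNET_FROM_WAN = Packet("tcp", "203.0.113.5", 40001, "192.168.1.10", 23, b"")
TELNET_FROM_LAN = Packet("tcp", "192.168.1.20", 40002, "192.168.1.10", 23, b"")
FTP_FROM_WAN = Packet("tcp", "203.0.113.5", 40003, "192.168.1.10", 21, b"user anonymous\r\n")
HTTP_NORMAL = Packet("tcp", "203.0.113.5", 40004, "192.168.1.10", 80, b"GET /index.html HTTP/1.1\r\n", "http")
HTTP_TRAVERSAL = Packet("tcp", "203.0.113.5", 40005, "192.168.1.10", 80, b"GET /../../config HTTP/1.1\r\n", "http")

if __name__ == "__main__":
    for pkt in (TELNET_FROM_WAN, TELNET_FROM_LAN, FTP_FROM_WAN, HTTP_NORMAL, HTTP_TRAVERSAL):
        print(f"{pkt.src}:{pkt.sport}->{pkt.dport}  IPS={evaluate(RULES, pkt)}  IDS={evaluate(RULES, pkt, False)}")
```

Running the block shows the same telnet packet from the WAN being dropped in IPS mode but only alerted on in IDS mode, while the identical connection from a LAN host matches nothing because $EXTERNAL_NET is the negation of $HOME_NET. The nocase modifier is why the lower-case "user anonymous" FTP payload still hits a rule written with content:"USER".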
Unlike the decoding module, the detection process can process a single data packet in multiple detection modules simultaneously. This approach not only saves time but also boosts efficiency, making Suricata a fast IDS. For the sake of simplicity, Suricata has been programmed entirely in the C programming language; it does not use C++, as all of Suricata's modules have been developed in C. Suricata divides the network traffic into multiple streams following a multi-threading approach. This technique not only simplifies task management for users but also enables Suricata to make more effective use of modern multi-core systems. The following section takes a brief yet comprehensive look at the four key modules of Suricata that are mainly regarded as boosters of processing performance; these modules represent the structure of multi-threading in Suricata [23].
• Packet Acquisition
As the name suggests, this thread module is responsible for reading the data packets from the network.
• Decode and Stream Application Layer
This thread module performs the decoding function and inspects the data packets.
• Detection
This thread module compares the signatures against the data packets and the network communication patterns. It makes use of Suricata's multi-threading capabilities to run multiple threads against one data packet simultaneously to increase the speed of this process.
• Output
As the name implies, this phase handles the output of the previous module. When processing reaches this phase, the data packets have been processed and the outcomes are used to generate alerts for suspicious activities.
The following diagram illustrates the above-mentioned process and shows how a packet is captured and decoded in Suricata's thread modules.

Figure-3: Suricata Packet Capture and Detection
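The Output module described above is where the alerts end up, and in practice an operator consumes them from Suricata's EVE JSON log (one JSON event per line). The following script, an added example rather than code from Suricata, PFsense, or the report, reads such lines, keeps only the alert events, tolerates a truncated or corrupt line, and builds the first summary an operator wants: alerts per signature, per source address, and how many were actually blocked (IPS) versus only logged (IDS). The log lines are constructed for the demonstration and follow the field names of Suricata's alert event schema.

```python
"""Summarize Suricata EVE JSON alerts: added example, not Suricata or PFsense code.
Suricata's output module can emit every event as one JSON object per line (EVE). This
reads such lines, keeps the 'alert' events, skips unparsable lines, and counts alerts per
signature and per source, and blocked versus allowed. Log lines are constructed."""
import json
from collections import Counter
from typing import Dict, Iterable, List

# Constructed EVE records following the field names of Suricata's alert schema.
EVE_LINES = [
    '{"timestamp":"2021-05-10T14:03:21.000000+0500","event_type":"alert","src_ip":"203.0.113.5","src_port":40001,'
    '"dest_ip":"192.168.1.10","dest_port":23,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":1000001,'
    '"rev":1,"signature":"Telnet access from outside","category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2021-05-10T14:03:22.000000+0500","event_type":"flow","src_ip":"192.168.1.20",'
    '"dest_ip":"192.168.1.10","proto":"TCP"}',
    '{"timestamp":"2021-05-10T14:03:25.000000+0500","event_type":"alert","src_ip":"203.0.113.5","src_port":40003,'
    '"dest_ip":"192.168.1.10","dest_port":21,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":1000002,'
    '"rev":1,"signature":"FTP login from outside","category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2021-05-10T14:03:30.000000+0500","event_type":"alert","src_ip":"198.51.100.7","src_port":51000,'
    '"dest_ip":"192.168.1.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000003,'
    '"rev":1,"signature":"Path traversal in HTTP request","category":"Web Application Attack","severity":1}}',
    '{"timestamp":"2021-05-10T14:03:31.000000+0500","event_type":"alert","src_ip":"203.0.113.5","src_port":40006,'
    '"dest_ip":"192.168.1.10","dest_port":23,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":1000001,'
    '"rev":1,"signature":"Telnet access from outside","category":"Potentially Bad Traffic","severity":2}}',
    'truncated garbage that a half-written log line can leave behind {"event_type":"alert"',
]

def parse_alerts(lines: Iterable[str]) -> List[dict]:
    """Return alert events only; other event types and unparsable lines are skipped."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a partially written or corrupt line must not abort the whole run
        if event.get("event_type") == "alert" and isinstance(event.get("alert"), dict):
            alerts.append(event)
    return alerts

def summarize(alerts: List[dict]) -> Dict[str, object]:
    """Counts an operator checks first: per signature, per source, blocked vs allowed."""
    by_signature = Counter(a["alert"]["signature"] for a in alerts)
    by_source = Counter(a["src_ip"] for a in alerts)
    blocked = sum(1 for a in alerts if a["alert"]["action"] == "blocked")
    # severity 1 is the most severe in Suricata's scale; surface those individually
    high_severity = [(a["src_ip"], a["alert"]["signature"]) for a in alerts if a["alert"]["severity"] == 1]
    return {
        "total": len(alerts),
        "blocked": blocked,
        "allowed": len(alerts) - blocked,
        "by_signature": dict(by_signature),
        "by_source": dict(by_source),
        "top_source": by_source.most_common(1)[0][0] if by_source else None,
        "high_severity": high_severity,
    }

def report(lines: Iterable[str]) -> Dict[str, object]:
    return summarize(parse_alerts(lines))

if __name__ == "__main__":
    for key, value in report(EVE_LINES).items():
        print(f"{key}: {value}")
```

The "allowed" count is the figure to watch when Suricata runs in IDS mode: every alert is "allowed" there, so a non-zero "allowed" total on an inline (IPS) interface means a signature fired without a drop action and deserves a review of the rule's action.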


Installation & Configuration of PFsense and Suricata
For this project, a virtual environment would be created using VMware (Virtual-Machine-ware software tool) to replicate a PC that serves the role of the victim. The victim computer is created from a Windows ISO (optical disc image) on the local area network (LAN PC). The purpose of using a Windows ISO is to realistically reproduce the functionality of a physical computer in a virtual environment. In a pre-planned manner, a simulated attack is conducted in which the attacker remotely accesses the LAN PC to replicate a threat to the victim computer from a single IP address. The user (the network administrator is assumed to be the user for this particular project) sets rules for the data packets [4], [8], [14].
Since PFsense is an open-source FreeBSD-based OS, it would be installed on the victim computer. PFsense requires very minimal hardware for complete functionality; for this particular project a 1 GHz CPU, 1 GB RAM, 4 GB storage, and two or more PCI-e network interface cards (NICs) are allocated to PFsense according to its role and implementation scenario. These hardware resources have been allocated in line with the manufacturer's recommendations to obtain smooth performance. Nevertheless, more hardware resources may be allocated as needed [6], [7].
The installation of pfSense proceeds as follows.
1. The pfSense image was obtained from https://www.pfsense.org/download/. An important
decision at this point is the assignment of the network interfaces, that is, which NIC becomes
WAN and which becomes LAN, because the firewall only works once both are configured. The
network administrator first connected only the WAN interface until pfSense had completed its
configuration, and then connected the LAN interface to the victim PC, which concluded the
installation.
2. The downloaded image can be burned to an optical disc or written to a USB flash drive. On
Linux the image is written to the stick with the dd utility; on Windows an image-writing tool
is used instead, since dd is not available there. The target machine is then booted from the
USB drive or optical disc, after which the pfSense welcome screen is displayed.

Figure-4: Installation Window

3. The console menu is next used to make sure the web configurator is reachable (it can be
reset to plain HTTP if the HTTPS listener cannot yet be reached), and pfSense prints the
address at which its web interface is served. The web interface was opened with the default
credentials, username admin and password pfsense, and the initial setup wizard then prompts
for a new password. Because these defaults are public, the password must be changed before
the firewall is exposed to any untrusted network. This concludes the basic installation and
configuration of the pfSense firewall.
Figure-5: pfSense Login Screen

4. The configuration console offers “Accept These Settings”, which keeps the default
parameters. The next screen offers the quick/easy install, followed by a choice between the
standard kernel and the embedded kernel; “Standard Kernel Installation” was selected, and the
system was rebooted to apply these settings, after which the installation completes
automatically. Out of the box only the WAN interface is configured, and it obtains its address
by DHCP. The LAN interface is not configured by default, so it must be given an address
manually; the recommended practice, followed here, is to assign a static IPv4 address from the
pfSense console. That address becomes the default gateway for every host plugged into the
LAN. The dashboard then shows the system information, interfaces, traffic graphs and
firewall logs.
Figure-6: System Settings

5. Suricata is installed through the pfSense package manager: System -> Package Manager ->
Available Packages -> Suricata -> Install.

Figure-7: Package installation


6. After installation, the Suricata package appears under the Services tab.
Figure-8: DHCP configuration
7. The following screenshot shows the WAN interface settings. The pattern-matcher algorithm
for the WAN interface is left on Auto, and blocking is disabled, because at this stage the
system is being used purely as an IDS.

Figure-9: WAN Interface


8. At this point HTTP logging has been enabled on the WAN interface, and alerting has been
turned on for it.
Figure 10: HTTP logs of the WAN system

9. With Suricata's inspection and protection modules running, HOME_NET and EXTERNAL_NET
are left at their defaults (on pfSense, HOME_NET is built from the locally attached networks
and the firewall's own addresses, and EXTERNAL_NET is everything that is not HOME_NET),
and alerts have been enabled.
Figure 11: Alerts Screen
10. The following screen shows that all of the selected rulesets have been loaded into the
system. As stated earlier, these rules are what generate alerts for malicious and suspicious
network activity.
Figure 12: Rulesets

11. The following screen shows the alerts that the system generated in response to simulated
rule violations.
Figure 13: Ruleset violation alerts
12. The host-specific defragmentation and stream-reassembly policies are found on the WAN
interface's Flow/Stream tab. These host OS policies tell Suricata how each target operating
system reassembles overlapping IP fragments and TCP segments, so that the engine sees the
same byte stream the victim will and cannot be evaded with overlapping data; they were
adjusted to the needs of this project.
Figure 14: policies

13. The following screenshot shows the flow-manager settings and the flow-timeout settings
for TCP, UDP and ICMP. The new-connection timeouts for TCP, UDP and ICMP have been set to
60, 30 and 30 seconds respectively; these control how long Suricata keeps state for a flow
that never completes, which bounds the memory consumed by scans and half-open connections.
Figure 15: connection timeout durations
14. The following screen shows the alert-log entries; the view holds the 10000 most recent
alert entries.

Figure 16: violation log entries

15. The following screen shows the log-management policy and parameters set by the network
administrator for this project. Alert retention has been set to 90 days; the value can be
changed to suit a given system, bearing in mind that retention is ultimately bounded by the
disk space available to the firewall.
Figure 17: retention values for logs
With pfSense installed and configured, the IDS/IPS package is added so that rules can be
written and only appropriate traffic is allowed through the firewall. pfSense's default LAN
rule allows all outbound traffic (“Allow All”), while the WAN blocks all unsolicited inbound
traffic by default; both can be changed to suit each scenario. Suricata is installed from
System -> Package Manager in the web interface and, once installed, appears under the
Services tab.
1.8 Intrusion Prevention System using Suricata
As mentioned earlier, Suricata is an intrusion detection and prevention system that uses
signature analysis to identify malicious packets and abnormal activity on a network. In 1998
Jakob Nielsen predicted that a user's available bandwidth grows by about 50% per year, and
this exponential growth creates design problems for developers of network intrusion detection
and prevention systems. Traffic volume often exceeds what an inline IPS can inspect, forcing it
to drop packets and leaving it ineffective. Specialists often turn to purpose-built algorithms
and Application Specific Integrated Circuits to avoid this, but such systems are costly.
Suricata, by contrast, is an open-source IPS and a cost-effective alternative: its multithreaded
engine scales detection across CPU cores, and it can prevent unauthorized access by blocking
unwanted and malicious traffic.
The following screens illustrate how Suricata monitors and prevents security breaches within a
network.
1. The following screen shows the “Alert and Block” settings, which the network administrator
configured in Legacy Mode for this project, with 10.0.0.1 as the LAN gateway address. The two
blocking modes differ in where Suricata sits. In Legacy Mode Suricata receives a copy of each
packet (via libpcap) after the firewall has already forwarded it; when a packet matches a rule,
Suricata raises an alert and inserts the offending IP address into a pf table, and the firewall
then drops that host's subsequent traffic. The matching packet itself, and anything the host
sends before the table entry is installed, has already passed, so Legacy Mode can leak a small
amount of traffic and blocks by host rather than by packet. In Inline Mode Suricata is inserted
into the network stack (via netmap) and each packet is inspected before it is forwarded, so a
packet matching a drop rule is discarded before it reaches the protected network, and only that
packet is affected.

Figure 18: Alert and Block Settings to activate Legacy Mode
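To make that difference concrete, the following Python model runs the same constructed packet sequence through a simplified Legacy-mode pipeline and a simplified Inline-mode pipeline. It is an added example written for this edit, not code from pfSense or Suricata: the rule, the four packets, the per-packet granularity and the names of the result fields are assumptions of the model. In the real package the pf table is named snort2c and the administrator can choose whether the source, the destination or both addresses are blocked; the model blocks the source only.

```python
"""Model of Suricata's Legacy and Inline blocking modes on pfSense (added
illustration, not code from pfSense or Suricata)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


# Constructed traffic: host 10.0.0.25 sends a benign request, a rule-matching
# request and then another benign request; 10.0.0.30 is an innocent neighbour.
TRAFFIC = [
    Packet("10.0.0.25", "203.0.113.10", b"GET / HTTP/1.1"),
    Packet("10.0.0.25", "203.0.113.10", b"GET /cgi-bin/;id HTTP/1.1"),
    Packet("10.0.0.25", "203.0.113.10", b"GET /index.html HTTP/1.1"),
    Packet("10.0.0.30", "203.0.113.10", b"GET / HTTP/1.1"),
]


def rule_matches(pkt):
    """Stand-in for the detection engine: one content rule on the payload."""
    return b";id" in pkt.payload


def run_legacy(packets, rule=rule_matches):
    """Legacy Mode: Suricata inspects a copy after pf has forwarded the packet.

    A match puts the source host into the block table; pf then drops every
    later packet from that host, whether or not it matches anything.
    """
    blocked_hosts, forwarded, leaked, collateral = set(), [], [], []
    for pkt in packets:
        if pkt.src in blocked_hosts:
            # Dropped by pf on the block table; Suricata never sees it, so
            # benign traffic from the host is lost as well.
            if not rule(pkt):
                collateral.append(pkt)
            continue
        forwarded.append(pkt)          # already on its way to the LAN
        if rule(pkt):
            leaked.append(pkt)         # detected, but this packet got through
            blocked_hosts.add(pkt.src)
    return {"forwarded": forwarded, "leaked": leaked,
            "collateral": collateral, "blocked_hosts": blocked_hosts}


def run_inline(packets, rule=rule_matches):
    """Inline Mode: Suricata decides per packet before the stack sees it."""
    forwarded, dropped = [], []
    for pkt in packets:
        (dropped if rule(pkt) else forwarded).append(pkt)
    return {"forwarded": forwarded, "dropped": dropped}


if __name__ == "__main__":
    legacy, inline = run_legacy(TRAFFIC), run_inline(TRAFFIC)
    print("legacy: forwarded", len(legacy["forwarded"]),
          "leaked", len(legacy["leaked"]),
          "collateral", len(legacy["collateral"]),
          "blocked hosts", sorted(legacy["blocked_hosts"]))
    print("inline: forwarded", len(inline["forwarded"]),
          "dropped", len(inline["dropped"]))
```

Running it shows the two trade-offs the text describes: Legacy Mode lets the first matching packet through and then also drops the host's later benign request, whereas Inline Mode drops exactly the matching packet and nothing else.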

2. The following screen shows the rule classifications. The package ships 41 classification
types (classtypes), and every rule carries a unique signature ID (SID) that appears in each
alert the rule generates.

Figure 19: Classification of Rules


3. In the following screenshot, Suricata offers four rule action selections: Default, Alert,
Drop and Reject. Default removes any user override and restores the action defined in the
ruleset. Alert logs the match and leaves the packet untouched, so the administrator can
examine the traffic (in Legacy Mode with blocking enabled, the alert is what triggers the host
block). Drop silently discards the packet, so the sender receives no feedback; this takes effect
only when Suricata is inline, since in Legacy Mode the packet has already been forwarded.
Reject also discards the packet but additionally notifies the sender, with a TCP RST for TCP
flows or an ICMP unreachable message for other protocols, so the client fails immediately
instead of waiting for a timeout.
Figure 20: Rule Action Selection
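For reference, the three actions above as they are written in a Suricata rule file. This is an added example written for this edit, not rules from the project or from any vendor ruleset; the blacklisted address 198.51.100.7 and the SIDs in the local range 1000001 to 1000003 are assumed values, and $HOME_NET and $EXTERNAL_NET are the address variables set on the interface in the previous steps.

```conf
# Local rules for the blacklist scenario (added example; SIDs 1000001-1000003
# are local-range values chosen here, not rules from the project or a vendor).

# Alert only: log any connection attempt from the LAN to the blacklisted host.
alert ip $HOME_NET any -> 198.51.100.7 any (msg:"LOCAL blacklisted destination contacted"; classtype:policy-violation; sid:1000001; rev:1;)

# Drop silently: same match, but the packet is discarded. This only works in
# Inline Mode; in Legacy Mode Suricata sees a copy, so the packet has already
# passed and the alert is used to add the host to the pf block table instead.
drop tcp $HOME_NET any -> 198.51.100.7 any (msg:"LOCAL blacklisted destination blocked"; flow:to_server; classtype:policy-violation; sid:1000002; rev:1;)

# Reject: drop and answer with a TCP RST so the client fails fast instead of
# waiting for a timeout; for UDP Suricata sends an ICMP unreachable instead.
reject tcp $HOME_NET any -> 198.51.100.7 80 (msg:"LOCAL blacklisted web server rejected"; flow:to_server,established; content:"GET"; http_method; classtype:policy-violation; sid:1000003; rev:1;)
```

On pfSense these lines go into the interface's custom rules, and the rev number must be incremented whenever a rule is changed so that alert logs can be matched to the rule version that produced them.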

4. The following screen shows the alert entries raised by rules whose action is Alert. As
mentioned above, each entry shows the generator ID and signature ID (GID:SID) of the rule
that produced it.

Figure 21: Suricata Alert Entries

In this project pfSense manages and enforces the rules defined in Suricata, and its multi-LAN
and load-balancing features can be used to spread network load.
1.9 Results
The objective of this project was to develop a cost-effective yet practical intrusion detection
and prevention system, and the results obtained show that it has been achieved. The system
inspects incoming and outgoing network traffic against the rules set by the network
administrator and generates alerts when users violate them. For instance, if a monitored
computer tries to reach an IP address that the administrator has blacklisted, an alert is raised
for the administrator, who may then grant or restrict access to that IP address or website. The
administrator can also attach a time range to the decision, so that a restriction applies only
for a certain period. Restrictions can likewise be applied to one direction of traffic only:
internal users may be allowed to reach an external network while that external network is
prevented from sending anything to the hosts protected by the IDS/IPS.

Figure 22: Violation Log


The screenshot above shows the logs generated for the violations committed by the users.
Every simulated violation of the administrator's rules produced the expected alert, so the
detection rate against the configured rules was 100 percent, which demonstrates the success
of the project; this figure covers only the rules and traffic used in the test, and the
false-positive rate on production traffic would have to be measured separately. A prominent
feature of the system is its ability to keep these logs for a pre-defined period. This data can be
used to write new rules or to model user behaviour within the network. The project therefore
meets its goals and works as intended.
1.10 Summary
This report is part of a final-year project and a mandatory requirement of it. The goal was to
develop a system that functions primarily as an intrusion detection system, with a secondary
focus on intrusion prevention. The project has achieved these objectives. The system follows a
hybrid approach in which Suricata, a widely used IDS engine, is combined with pfSense, an
open-source firewall, to form an intrusion detection and prevention system. The system can
monitor and control traffic in both directions, incoming and outgoing, and lets the network
administrator specify rules and patterns to watch for. Following these signature patterns, the
system accurately intercepts suspicious or unwanted traffic. These attributes make the project
a desirable intrusion detection and prevention system.
On the theoretical side, the report examines the system's attributes and functionality to
provide a sound basis for its practical implementation. It provides background on the tools
used throughout the project and briefly describes the concepts of IDSs and IPSs so that they are
understood before being implemented. All in all, the report covers the theoretical and practical
aspects of the project in sequence, so that it can serve as a guideline for future students.
References:
[1] K. Thakur, M. Qiu, K. Gai, and M. L. Ali, “An Investigation on Cyber
Security Threats and Security Models,” in Proceedings - 2nd IEEE
International Conference on Cyber Security and Cloud Computing, CSCloud
2015 - IEEE International Symposium of Smart Cloud, IEEE SSC 2015, Jan.
2016, pp. 307–311, doi: 10.1109/CSCloud.2015.71.
[2] S. Walker-Roberts, M. Hammoudeh, O. Aldabbas, M. Aydin, and A.
Dehghantanha, “Threats on the horizon: understanding security threats in the
era of cyber-physical systems,” J. Supercomput., vol. 76, no. 4, pp. 2643–
2664, Apr. 2020, doi: 10.1007/s11227-019-03028-9.
[3] I. Sharafaldin, A. Gharib, A. H. Lashkari, and A. A. Ghorbani, “Towards a
Reliable Intrusion Detection Benchmark Dataset,” Softw. Netw., vol. 2017, no.
1, pp. 177–200, Jan. 2017, doi: 10.13052/jsn2445-9739.2017.009.
[4] J. S. White, T. Fitzsimmons, and J. N. Matthews, “Quantitative analysis of
intrusion detection systems: Snort and Suricata,” in Cyber Sensing 2013, May
2013, vol. 8757, p. 875704, doi: 10.1117/12.2015616.
[5] A. Gharib, I. Sharafaldin, A. H. Lashkari, and A. A. Ghorbani, “An Evaluation
Framework for Intrusion Detection Dataset,” Mar. 2017, doi:
10.1109/ICISSEC.2016.7885840.
[6] VMWARE, “VMware ASEAN - Delivering a Digital Foundation For
Businesses | ASEAN,” 2020.
[7] K. Wong, C. Dillabaugh, N. Seddigh, and B. Nandy, “Enhancing Suricata
intrusion detection system for cyber security in SCADA networks,” Jun. 2017,
doi: 10.1109/CCECE.2017.7946818.
[8] S. A. R. Shah and B. Issac, “Performance comparison of intrusion detection
systems and application of machine learning to Snort system,” Futur. Gener.
Comput. Syst., vol. 80, pp. 157–170, Mar. 2018, doi:
10.1016/j.future.2017.10.016.
[9] N. M. D. Ulsch, Cyber Threat! Wiley, 2014.
[10] D. A. Effendy, K. Kusrini, and S. Sudarmawan, “Classification of intrusion
detection system (IDS) based on computer network,” in Proceedings - 2017
2nd International Conferences on Information Technology, Information
Systems and Electrical Engineering, ICITISEE 2017, Feb. 2018, vol. 2018-
January, pp. 90–94, doi: 10.1109/ICITISEE.2017.8285566.
[11] M. Aldwairi, A. M. Abu-Dalo, and M. Jarrah, “Pattern matching of signature-
based ids using myers algorithm under mapreduce framework,” Eurasip J. Inf.
Secur., vol. 2017, no. 1, p. 9, Dec. 2017, doi: 10.1186/s13635-017-0062-7.
[12] H. Li, F. Wei, and H. Hu, “Enabling dynamic network access control with
anomaly-based IDS and SDN,” in SDN-NFV 2019 - Proceedings of the ACM
International Workshop on Security in Software Defined Networks and
Network Function Virtualization, co-located with CODASPY 2019, Mar. 2019,
pp. 13–16, doi: 10.1145/3309194.3309199.
[13] H. Bostani and M. Sheikhan, “Hybrid of anomaly-based and specification-
based IDS for Internet of Things using unsupervised OPF based on
MapReduce approach,” Comput. Commun., vol. 98, pp. 52–71, Jan. 2017, doi:
10.1016/j.comcom.2016.12.001.
[14] P. S. Kenkre, A. Pai, and L. Colaco, “Real time intrusion detection and
prevention system,” in Advances in Intelligent Systems and Computing, 2014,
vol. 327, pp. 405–411, doi: 10.1007/978-3-319-11933-5_44.
[15] P. G. Bringas and Y. K. Penya, “Next-generation misuse and anomaly
prevention system,” Lect. Notes Bus. Inf. Process., vol. 19, pp. 117–129, 2009,
doi: 10.1007/978-3-642-00670-8_9.
[16] A. Hussein Al-Hamami, M. Ghossoon, and W. Al-Saasoon, “Development of
a network-based intrusion prevention system using a data mining approach,”
in Science and Information Conference 2013, 2013.
[17] N. Chakraborty, “INTRUSION DETECTION SYSTEM AND INTRUSION
PREVENTION SYSTEM: A COMPARATIVE STUDY,” Int. J. Comput.
Bus. Res., 2013.
[18] B. Joll, K. Rhodes, and J. Deerman, “Patent Application Publication | Cyber
Behavior Analysis and Detection Method, System and Architecture,” Dec.
2014.
[19] S. Nari and A. A. Ghorbani, “Automated malware classification based on
network behavior,” in 2013 International Conference on Computing,
Networking and Communications, ICNC 2013, 2013, pp. 642–647, doi:
10.1109/ICCNC.2013.6504162.
[20] M. Sun, M. Zheng, J. C. S. Lui, and X. Jiang, “Design and implementation of
an android host-based intrusion prevention system,” in ACM International
Conference Proceeding Series, Dec. 2014, vol. 2014-December, no.
December, pp. 226–235, doi: 10.1145/2664243.2664245.
[21] M. Muthukumar, P. Senthilkumar, and M. Jawahar, “Firewall Scheduling and
Routing Using pfSense,” in Advances in Intelligent Systems and Computing,
2021, vol. 1172, pp. 749–757, doi: 10.1007/978-981-15-5566-4_67.
[22] Q. Hu, S. Y. Yu, and M. R. Asghar, “Analysing performance issues of open-
source intrusion detection systems in high-speed networks,” J. Inf. Secur.
Appl., vol. 51, p. 102426, Apr. 2020, doi: 10.1016/j.jisa.2019.102426.
[23] AT&T Cybersecurity, “Suricata IDS: An overview of threading capabilities,”
2019.
