Module 04: Network Perimeter Security

2 Hr 11 Min Remaining
Instructions Resources Help 100%
Exercise 6: Implementing Network-based IDS Functionality
Using Suricata IDS

Real-time Intrusion Detection is a requirement for today’s networks. With the help of various tools and
techniques, it is possible identifying known and potentially harmful attacks.

Lab Scenario

Network defenders can use Suricata for real-time Intrusion Detection System (IDS), inline Intrusion
Prevention System (IPS), Network Security Monitoring (NSM), and offline pcap processing.

Lab Objectives

This lab will demonstrate how to use Suricata IDS.

In this lab, you will learn how to:

• Use the intrusion detection tool Suricata

• Review information in the Suricata Logs.

Overview of Suricata IDS

Suricata is an open-source network intrusion prevention system. It is a fast and robust network threat
detection engine. Suricata uses rules and signature language for inspecting network traffic. The IDS
performs intrusion detection and attempts to stop detected incidents. Suricata supports standard
input-output formats such as YAML and JSON, which can be easily integrated with various SIEM tools
like Splunk, Logstash/Elasticsearch, and Kibana.

Lab Tasks

1. Click Admin Machine-1 to launch Admin MAchine-1 VM.

2. Click Ctrl+Alt+Delete link to login to Admin-Machine-1.
3. By default, Admin account is selected, click admin@123 and press Enter to login.
4. Next, install Splunk Enterprise SIEM, to view the captured Suricata logs in SIEM.
5. Navigate to Z:\CND-Tools\Lab Prerequisites\Splunk Enterprise.
 6. Double-click splunk-8.0.1-6db836e2fb9e-x64-release.msi to start the installation.
If the Open File - Security Warning pop-up appears, click Run.

If a "SmartScreen has prevented the app from running" message appears, click More info, and then
click Run anyway.

7. The Splunk Enterprise Installer window appears. Click checkbox to accept the license
agreement and click Next.
8. Enter the credential for Splunk Enterprise with username admin, password and
confirm password as admin@123. Click Next.
9. Click Install to install Splunk Enterprise.
10. The User Account Control pop-up window appears; click Yes to continue.
11. Wait for the installation to complete. Click Finish to complete the Splunk Enterprise
setup.
12. Splunk Enterprise launches in your default browser.
13. The First time signing in? page appears. Enter the username (admin) and password
(provided while installation as admin@123) in their respective fields and click Sign in.
14. You will be successfully logged in to Splunk Enterprise.
15. Close the browser, to increase the default maximum number of concurrent of
searches per CUP in Splunk Enterprise, navigate to C:\Program
Files\Splunk\etc\system\default.

16. If the permission alert window opens, click Continue to access the Splunk folder.
17. Open limits.conf with Notepad++.
18. Go to line number 145 and set max_searches_per_cpu=2; click save and close the
file.
19. Restart the Admin Machine-1
20. The Suricata IDS configuration needs to be on the web server; therefore, we need to
configure the Suricata IDS on Web Server.
21. Click Web Server to launch WebServer VM.
22. Click Ctrl+Alt+Delete link to log in.
23. The default Administrator user is selected type password as admin@123 and
press Enter.
24. Navigate to Z:\CND-Tools\CNDv2 Module 04 Network Perimeter
Security\Suricata and copy npcap-0.99-r7.exe
 25. Paste the npcap-0.99-r7.exe file on the desktop.
26. Npcap is a tool used for network packet capturing and injection library for Windows.
27. Suricata uses npcap for capturing network packets and alerts. The following steps
demonstrate the installation of the npcap tool.
28. Double click on npcap-0.99-r7.exe. Click on I Agree to continue the installation.

If Security Warning popup appears, click Run.

29. By-default Install Npcap in WinPcap API-compatible Mode is checked, and
click Install. If it is not checked, then check it.
30. The installation will start in a few seconds. Once the installation is completed
successfully, click Next to continue.
31. Click Finish to complete the installation.
32. Navigate to Z:\CND-Tools\CNDv2 Module 04 Network Perimeter
Security\Suricata and copy Suricata-4.1.4-1-64bit.msi
33. Paste the Suricata-4.1.4-1-64bit.msi file on the desktop.
34. Double click Suricata-4.1.4-1-64bit.msi. The Suricata.IDS/IPS2.1.2-1-64bit Setup
window will appear. Click Next.
35. Check I accept the terms in the License Agreement to accept the license, and
click Next.
36. Click Next to continue the installation as shown in the screenshot below.
37. Click Install to continue the installation process.
38. Click Finish to complete the installation process.
39. After Suricata IDS is successfully installed, the Suricata directory will be created
under the C:\Program Files\Suricata.
40. From Windows search, Open Notepad and save the empty threshold.config file
under C:\Program Files\Suricata\ location as shown in the screenshot below (Ensure
that you have selected All Files in the Save as type: option while saving the file).
41. The threshold.config file will be created as shown in the screenshot below.
 42. The Suricata IDS generates the alert based on the ruleset. A network defender can
set the custom rule using the .rule file as shown in the following steps.
43. First, the local.rule file needs to be created. The local.rule file includes custom rules.
We can create 'n' number of files for various rules (the rule file must have
a .rule extension).
44. Here, we have created a rule for generating a PING alert.
45. Open Notepad, and type the following:

alert tcp any 21 -> any any (msg:”ET SCAN Potential FTP Brute-Force attempt”;
flow:from_server,established; dsize:<100; content:”530 “; depth:4;
pcre:”/530\s+(Login|User|Failed|Not)/smi”; classtype:unsuccessful-user; threshold:
type threshold, track by_dst, count 5, seconds 300;)
46. Save the file as local.rules under the C:\Program Files\Suricata\rules location as
shown in the screenshot below (Ensure that you have selected All Files in the Save as
type option while saving the file).
47. Navigate to C:\Program Files\Suricata, and open suricata.yaml file in Notepad++.
48. The suricata.yaml file opens in Notepad++.
49. To comment on the default rules files, select line numbers 1866 to 1910, navigate to
the Edit menu, and select Comment/Uncomment->Block Comment as shown in the
screenshot below.
50. Add – local.rules below the line number 1865 as shown in the screenshot below,
and click Save.
51. Close the opened folders and files.
52. Navigate to C:\Program Files\Suricata\log. Observe that there is no log file under
the log\files directory.
53. We will capture the Suricata logs in Splunk, next we forward Suricata logs to Splunk
on the monitoring machine using Splunkforwarder.
54. To install Splunk forwarder, Navigate to Z:\CND-Tools\CNDv2 Module 04
Network Perimeter Security\Splunk Forwarder
55. Double-click on splunkforwarder-7.3.2-c60db69f8e32-x64-release.msi.
If a security warning pop-up appears, click on Run.

56. Once the UniversalForwarder Setup window appears, check Check the box to
accept the License Agreement and click on Customize Options.
57. Leave the installation path set to the default location and click on Next.
58. Click on Next in the Splunk certificate section.
59. In the next step, select the Local System radio button to install Universal Forwarder
as a Local System and click on Next.
60. Next, check all entities under Windows Event Logs, Active Directory Monitoring and
Performance Monitor and click on Next.
61. Create credentials for the administrator account; type username "admin" and
password "admin@123" and click on Next.
62. Leave the Deployment Server section without issuing the deployment IP and port
number details, and click on Next.
63. In the Receiving Indexer section, enter the IP address for Admin Machine-1,
namely, 10.10.10.2 in the Hostname or IP field; enter Port 9997 in the port field and
click on Next.
64. Once you are through with the configuration, click on Install. At this time, if a User
Account Control pop-up appears, click on Yes.
65. Click on Finish after the installation completes.
You do not need any explicit configuration for Splunk Forwarder to collect Windows event logs,
since Splunk Forwarder has default configuration done during installation. You need to configure
Splunk Forwarder explicitly to collect logs from IIS and Snort IDS.

66. To configure Splunk Universal Forwarder to collect IIS logs from the Web Server
machine, go to the Web Server VM.
67. Navigate to C:\Program Files\SplunkUniversalForwarder\etc\system\local, right-
click on inputs.conf, and then on Edit with Notepad++.
 68. Add the following lines in the inputs.conf file like in the below screenshot.
[monitor://C:\inetpub\logs\logfiles]
sourcetype=iis
ignoreOlderThan =14d
host = WebServer
69. Click on Save to save the file and close it.
70. Right-click on outputs.conf, and then on Edit with Notepad++.
 71. Add the following lines in the outputs.conf file, as shown in the screenshot below.
[iis*]
Pulldown_type=true
MAXTIMESTAMPLOOKAHEAD =32
SHOULD_LINEMERGE = False
CHECK_FOR_HEADER
REPORT – iis2 =iis2
 72. Click on Save to save the file and then Close it.
73. Open Notepad and type the below code.

[iis*]
Pulldown_type=true
MAXTIMESTAMPLOOKAHEAD =32
SHOULD_LINEMERGE =False
CHECK_FOR_HEADER
REPORT -iis2 =iis2

74. Save the notepad as props.conf at C:\Program

Files\SplunkUniversalForwarder\etc\system\local path and close the file.

Ensure you have selected Save type as: All Files while saving the props.conf file.
 75. Open Notepad again, add the following lines in the new opened file and save the file
as transforms.conf at C:\Program
Files\SplunkUniversalForwarder\etc\system\local.

Ensure you have selected Save type as: All Files while saving the transforms.conf file.
[default]
host -WebServer

[ignore_comments]
REGEX = ^#.*
DEST_KEY =queue
FORMAT =nullQueue

[iis2]
DELIMS =" "
FIELDS = date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status
sc-bytes cs-bytes time-taken
 76. To forward the Suricata logs, navigate to the C:\Program
Files\SplunkUniversalForwarder\etc\system\local folder and
open inputs.conf file Edit with Notepad++. Add the following configuration lines of
code at the end of the file and Save. Close the file.
[monitor://C:\Program Files\Suricata\log]
sourcetyp=suricatata
ignoreOlderThan =14d
host = WebServer
77. Close all open files in Notepad.
78. Navigate to Windows Start -> Administrative Tools. Double-click on Services in
the Administrative Tools window. The services window opens, search for
SplunkForwarder Service.
 79. Click on SplunkForwarder Service, and then Restart the service.

If an error occurs while restarting, click Start again.

80. Next, launch Suricata to capture the network traffic, navigate to the desktop, and
double click the Suricata-4.1.4-64bit IDS-IPS shortcut.
81. The Suricata Command Prompt will open.
82. Type the suricata.exe -c suricata.yaml -i 10.10.10.16 command to run Suricata for
capturing network traffic, and press Enter.
83. The Suricata engine will start. Leave the command prompt open and Suricata
running.
84. We need to perform the attack from the attacker machine to the Webserver. Suricata
will then generate the alert and store it in the fast.log file.
85. The fast.log file is the default alert log file that is already set into the suricatata.yaml
file.
86. Click Attacker Machine to launch AttackerMachine VM.
87. Select username as Bob and type password as user@123 and press Enter.
 88. To perform a brute-force attack, use the tool Hydra from Ubuntu OS (Attacker
Machine).

Hydra uses two files for performing a brute-force attack. The first file has the list of usernames, and
the second file has a list of passwords. Hydra uses these lists of usernames and passwords for
performing a brute-force attack.

89. Press ctrt + alt + t to open the terminal, type hydra -L 'wrd.txt' -P 'pwd.txt'
ftp://10.10.10.16, and Press Enter.
90. The Attacker Machine will try to match the combination of usernames and
passwords with the Webserver.
91. The matched username and password are shown in the terminal in green color.
92. After the attack is complete, switch to Admin Machine-1 VM.
93. Click Ctrl+Alt+Delete Link to login.
94. By default the username Admin is selected type password admin@123 and
press Enter.
95. The Network pane appears, click Yes.
96. Launch the web browser, and access Splunk Enterprise with the
URL http://localhost:8000/en-US/account/login?.
97. Log in with the username admin and password admin@123
If the Splunk Enterprise page is not opening, make sure the splunkd service is running. If not, then
press "Windows+R" on your keyboard and type "services.msc". Click on OK. Next, the Services
window opens. Search for the splunkd service and restart. Wait for the service to start.

If Important Changes coming! pop-up appears, click Don't show me this again.

98. The Splunk web console appears; click Settings menu, select Forwarding and
receiving link under the DATA section.
99. The Forwarding and receiving console will appear. This is where a new instance will
be added to receive the data forwarded from Universal Forwarder. Click on the +Add
new link in the bottom right corner to Configure receiving.
100. The Add new console appears; in the Listen on this port* field, type 9997 and
click on Save.
101. Once the port is added, go to Apps menu, and then select Manage Apps.
102. The Apps console appears; click on the Enable link toward the extreme right
associated with the SplunkForwarder application.
103. When the application is enabled, click on Edit properties under Actions column
associated with SplunkForwarder.
104. The SplunkForwarder console appears; click on Yes under the Visible section, and
then on Save.
105. Go to Settings and select Server controls under the SYSTEM section.
106. The Server controls console appears; click on Restart Splunk. A confirmation
pop-up appears; click on OK.
107. Wait for few seconds, on a successful restart, a pop-up appears with the message
“Restart successful. Click OK to log back into Splunk. Click on OK.
108. You will be redirected to the login page. Enter the user
credentials(username admin and password admin@123) and click on Sign in.
If Splunk is properly not restarted, click Restart Splunk again.

109. Once you log in, click on Apps -> SplunkForwarder from menu.
Make sure Splunk Forwarder service is running. If it is not running, start the Splunkforwarder service
in Windows services.

110. The Search console appears; click on Data Summary under the What to Search
section.
111. The Data Summary pop-up appears. Select the Sources(_) tab, wait for sometime,
and then click the C:\Program Files\Suricata\log\fast.log link to continue.
112. Once the fast.log file is selected, the page redirects to the search page and
displays the detailed logs.
113. The brute-force attempt was made from Attacker Machine (10.10.10.50) to the
Webserver (10.10.10.16).
114. Close the web browser in Admin Machine-1 VM.
115. Close all the opened windows in Web Server VM.