Lab 13 | Using an Intrusion Detection System
This lab followed a similar network setup to the previous lab, except that we used SECONION instead of PFSENSE.
This lab was brief and had us work through some exercises involving SECONION. We played around with different forms of traffic that SECONION picked up; SECONION proved capable of showing the detail of the traffic that passed through it, as well as filtering out unwanted alerts.
First demonstrated was the ability to intercept packets; much like Wireshark, we can view their contents and details. Speaking of Wireshark, it is possible to open the probe within Wireshark as well as in other programs.
As demonstrated in the lab, it is possible to dismiss alerts so that they no longer appear in the Sguil interface if they are not relevant to you; this information is still stored in the database, however, if you wish to use it another time.
In the second exercise we explored the ability to block alerts by SID. Although we didn't put it into practice, it is also possible to configure Sguil to auto-categorize the event, to only alert you if the rule is triggered a certain number of times, or to add further conditions required to trigger the rule.
The third exercise was another simple task which had us run some penetration tests from Kali and observe the results in Sguil. A Zenmap scan produced a small number of alerts, which we categorized as 'reconnaissance'. We also executed a DoS attack, which produced an enormous number of results in Sguil from the repetitive packets passing into the network.
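The tuning knobs mentioned in the second and third exercises (dismissing a SID, only alerting after a rule fires a number of times, categorising the scan alerts, and the flood of near-identical alerts a DoS produces) are easier to see in code. The block below is an added example, not part of the lab and not Security Onion's or Sguil's own code: it parses Snort-style fast.log alert lines and applies a SID suppression list, a per-source "limit" window and a SID-to-category map, which is what Snort's `suppress` and `event_filter ... type limit` entries in threshold.conf and an analyst's categorisation in Sguil do. All SIDs (chosen in the 1000000+ range Snort reserves for local rules), hosts, messages, the junk line and the parser regex are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# One Snort/Suricata "fast" alert per line; ports are optional because ICMP
# alerts carry none. Regex written for this example.
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)
_EPOCH = datetime(1900, 1, 1)  # fast.log has no year; strptime defaults to 1900


def parse_fast_alert(line):
    """Return a dict for one fast.log line, or None if it is not an alert."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["gid"], a["sid"], a["prio"] = int(a["gid"]), int(a["sid"]), int(a["prio"])
    a["t"] = (datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f") - _EPOCH).total_seconds()
    return a


class AlertFilter:
    """suppress_sids: drop the SID outright (Snort: suppress gen_id 1, sig_id N).
    limits: at most `count` alerts per (sid, src) every `seconds`
            (Snort: event_filter ... type limit, track by_src, count C, seconds S).
    categories: label passed alerts by SID, as an analyst does in Sguil."""

    def __init__(self, suppress_sids=(), limits=None, categories=None):
        self.suppress_sids = set(suppress_sids)
        self.limits = dict(limits or {})          # sid -> (count, seconds)
        self.categories = dict(categories or {})  # sid -> category label
        self._windows = {}                        # (sid, src) -> (window_start, seen)

    def process(self, a):
        """Return (verdict, category); verdict is suppressed|thresholded|alert."""
        sid = a["sid"]
        if sid in self.suppress_sids:
            return "suppressed", None
        if sid in self.limits:
            count, seconds = self.limits[sid]
            key = (sid, a["src"])
            start, seen = self._windows.get(key, (None, 0))
            if start is None or a["t"] - start >= seconds:
                start, seen = a["t"], 0           # window expired: open a new one
            seen += 1
            self._windows[key] = (start, seen)
            if seen > count:
                return "thresholded", None
        return "alert", self.categories.get(sid, "uncategorised")


def triage(lines, flt):
    """Run lines through the filter; report what the console shows vs. drops."""
    s = {"parsed": 0, "unparsed": 0, "suppressed": 0, "thresholded": 0,
         "alerts": 0, "by_category": defaultdict(int), "shown": []}
    for line in lines:
        a = parse_fast_alert(line)
        if a is None:
            s["unparsed"] += 1
            continue
        s["parsed"] += 1
        verdict, cat = flt.process(a)
        if verdict == "alert":
            s["alerts"] += 1
            s["by_category"][cat] += 1
            s["shown"].append((a["sid"], a["src"], a["msg"]))
        else:
            s[verdict] += 1
    s["by_category"] = dict(s["by_category"])
    return s


# Constructed sample: a scan from a Kali-like host, an ICMP alert we do not
# care about, one junk line, and (via synflood) a burst of repetitive DoS alerts.
SCAN_AND_NOISE = [
    "03/12-10:01:05.100000  [**] [1:1000001:1] LOCAL Nmap SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:41234 -> 192.168.1.10:22",
    "03/12-10:01:05.300000  [**] [1:1000002:1] LOCAL Nmap version probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:41235 -> 192.168.1.10:80",
    "03/12-10:02:00.000000  [**] [1:1000003:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.50 -> 192.168.1.10",
    "not an alert line; counted as unparsed",
]


def synflood(n, sid=1000004):
    """n near-identical alerts, ten per second, as a SYN flood produces (n < 600)."""
    return [
        f"03/12-10:05:{i // 10:02d}.{(i % 10) * 100000:06d}  [**] [1:{sid}:1] LOCAL SYN flood "
        f"[**] [Classification: Attempted Denial of Service] [Priority: 2] "
        f"{{TCP}} 192.168.1.50:{40000 + i} -> 192.168.1.10:80"
        for i in range(n)
    ]


def default_filter():
    return AlertFilter(
        suppress_sids={1000003},                  # dismiss the ICMP alert by SID
        limits={1000004: (1, 60)},                # flood: 1 alert per source per minute
        categories={1000001: "reconnaissance", 1000002: "reconnaissance",
                    1000004: "denial of service"},
    )


if __name__ == "__main__":
    s = triage(SCAN_AND_NOISE + synflood(300), default_filter())
    print({k: v for k, v in s.items() if k != "shown"}, s["shown"], sep="\n")
```

Running it leaves 3 alerts to look at out of 303 parsed: the two reconnaissance alerts and a single "denial of service" alert standing in for the 299 repeats behind it, with the ICMP alert dropped by SID. As the lab notes for Sguil, dismissing is not deleting: here the suppressed and thresholded alerts are still counted, and a real deployment keeps them in the database for later review.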
Lab Questions
Ex 3 | 15
You can use the panel in the bottom-left to show the packet contents and the rule that produced a signature match for this event by clicking to check the boxes. Make a note of the rule SID:
SID highlighted in the picture below.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBHd40GnV_4kRcnVUs_hby3i0tA2vH0bYmBqEQIcWRIhnz_Y6wGqKsANcjLgd6ODDijPhJx0FTKB6PTiWgVhspQwjVc-9YjJJD0mc7-8VCzsLXq2srWPhyphenhyphenP7jBdOtqKlyFiEyueKTZTWE/s640/lab13+2.PNG)
Critical Thinking & Analysis
From this lab, I have discerned that using an IDS sensor to monitor traffic coming through your internet-facing interface can prove valuable, especially if you are performing network analysis from a security point of view. In this lab we tested our sensor on traffic coming into the network; I am curious as to how this could be used to monitor traffic leaving the network, which is more critical.
If I were employed as a network analyst, I can see the potential for utilizing this type of software to identify unwanted traffic in the network; given the ability to filter and categorize alerts, you can effectively set it up to only produce alerts of substance that are of use to you. Sguil possesses the ability to send email alerts upon the triggering of specified alert categories; this allows you to set Sguil up for around-the-clock monitoring and establish some form of response system that is ready no matter what the time is. Of course, in a smaller company this can also be of use, as a small IT team would enjoy the convenience of emailed alerts without having to persistently remember to check the software. Setting things up with automation can be integral to finding space within your work hours to instead focus on innovating and working on alternative tasks.
Implementing a sensor in your network effectively adds another level of security in the form of event-driven analysis.