IDS/IPS & Firewall Evasion Lab

Master intrusion detection systems, evasion techniques, and defensive countermeasures

0%
0 / 75 XP
Theory
Network Diagram
Snort Rule Builder
Evasion Simulator
Alert Classification
TTL Attack
Firewall Analyzer
Final Quiz

IDS vs IPS: Understanding the Fundamentals

Feature IDS (Intrusion Detection System) IPS (Intrusion Prevention System)
Primary Function Detects and alerts on suspicious activity Detects AND blocks malicious traffic
Deployment Out-of-band (monitoring mode) Inline (traffic passes through)
Response Passive - generates alerts Active - drops packets, blocks IPs
Impact on Traffic No impact (monitor only) Can introduce latency
False Positive Risk Alert fatigue Blocking legitimate traffic

Network-Based vs Host-Based

NIDS/NIPS (Network)

  • Monitors network traffic at strategic points
  • Analyzes packet headers and payloads
  • Protects multiple hosts simultaneously
  • Examples: Snort, Suricata, Zeek
  • Deployment: Span ports, network taps

HIDS/HIPS (Host)

  • Installed on individual systems
  • Monitors system calls, file integrity, logs
  • Can detect local privilege escalation
  • Examples: OSSEC, Tripwire, SELinux
  • Sees encrypted traffic after decryption

Alert Classification Matrix

True Positive (TP): Attack occurred AND IDS detected it ✓
False Positive (FP): No attack occurred BUT IDS alerted ✗
True Negative (TN): No attack occurred AND no alert ✓
False Negative (FN): Attack occurred BUT IDS missed it ✗✗
False Negatives are the most dangerous - attackers succeed undetected. False Positives cause alert fatigue and waste resources.

Major IDS/IPS Solutions

Snort - Open-source NIDS/NIPS, signature-based detection Suricata - Multi-threaded IDS/IPS, protocol analysis Zeek (Bro) - Network analysis framework, scripting capability AlienVault OSSIM - Unified security management platform YARA - Pattern matching for malware detection Security Onion - Complete IDS distribution

Firewall Types & Technologies

Packet Filtering

First generation - examines header information (IP, port, protocol). Fast but limited context awareness.

Stateful Inspection

Tracks connection state, remembers sessions. Can validate TCP handshakes and track return traffic.

Application Layer

Deep packet inspection, understands protocols (HTTP, FTP, DNS). Can filter based on content.

Next-Gen Firewalls (NGFW)

Combines traditional firewall with IPS, application awareness, threat intelligence, and SSL inspection.

Honeypots & Deception Systems

Honeypots are intentionally vulnerable systems designed to attract and detect attackers. They provide early warning and intelligence about attack methods.
  • Low-interaction: Simulated services (honeyd)
  • High-interaction: Real systems with monitoring (Honeynets)
  • Production honeypots: Detect internal threats
  • Research honeypots: Collect attack data

IDS/IPS Network Placement

Click on network components to learn about IDS/IPS placement strategies

Internet
Perimeter FW
NIDS #1
External
DMZ
Internal FW
NIPS #2
Inline
Internal LAN
HIDS
Host-based
Honeypot
Select a component to view its role in network security architecture.

Snort Rule Builder

Create custom Snort IDS rules and understand the syntax

Snort Rule Structure:
<action> <protocol> <src_ip> <src_port> <direction> <dst_ip> <dst_port> (rule options)

Rule Configuration

Generated Snort Rule

alert tcp any any -> any 80 (msg:"Suspicious traffic detected"; sid:1000001; rev:1;)
Common Rule Options:
  • content:"string" - Match specific payload content
  • flags:S - Match TCP flags (S=SYN, A=ACK, F=FIN)
  • flow:to_server,established - Match connection state
  • byte_test - Test byte values
  • pcre:"/regex/" - Perl-compatible regex matching
  • threshold:type limit, track by_src, count 5, seconds 60 - Rate limiting

Example Rules

# Detect SQL injection attempts alert tcp any any -> any 80 (msg:"SQL Injection Attempt"; content:"union"; nocase; content:"select"; nocase; sid:1000002;) # Detect port scan (SYN scan) alert tcp any any -> any any (msg:"Possible SYN Scan"; flags:S; threshold:type threshold, track by_src, count 20, seconds 10; sid:1000003;) # Detect reverse shell alert tcp any any -> any any (msg:"Reverse Shell Detected"; content:"/bin/sh"; flow:to_server,established; sid:1000004;) # Detect Nmap version scan alert tcp any any -> any any (msg:"Nmap Version Scan"; content:"|00|"; depth:1; flow:to_server; sid:1000005;)

IDS/IPS Evasion Technique Simulator

Packet Fragmentation

Split attack payload across multiple small packets to evade signature matching. IDS may not reassemble fragments.

Decoy Scanning

Generate traffic from multiple spoofed source IPs to hide the real attacker among noise.

Session Splicing

Insert time delays between packets to avoid pattern matching within IDS timeout windows.

Encoding (Unicode/Base64)

Obfuscate payload using various encoding schemes that application decodes but IDS doesn't recognize.

TTL Manipulation

Send packets with TTL values that expire before reaching target but after IDS, causing insertion attacks.

IDS DoS (Fail Open)

Overwhelm IDS with traffic to cause resource exhaustion, forcing it to fail open and stop inspecting.

Select an Evasion Technique

IDS
Status: Idle
Click a technique above to see the evasion simulation in action.
Mitigation Strategies:
  • Fragment reassembly: Reconstruct packets before inspection
  • Stream normalization: Standardize traffic before analysis
  • Protocol validation: Enforce RFC compliance
  • Anomaly detection: Baseline normal behavior, flag deviations
  • Multiple detection layers: Network + host-based + behavioral
  • Regular updates: Keep signatures and rules current
  • Proper tuning: Reduce false positives/negatives

Alert Classification Exercise

Classify each scenario as TP, FP, TN, or FN

TTL Manipulation Attack Simulator

TTL Attack Principle: By crafting packets with specific TTL values, an attacker can send packets that the IDS sees but the target doesn't (insertion), or that the target sees but the IDS doesn't (evasion).

Network Topology

Attacker
Router 1
TTL--
IDS
Router 2
TTL--
Target
How it works:
  • Insertion: Send packet with TTL=3. IDS at hop 3 sees it, but packet expires before reaching target at hop 5. IDS may false positive on benign follow-up traffic.
  • Evasion: Send malicious packet fragments with varying TTLs. Some expire at IDS, others reach target. Target reassembles attack, IDS sees incomplete benign data.
  • Defense: IDS should match exact network topology and TTL decrements, normalize streams

Firewall Rule Analyzer

Analyze firewall rules for security issues and optimization opportunities

Enter Firewall Rules (iptables format)

Analysis will appear here...

Rule Order Matters

Firewalls process rules top-to-bottom. Most specific rules should come first. A broad ACCEPT before specific DROPs makes drops ineffective.

Default Deny

Always end with a default DROP/REJECT rule. Whitelist approach is more secure than blacklist.

State Tracking

Use stateful rules (ESTABLISHED,RELATED) to allow return traffic without opening unnecessary inbound ports.

Logging

Log dropped packets for forensics and tuning, but rate-limit to prevent log flooding DoS.

Final Assessment Quiz

Test your knowledge of IDS/IPS and evasion techniques (12 questions)

Vault Navigation

Return to the Dark Arts vault to continue your training

Return to Dark Arts Vault