
IDS (Intrusion Detection Systems)

What is an intrusion detection system?

It sits between the local area network and the firewall. We want to protect our LAN as well as we can, so putting an IDS in place lets us set up alerts for anything we deem to be a security risk.

To further show this, I am using a VM with Sguil. Sguil is a network security monitoring tool that collects and displays IDS alerts.

I was also using a Kali Linux machine as the attacker!

I ran a ping against the host (the target).

In the IDS I was able to see it as an alert.

(Ignore all the extremely alarming event messages! The exercise is set up to present them.)

As you can see, the alert shows the event that happened, when it happened, the source IP, the destination IP, and the ports involved: the source port and the destination port!

A ping request is alarming, but an nmap scan is very alarming! nmap is a network mapping tool: it shows the requester which ports are open on the host it is scanning.

Those darn hackers are always running nmap scans! 

An nmap scan probes a target host looking for open ports. To an attacker, knowing which ports are open reveals which services are running on them, and therefore possible points of entry into a server, network, or host.

How can we tell this is an nmap scan just by looking at the alerts?

Look at the ports! See the source port? It is the same across several alerts labeled as suspicious scans, and the source IP address matches on all of them as well. Needless to say, one device scanned all those ports.

The IDS configuration determines which ports will trigger an alert!

These were low- to mid-level alerts! But a DoS attack is very bad for any network!

A DoS attack is a denial-of-service attack.

I used the Kali machine and sent thousands of data packets to the target. The target received all of them, and this rendered the host useless as it was overwhelmed with the packets.

Here, you can see the IDS catching it all!

As security admins, we see this alert and immediately get to work! :)
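The two patterns described above (one source IP and one source port hitting many destination ports for the nmap scan, and one source sending a burst of packets for the DoS) can be picked out of alert records automatically. The following is an added example and not code from the original post or from Sguil: it parses a constructed, simplified alert layout (timestamp, event message, source IP, source port, destination IP, destination port, separated by `|`, which is an assumed format and not Sguil's own) and flags both behaviours with the same kind of reasoning a person applies when reading the console. The sample alerts are constructed here, including the 600-packet burst that stands in for the flood.

```python
"""Triage IDS alerts for two patterns: port scans and packet floods."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts in a simplified, Sguil-like column layout (assumed format):
# timestamp | event message | src_ip | src_port | dst_ip | dst_port
SAMPLE_ALERTS = [
    "2024-01-01 10:00:00 | ICMP PING | 10.0.0.5 | 0 | 10.0.0.20 | 0",
] + [
    # one source, one ephemeral source port, many destination ports: the scan pattern
    f"2024-01-01 10:00:05 | Suspicious scan | 10.0.0.5 | 41234 | 10.0.0.20 | {port}"
    for port in (21, 22, 23, 25, 80, 110, 143, 443, 3306, 8080)
] + [
    # normal-looking traffic from another host: one destination port, a few connections
    f"2024-01-01 10:01:{sec:02d} | Web request | 10.0.0.7 | {40000 + sec} | 10.0.0.20 | 80"
    for sec in range(3)
] + [
    # 600 packets from a third host inside two seconds: the flood pattern
    f"2024-01-01 10:02:{sec:02d} | ICMP PING | 10.0.0.9 | 0 | 10.0.0.20 | 0"
    for sec in range(2) for _ in range(300)
]


def parse_alert(line):
    """Split one 'a | b | c' alert line into a dict (constructed layout, not Sguil's)."""
    ts, msg, src_ip, src_port, dst_ip, dst_port = [f.strip() for f in line.split("|")]
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "msg": msg,
        "src_ip": src_ip,
        "src_port": int(src_port),
        "dst_ip": dst_ip,
        "dst_port": int(dst_port),
    }


def parse_alerts(lines):
    return [parse_alert(line) for line in lines]


def find_port_scans(alerts, min_ports=5, window=timedelta(seconds=60)):
    """Return {(src_ip, dst_ip): sorted ports} for pairs that touch at least
    min_ports distinct destination ports within `window`.
    ICMP alerts carry no port (recorded as 0) and are left out of the count."""
    by_pair = defaultdict(list)
    for a in alerts:
        if a["dst_port"] == 0:
            continue
        by_pair[(a["src_ip"], a["dst_ip"])].append((a["ts"], a["dst_port"]))

    scans = {}
    for pair, events in by_pair.items():
        events.sort()
        for i in range(len(events)):
            start = events[i][0]
            seen = set()
            for ts, port in events[i:]:
                if ts - start > window:
                    break
                seen.add(port)
            if len(seen) >= min_ports:
                scans[pair] = sorted(seen)
                break
    return scans


def find_floods(alerts, max_per_second=100):
    """Return {src_ip: peak alerts in one second} for sources whose peak
    exceeds max_per_second, the simplest volume signal for a flood."""
    per_second = defaultdict(int)
    for a in alerts:
        per_second[(a["src_ip"], a["ts"].replace(microsecond=0))] += 1

    peak = defaultdict(int)
    for (src_ip, _), n in per_second.items():
        peak[src_ip] = max(peak[src_ip], n)
    return {src: n for src, n in peak.items() if n > max_per_second}


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for (src, dst), ports in find_port_scans(alerts).items():
        print(f"port scan: {src} -> {dst} on {len(ports)} ports {ports}")
    for src, n in find_floods(alerts).items():
        print(f"flood: {src} peaked at {n} alerts in one second")
```

Both thresholds (`min_ports`, `max_per_second`) are parameters because, just as the IDS configuration decides which ports raise an alert, the triage thresholds decide how many ports or packets count as suspicious on a given network; the well-behaved host 10.0.0.7, which only ever talks to port 80, is flagged by neither check.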