Intrusion Detection Fundamentals
Before deploying tools, we must understand the strategy. Network defense relies on visibility (IDS) and enforcement (IPS), and it uses two distinct detection "brains": signatures and anomalies. The cards below contrast them.
Role Definition
The Security Camera
An Intrusion Detection System is a visibility tool. It connects to a SPAN port or TAP and passively watches copies of traffic.
- ✅ Passive Monitoring
- ✅ No impact on network latency
- ⚠️ Cannot stop attacks, only alert
Detection Logic
Pattern Matching
Compares traffic against a database of known threat patterns (much like antivirus signatures).
Pros: Fast, Low False Positives
Cons: Blind to Zero-Days
The Security Onion Architecture
Security Onion is a Linux distribution that acts as the "glue" for three critical open-source tools. Each tool provides a different "peel" or layer of visibility.
Suricata
🚨 The NIDS Engine.
Zeek
📝 The Network Flight Recorder.
Stenographer
📼 The Packet DVR.
Simulation Lab
Step into the shoes of a sysadmin. Each scenario presents simulated data for a virtual investigation; analyze it and decide which Security Onion tool is the right one for the job.
Code Vault
A repository of the Python, Bash, and PowerShell scripts referenced in the lecture modules. These scripts demonstrate how to programmatically interact with logs and define detection logic.
Python: Brute Force Detection Logic
# Task: Detect high-frequency login failures (Brute Force simulation)
import time
from collections import defaultdict, deque

THRESHOLD = 5   # failed logins tolerated per source inside the window
WINDOW = 10     # sliding window length in seconds

# Each event: (timestamp, src_ip, dest_ip, event_type), assumed ordered by time
network_events = [
    (time.time(), "192.168.1.50", "192.168.1.100", "LOGIN_FAIL"),
    # ... more events
]

# Timestamps of recent failures per source; only those inside WINDOW are kept
ip_tracker = defaultdict(deque)
alerted = set()

for event in network_events:
    timestamp, src_ip, dest_ip, event_type = event
    if event_type != "LOGIN_FAIL":
        continue
    failures = ip_tracker[src_ip]
    failures.append(timestamp)
    # Expire failures that fell out of the window
    while failures and timestamp - failures[0] > WINDOW:
        failures.popleft()
    # Alert once per source rather than on every subsequent failure
    if len(failures) > THRESHOLD and src_ip not in alerted:
        alerted.add(src_ip)
        print(f"ALERT: Potential Brute Force detected from {src_ip}")
Suricata: TeamViewer Detection Rule
# Task: Create a Suricata rule to detect TeamViewer traffic.
# Matches the queried name in outbound DNS requests (dns.query sticky buffer), case-insensitively.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY VIOLATION - TeamViewer DNS Request"; dns.query; content:"teamviewer.com"; nocase; classtype:policy-violation; sid:1000001; rev:1;)
Bash: Parsing Zeek Logs
# Task: Manually parse Zeek logs to find the top bandwidth consumers
ZEEK_LOG="/nsm/zeek/logs/current/conn.log"
# Sum orig_bytes per (source -> destination) pair; Zeek writes "-" when the
# byte count is unknown, so those records are skipped rather than summed.
zeek-cut id.orig_h id.resp_h orig_bytes < "$ZEEK_LOG" | \
  awk '$3 != "-" { bytes[$1 " -> " $2] += $3 } END { for (k in bytes) print bytes[k], k }' | \
  sort -nr | \
  head -n 10
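The same top-talker analysis in Python, added here as an illustration of what zeek-cut does under the hood; this is example code, not part of the lecture's Code Vault. It reads the tab-separated conn.log format with its #fields header, skips the other metadata lines, treats Zeek's "-" (unset) as zero bytes, and runs on a constructed sample log embedded below.

```python
import io

# Constructed sample of a Zeek conn.log (tab-separated, with the #fields header
# that zeek-cut relies on). Hosts and byte counts are made up for this example.
SAMPLE_CONN_LOG = """#separator \\x09
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes
1700000000.1\t192.168.1.50\t51000\t10.0.0.5\t443\ttcp\t1200\t8000
1700000001.2\t192.168.1.50\t51001\t10.0.0.5\t443\ttcp\t300\t-
1700000002.3\t192.168.1.77\t51002\t10.0.0.9\t80\ttcp\t50000\t120
1700000003.4\t192.168.1.77\t51003\t10.0.0.5\t443\ttcp\t-\t-
#close\t2023-11-14-22-13-24
"""


def parse_zeek_log(text):
    """Yield one dict per record, keyed by the names in the #fields header.
    Metadata lines (#separator, #types, #close, ...) are skipped."""
    fields = None
    for line in io.StringIO(text):
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue
        elif fields is not None:
            yield dict(zip(fields, line.split("\t")))


def top_talkers(text, n=10):
    """Sum orig_bytes per originating host. Zeek writes '-' for an unset
    value; it is counted as 0. Returns [(bytes, host), ...], largest first."""
    totals = {}
    for rec in parse_zeek_log(text):
        raw = rec.get("orig_bytes", "-")
        nbytes = int(raw) if raw != "-" else 0
        host = rec["id.orig_h"]
        totals[host] = totals.get(host, 0) + nbytes
    return sorted(((b, h) for h, b in totals.items()), reverse=True)[:n]


if __name__ == "__main__":
    for nbytes, host in top_talkers(SAMPLE_CONN_LOG):
        print(f"{nbytes:>10} {host}")
```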