Installing Suricata IDS/IPS and Triggering Rules with an Nmap Stealth Scan and XSS Attack on bWAPP Using Burp Suite



We are enabling the IDS/IPS functionality on our OPNsense firewall to detect and alert on potential threats by analyzing incoming traffic against predefined rules. These rules act as "fingerprints" to identify known attacks and suspicious behaviors across the network.

In this lab, I will be using Suricata, a free and open-source cybersecurity tool that functions as both an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS). Widely adopted by organizations worldwide, Suricata monitors networks for suspicious activity and detects cyber threats.

Suricata's rules analyze network packets for specific characteristics, such as source and destination IP addresses, ports, protocol types, and even packet content, to identify potential threats. When traffic matches a rule, Suricata generates an alert, notifying administrators of potential security incidents.

Based on my research, it is essential to disable offloading features before enabling the IDS/IPS capability on the OPNsense firewall or any IDS/IPS device. Offloading can alter packets in ways that may compromise Suricata's ability to analyze them accurately, potentially resulting in missed detections or false results.

To disable offloading, head over to Interfaces > Settings and uncheck the offload options.


Let’s proceed with enabling the IDS/IPS functionality by following the steps outlined below.









Let’s download FileZilla, which we will use to transfer the .xml file to our OPNsense firewall.



We will now create an XML file that instructs OPNsense to download the suricata-nmap.rules file from our Ubuntu host at 192.168.147.11.




For this example, I have created two Suricata rules:

  1. The first rule triggers an alert when a stealth Nmap scan is detected.
  2. The second rule triggers an alert upon detecting a <script> tag, which is commonly used to execute or facilitate XSS (Cross-Site Scripting) attacks.
1. Rule for Nmap scan detection



2. Rule for specific XSS scripting Attack




We will save the created rules in a .rules file as shown in the screenshot above. Additionally, I used a web-based Suricata rule generator to assist in creating these rules.

Next, we will transfer the .xml file to our OPNsense firewall using FileZilla.









Run an HTTP server from our Ubuntu host so that OPNsense can fetch the .rules file.




Our rule set now appears here; click Download & Update Rules.
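The artefacts this chain of steps produces on the Ubuntu host, as an added example rather than the author's own files: two constructed rules in the spirit of the ones described above, the OPNsense ruleset XML that points at them, and the HTTP server that publishes them. The host address 192.168.147.11 comes from the lab; port 8000, the web root path, the rule contents and the sid values are assumptions.

```shell
#!/bin/sh
# Added example (not the author's files): constructed Suricata rules plus the
# OPNsense ruleset XML that points at them, written on the Ubuntu host.
# Assumptions: the host is 192.168.147.11 (from the lab), the HTTP server
# port is 8000, and the web root path below is hypothetical.
WEBROOT="${WEBROOT:-/tmp/suricata-lab}"

# Two constructed rules. The Nmap rule keys on a bare SYN carrying the 1024
# window that Nmap uses for raw SYN scans and only fires after 5 hits from one
# source within 60 s, which keeps ordinary connection attempts quiet.
write_rules() {
    mkdir -p "$WEBROOT"
    cat > "$WEBROOT/suricata-nmap.rules" <<'EOF'
alert tcp any any -> $HOME_NET any (msg:"LAB Nmap SYN (stealth) scan"; flags:S,12; window:1024; threshold:type both, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:1000001; rev:1;)
alert http any any -> $HOME_NET any (msg:"LAB XSS <script> tag in HTTP request body"; flow:to_server,established; http.request_body; content:"<script>"; nocase; classtype:web-application-attack; sid:1000002; rev:1;)
EOF
}

# Ruleset metadata that OPNsense reads from
# /usr/local/opnsense/scripts/suricata/metadata/rules/ on the firewall:
# "prefix" is the name shown in the Download tab, "url" is where
# Download & Update Rules fetches each listed file from.
write_ruleset_xml() {
    mkdir -p "$WEBROOT"
    cat > "$WEBROOT/suricata-nmap.xml" <<'EOF'
<?xml version="1.0"?>
<ruleset documentation_url="http://192.168.147.11:8000/">
    <location url="http://192.168.147.11:8000/" prefix="lab"/>
    <files>
        <file description="lab/suricata-nmap">suricata-nmap.rules</file>
    </files>
</ruleset>
EOF
}

# Syntax-check the rules before publishing them (skipped if suricata is not
# installed locally); returns 0 when every rule parses.
check_rules() {
    command -v suricata >/dev/null 2>&1 || return 0
    suricata -T -S "$WEBROOT/suricata-nmap.rules" >/dev/null 2>&1
}

# Serve WEBROOT so the firewall can fetch the .rules file; runs until Ctrl-C.
serve_rules() {
    cd "$WEBROOT" && exec python3 -m http.server 8000
}

# Usage on the Ubuntu host (serve_rules blocks, so it is left commented here):
# write_rules && write_ruleset_xml && check_rules && serve_rules
```

Copy suricata-nmap.xml to the metadata directory on the firewall (the step done with FileZilla above), then the "lab" entry shows up under Download.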







Head over to Rules and we can see the rule set has finally been loaded into our OPNsense firewall.



There are no alerts yet because we haven’t generated any traffic that could trigger these rules.




Now, let's head over to our Kali attack machine and initiate an Nmap scan targeting any host within our 192.168.147.0/24 subnet.


After generating the Nmap traffic, let's navigate to the alert tab in our OPNsense firewall. As we can see, it has triggered the Suricata rule related to the Nmap scan.

Now, let's attempt an attack on our bWAPP server by performing a basic XSS attack using the <script> tag. This should trigger the Suricata rule we created for that kind of attack.

For this attack, we will use Burp Suite to target our bWAPP server.

Enable Intercept under the Proxy tab.

Fill in the credentials and click the Go button.





The screenshot above shows the content of our POST request to the bWAPP server, including the credentials we entered. Now, we will modify the input fields to include the following XSS payloads: <script>alert("This_has_been_XSS!")</script> and <script>alert("XSS!")</script>.

Then let's hit the forward button to forward that traffic going to our bWAPP server.




This type of attack should trigger the Suricata rule we created. Let's head back to the alerts section to check the results.



To summarize, in this chapter, we enabled the IDS/IPS functionality on our OPNsense firewall. We created two Suricata rules: one to detect traffic related to a stealth Nmap scan and another to detect XSS scripting attacks on our bWAPP server, specifically using the <script> tag. We also demonstrated how to transfer the suricata.rules file to the OPNsense firewall using an XML file. If we need to add more rules in the future, we can simply edit the suricata.rules file. After making any changes, we need to enable the HTTP server on our Ubuntu host so that the OPNsense firewall can download and update the Suricata rules. 
Finally, we tested our detection rules by performing an Nmap scan from our Kali Linux machine and executing an XSS scripting attack using Burp Suite with the <script> tag.


