Forensic Investigation of Nmap using Wireshark

Hello friends!! Today we are discussing about how to read hexadecimal bytes from an IP Packet that help a network admin to identify various types of NMAP scanning. But before moving ahead please read our previous both articles “Network packet forensic” and “NMAP scanning with Wirehsark” it will help you in better understanding of this article.

Requiremnt

Attacking tool: Namp

Analyis tool: wireshark

We are going to calculate hexadecimal bytes of wireshark using given below table and as we know wireshark capture network packet mainly of 4 layers which is describd below in table as per OSI layer model and TCP/IP layer model.

Let’s  start!!

NMAP ARP Scanning

Hopefully reader must be aware of basic NMAP scanning techniques if not then read it from here, now open the terminal and execute given below command which known as “HOST SCAN” to idenfiy live host in network.

nmap -sn 192.168.1.100

Nmap uses the –sP/-sn flag for host scans and broadcast ARP request packet to identify which IP is allocated to particular host machine. From given below image you can observe that “1 host up” message.

Working of ARP Scan for Live Host

         i.            Send ARP request for MAC address

       ii.            Receive MAC address though ARP Reply packet

Step to Identify NMAP ARP Scan

1. Collect Ethernet Header details

Here we used wireshark to capture the network packet coming from victim’s network and in order to analysis only ARP packet we have applied filter “ip.addr == VICTIM IP || arp” as shown in given below image. Here you will find 2 arp packets, basically the 1st arp packet is broadcasting IP for asking MAC address of that network and the 2nd packet is unicast contains Answer of IP query.

Now let’s read Hex value of Ethernet header for identifying source and destination Mac addresses along with that we can also enumerated the bytes used for encapsulated packet, in order to identifying Ether type is being used here.

There should’nt be any uncertainty in conercn with source Mac address who is responsible for sending packet but if we talk about Destination Mac address then we got ff:ff:ff:ff:ff:ff:ff which means exact Destination is machine is not available here. Further moving ahead we found Ether type 0x0806 highlighted in yellow color is used for ARP protocol.

Hence from Ethernet header we can conclude it as ARP broadcast packet asking for destination Mac address.

1. Collect ARP Header (Request/Reply)

In order to identify ARP scan you need to investigate some important parameters which could help a network admin to make correct assumption in concern of ARP scann.

Try to collect following details as given below:

·         Opcode (Request/Reply)

·         Source Mac

·         Source IP

·         Destination MAC

·         Destination IP 

Now with help of following table you can read the hex value highlighted in above and below image for ARP Request and Reply packets  respectively.

NMAP ICMP Scanning

Now execute given below command which known as “HOST SCAN” to identify live host in network by sending Ping request with the help of ICMP packet.

nmap -sn 192.168.1.100 –disable-arp-ping

Now above command will send ICMP request packet instead of ARP request for identifying live host in network.

Working of NMAP ICMP Ping when host is live:

         i.            Send ICMP echo request packet.

       ii.            Receive ICMP echo reply.

      iii.            Send TCP SYN packet on any TCP port (this port must be rarely blocked by network admin).

     iv.            Receive TCP RST-ACK from target’s Network.

As a result NMAP give “HOST UP” message as shown in given below image.

Step to Identify NMAP ICMP Scan

1.       Collect IP Header Details  for Protocol version

For reading data of Ethernet head visit to our previous article “Network packet forensic”.

NOTE: Ether type for IPv4 is 0x0800

Since we know ICMP is Layer 3 protocol according to OSI model therefore we need to focus on following details for ICMP forensic with help of IP Header of a packet.

Try to collect following details as given below:

·         Ip header length 20 Bytes (5bits*4=20 bytes)

·         Protocol (01 for ICMP)

·         Source IP

·         Destination IP

From given below image you can observe Hexadecimal information of IP header field and using given table you can study these value to obtain their original value.

The IP header length is always given in form of bit and here it is 5 bit which is also minimum IP header length and to make it 20 bytes multiple 5 with 4 i.e. 5*4 bytes =20 bytes.

1. Identify ICMP Message type  (Request /Reply)

Now we had discussed above according to Nmap ICMP scanning technique the 1st packet is should be ICMP echo request packet and 2nd packet is should be of ICMP echo reply packet.

Now with help of following table you can read hex vaule highlighted in above and below image for ICMP Request and Reply packets  respectively.

1. Identify TCP Flags

AS discussed above after ICMP reply, the 3rd packet should be of TCP-SYN packet and 4^th should be of TCP-RST/ACK.  We had seen in our previous article the hex value of all TCP-Flags are different from each other, so if we are talking for TCP-SYN flag then its Hex value should 0x02.

From given below table you can observe the sequence of TCP flag and how bits of these flag are set for sending packet to destination port.

For example if you found TCP SYN packet then the bit for SYN flag is set 1 for which the binary value will be 000000010 and its hexadecimal will be 0x02.

NS	CWR	ECE	URG	ACK	PSH	RST	SYN	FIN
0	0	0	0	0	0	0	1	0

Sometime you will get combination of two or more flag in TCP header, so in that scenario take the help of following table to read the Hex value of such packet to identify TCP flags bits are being set 1.

For example if you found TCP SYN/ACK packets then indicates that SYN & ACK flags are set 1 for which the binary value will be 000010010 and its hexadecimal will be 0x12

NS	CWR	ECE	URG	ACK	PSH	RST	SYN	FIN
0	0	0	0	1	0	0	1	0

Therefore I design below table to let you know more about of Hex value when  two or more than two flags are set 1.

The image given above contains the hex value of TCP-SYN packets and the image given below contains the hex value of TCP-RST/ACK packet from which we can calculate the source port and the destination port of the packet respectively like one given below.

Conclusion! So as stated above regarding the working of NMAP ICMP scan we had obtain the hex value for every packet in same sequence.

Obtaining the hex value for every packet in such sequence gives indication to the Penetration tester that Someone has Choose NMAP ICMP scan for Network enumeration.

Default NMAP Scan (Stealth Scan)

Here we are going  with default scan method to enumerate “open”state of any specific port

nmap -p 80 192.168.1.100

Working of Default Scan for open port:

         i.            Send TCP-SYN packet

       ii.            Receive TCP-SYN/ACK

3. Send TCP-RST packet

It is also known as half Open TCP Scan as it does not send ACK packet after receive SYN/ACK packet .

Step to Identify NMAP Default Scan (Stealth Scan)

1.       Collect IP Header Details  for Protocol Version

For reading data of Ethernet head visit to our previous article “Network packet forensic”.

NOTE: Ether type for IPv4 is 0x0800.

Try to collect following details as given below:

·         Ip header length 20 Bytes (5bits*4=20 bytes)

·         Protocol (6 for TCP)

·         Source IP

·         Destination IP

From given below image you can observe Hexadecimal information of IP header field and using given table you can study these value to obtain their original value.

1. Analysis TCP Header  Details

Since from above image we had obtain Source and Destination IP and protocol used for communication i.e. TCP, now we need to identify source and Destination port and TCP Flag used for establishing connection between two system.

In image we have highlighted source port in “Light brown” color and destination port in “yellow color”, you can use given below table to read the hex value of given image.

So we come to know that here TCP-SYN packet is used for sending connection request on Port 80.

Again we read next packet then here we found hex value 12 indicates that TCP-SYN/ACK has been send from port 80.

Take the help given above table to read the hex vaule of given image. Hex value 12 for TCP flag is used for SYN + ACK as explained above,  and we get 0x12 by adding Hex value “ 0x02 of SYN” and “0x10 of ACK”. 

In the image given below we come to know that TCP-RST packet is used for sending Reset connection to Port 80.

Conclusion! So as declared above regarding the working of NMAP default scan or NMAP stealth scan we had obtain the hex value for every packet in same sequence.

Obtaining the hex value for every packet in such sequence gives indication to the Penetration tester that Someone has Choose NMAP Default scan for Network enumeration.

NMAP TCP Scan

Here we are going  with TCP scan to enumerate state of any specific port

nmap  -sT  -p 80 192.168.1.100

Working of Default Scan for open port:

         i.            Send TCP-SYN packet

       ii.            Receive TCP-SYN/ACK

3. Send TCP-ACK packet
4. Send TCP-RST/ACK packet

Step to Identify NMAP TCP Scan  

1.       Collect IP Header Details  for Protocol Version

For reading data of Ethernet head visit to our previous article “Network packet forensic”.

NOTE: Ether type for IPv4 is 0x0800.

Try to collect following details as given below:

·         Ip header length 20 bytes (5bits*4=20 bytes)

·         Protocol (06 for TCP)

·         Source IP

·         Destination IP

It is quite similar as NMAP stealth Scan and using given table you can study these values to obtain their original value.

1. Analysis TCP Header  Details

NMAP TCP Scan follow 3 way handshak of TCP connection for enumeration open port. Identfying source and destination port along with Flag hex value (TCP-SYN) is similar as above.

So we come to know that here TCP-SYN packet is used for sending connection request on Port 80.

Again we read next packet then here we found hex value 12 indicates that TCP-SYN/ACK has been send via port 80.

The only difference between Stealth Scan and TCP scan is that here packet of ACK flag is send by source machine who intiate the TCP communication.  Again we read next packet then here we found hex value 0x10 indicates that TCP- ACK has been send via port 80.

Conclusion! So as stated above regarding the working of NMAP TCP scan we had obtain the hex value for every packet in same sequence.

Obtaining the hex value for every packet in such sequence gives indication to the Penetration tester that Someone has Choose NMAP Default scan for Network enumeration.

NOTE:  For  packet TCP-RST/ACK the hex value will be “ 0x14” send by the attacker machine

NMAP FIN Scan

Here we are going  with TCP-FIN scan to enumerate “OPEN” state of a particular port in any Linux based system therfore excute given below command.

nmap  -sF  -p 22 192.168.1.104

Working of FIN Scan for open port: Send  2 packets of TCP-FIN on a specific port

FIN is part TCP flag and NMAP used FIN flag to intiat TCP communication instead of following three way handshak communication.

Step to Identify NMAP FIN Scan  

1.       Collect IP Header Details  for Protocol Version

For reading data of Ethernet head visit to our previous article “Network packet forensic”.

NOTE: Ether type for IPv4 is 0x0800

Try to collect following details as given below:

·         Ip header length 20 Bytes (5bits*4=20 bytes)

·         Protocol (06 for TCP)

·         Source IP

·         Destination IP

It is quite similar as NMAP above Scan and using given below table you can study these values to obtain their original value.

1. Analysis TCP Header  Details

Now lets Identfying source and destination port along with Flag hex value (TCP-FIN) is similar as above.

So through given below image and with help of table we came to know that here TCP-FIN packet is used for sending connection request on Port 22.

Conclusion! So as declared above regarding the working of NMAP FIN scan we had obtain the hex value for every packet in same sequence.

Obtaining the hex value for every packet in such sequence gives indication to the Penetration tester that Someone has Choose NMAP FIN scan for Network enumeration.

NOTE:  If  you found 1st FIN packet (0x01) and 2^nd RST packet (0x04) then indicates “Closed Port” on tagered network.

NMAP NULL Scan

Here we are going  with TCP Null scan to enumerate “OPEN” state of any specific port in any Linux based system.

nmap  -sN  -p 22 192.168.1.104

Working of Null Scan for open port: Send  2 packets of TCP-NONE on specific port

Here NMAP used NONE flag  (No flag) to initiate TCP communication and bit of each flag is set “0”instead of following three-way handshake communication.

Step to Identify NMAP Null Scan  

1.       Collect IP Header Details  for Protocol Version

For reading data of Ethernet head visit to our previous article “Network packet forensic”.

NOTE: Ether type for IPv4 is 0x0800

Try to collect following details as given below:

·         Ip header length 20 Bytes (5bits*4=20 bytes)

·         Protocol (06 for TCP)

·         Source IP

·         Destination IP

It is quite similar as NMAP above Scan and using given table you can study these values to obtain their original value.

1. Analysis TCP Header  Details

Now lets Identfying source and destination port along with Flag hex value (TCP-NONE) is similar as above.

So through given below image and with help of table we come to know that here TCP-NONE packet is used for sending connection request on Port 22.

Conclusion! So as stated above regarding the working of NMAP NONE scan we had obtain the hex value for every packet in same sequence.

Obtaining the hex value for every packet in such sequence gives indication to the Penetration tester that someone has Chosen NMAP NONE scan for Network enumeration.

NOTE:  If  you found 1st NONE packet (0x00) and 2^nd RST packet (0x04) then indicates “Closed Port” on tagered network.

NMAP XMAS Scan

Here we are going with XMAS scan to enumerate “OPEN” state of any specific port in any Linux based system

nmap  -sX  -p 22 192.168.1.104

Working of XMAS Scan for open port: Send 2 packets of TCP Flags in combination of FIN, PSH, URG on specific port.

Here NMAP used 3 TCP flags (FIN, PSH, and URG) to initiate TCP communication and bit of each flag is set “1”instead of following three way handshake communications.

Step to Identify NMAP XMAS Scan  

1.       Collect IP Header Details  for Protocol Version

For reading data of Ethernet head visit to our previous article “Network packet forensic”.

NOTE: Ether type for IPv4 is 0x0800

Try to collect following details as given below:

·         Ip header length 20 Bytes (5bits*4=20 bytes)

·         Protocol (06 for TCP)

·         Source IP

·         Destination IP

It is quite similar as NMAP above Scan and using given table you can study these values to obtain their original value.

1. Analysis TCP Header  Details

Now lets Identfying source and destination port along with Flag hex value (TCP-XMAS) is similar as above.

So through given below image and with help of table we come to know that here TCP flags {FIN,PSH,URG} packet is used for sending connection request on Port 22.

Conclusion! So as stated above regarding the working of NMAP XMAS scan we had obtain the hex value for every packet in same sequence.

Obtaining the hex value for every packet in such sequence gives indication to the Penetration tester that someone has Choose NMAP XMAS scanned for Network enumeration.

NOTE: 

·         If you found 1st {FIN, PSH, URG} packet (0x29) and 2nd RST packet (0x04) then indicates “Closed Port” on targeted network.

·         NMAP FIN, NMAP NULL and NMAP XMAS scan are only applicable on Linux based system

NMAP UDP Scan

Here we are going  with XMAS scan to enumerate state of any specific port in any Linux based system

nmap  -sU  -p 68 192.168.1.104

Working of XMAS Scan for open port: Send  2 packets of UDP on specific port

It is quite different from TCP communication process because here no Flag are used for establishing connection or initiate connection request with target’s network.

Step to Identify NMAP UDP Scan  

1.       Collect IP Header Details  for Protocol Version

For reading data of Ethernet head visit to our previous article “Network packet forensic”.

NOTE: Ether type for IPv4 is 0x0800

Try to collect following details as given below:

·         Ip header length 20 Bytes (5bits*4=20 bytes)  

·         Protocol (11 for UDP)

·         Source IP

·         Destination IP

It is quite similar as NMAP above Scan as “IP header” and “Ethernet header” information will be same either is TCP communication or UDP communication and using given table you can study these values to obtain their original value.

Basically 11 is hex value use for UDP protocol which is quite useful in identify NMAP UDP scan from remanding scanning method.

1. Analysis UDP Header  Details

Now lets Identfying source and destination port a as done above inTCP Scanning.

Conclusion! Obtaining the hex value for every packet in such sequence gives indication to the Penetration tester that Someone has Choose NMAP UDP scan for Network enumeration.

NOTE:  If  you found 1st UDP packet and 2^nd UDP with ICMP Message Port is unreachable then indicates “Closed Port” on tagered network.

Post Exploitation in Windows using dir Command

In this article you will learn how to use Windows Command Line Command “dir” and extract files, get information about Number of files of a particular extension and much more using Metasploit framework. 

dir Command: It displays a list of a directory's files and subdirectories.

Syntax

dir [:] [] [] [/p] [/q] [/a [[:] ]] [/s] [/b]

[/p]: Displays one screen of the listing at a time.

[/q]: Displays file ownership information.

[/s]: Lists every occurrence of the specified file name within the specified directory and all subdirectories.

[/b]: Displays a bare list of directories and files, with no additional information.

[/a]: Attributes (Additional Options).

It is usually attached with options such as

[/ad]:  Directories

[/ah]:  Hidden files

[/as]:  System files

[/a-attribute]: Not (It is used when opposite of the attribute is to be obtained)

Now to use dir for Post Exploitation, we will need an Administrator Privileged shell, which can be found here.

Now we will use different combinations of the attributes and parameters to extract data from victim’s system.

Find Directories using a search string

Here, we are using following options with dir command:

[/b] to get a bare search,

[/s] to get a verbose result,

[/ad] to get the list of directories,

Containing string *sales* in their name.

Syntax: dir /b /s /ad [directory]\*string*

Example:  dir /b /s /ad d:\*sales*

Find the Number of Files/Directories in a Directory

If we need the Number of files, i.e. no. of files we have to add find command by piping [|] it with dir.

 Example: dir /b | find /c /v “”

Here [/b] to get a bare search and [/c] switch tells the find tool to Number how many lines contain your search terms, and [/v] switch will show any lines that don’t contain the string of words which you have specified in this case “”. As a file name cannot be nothing (“”) so it will Number all the file names.

Here, we are using

Above command return number of files in the Directory you are currently in. In my case it returns 22, which means victim has 22 files in his D:\ directory.

Find the Number of files

Here, we are using

Example: dir /b /s /a-d d:\*sales* | find /c /v “”

[/ad] is for Directories.

[-] is used as NOT so [/a-d] is for not directories i.e. files

Also find /c /v “” is used to get the Number. From given below image you can observe here it found 5 files inside sales folder.

Find the Number of directories

Syntax: dir /b /s /ad [directory]\*string* | find /c /v “”

Example: dir /b /s /ad d:\*sales* | find /c /v ””

Here we need to get the Number of directories named *sales* It can be anything mentioned in *string*.

[/ad] is for Directories

Here find /c /v ”” is used to get a Number and from given below image you can observe here it found 5 subdirectories inside sales folder.

Find Files of a particular extension

In the given example, I searched for .xlsx files which are MS-Excel Files, but we can use it for any extension file like pdf, png, exe, docs etc.

Syntax: dir /b /s [directory]\*extension*

Example: dir /b /s d:\*.xlsx*

From given below image you can read name of excel files inside D: drive.

Find the Number of Files of a particular Extension

If we add find /c /v”” we will get the Number of files of a particular extension as shown below.

Example: dir /b /s d:\*.xlsx* | find /c /v “”

 From given below image you can observe here it found 4 excel files inside D: drive.

Find the Number of Hidden Files/Directories

To get hidden files we will use the attribute [/ah].

And when combined with find /c /v “”, we will get the Number of the hidden files/directories in the given directory as shown below.

Syntax: dir /b /ah [directory] | find /c /v “”

Example: dir /b /ah d:\ | find /c /v “”

From given below image you can observe here it found 3 hidden files inside D: drive.

Find the Hidden Files/Directories in a Directory

To view the Hidden Files in the give directory we will use attribute [/ah] with [/b] to get a bare result of the hidden files.

Syntax: dir /b /ah [directory]

Example: dir /b /ah d:\

From given below image you can read name of hidden files inside D: drive.

Find the System Files Stored in a Directory

To get the System Files we will use another attribute which is [/as], combined with [/b] it will give the names of the system files stored in the given directory.

Example: dir /b /as d:\

From given below image you can read name of system files inside D: drive.

Forensic Data Carving using Foremost

Foremost is a program that is used to carve data from disk image files, it is an extremely useful tool and very easy to use.

For the purpose of this article we have used an Ubuntu disk image file and the process has been repeated twice. The purpose of doing so was to see if Foremost can carve data out of incomplete disk images as well. We have used Kali Linux but if you want you can install Foremost on pretty much any distro of Linux.

Here’s how it was done:

Navigate to the Applications menu in Kali, Forensics is option 11. The fifth option from top in the Forensics menu is Foremost. Click on it and let’s get to carving some data!!

Foremost starts and shows you the options you have at your disposal.

In order to keep things simple, you first want to navigate to the Desktop using “cd Desktop”.

Next, make a folder on the desktop by the name of “recov”. This isn’t a mandatory step, it just makes things easier to access by making a new folder where the carved data will be stored.

We will be dealing with the disk image of a flash drive partition, so let’s make one using the “dd” command. The dd command can be used to copy files and with the option of converting the data format in the process.

In the interest of thoroughness we have copied .docx, .jpeg, .png, .zip, .pdf and .avi files onto the partition from which we will be making our disk image.

Now let’s make a disk image.

In a new terminal window, type the following “fdisk –l | grep /dev/”. This command will show you the disk partitions available to you without any clutter.

The partition we are concerned with is /dev/sbd2, this was specially allocated 10 MB of space so that the imaging process is quick.

The command to create the disk image is “dd if=/dev/sdb2 of=disk.img”. Here, “dd” is the utility we are using, “if=” is to denote the input destination and “of=” is to denote the output destination and name of the image file we are creating.

We have not specified any output destination, but, just the name for the image file. The image file will be created in the Home directory by default. Copy the disk image file from here and place it on the desktop.

Let’s navigate back to the terminal where we have Foremost running and start the file carving process.

This disk image file will be carved for .jpeg, .png, .zip, .pdf and .avi  file formats. We will not be instructing Foremost to carve the .docx but, since one exists in the .zip we have placed inside the disk image, it will do so automatically.

Type the following “foremost -t jpeg,png,zip,pdf,avi -i disk.img -o recov –v”.

To break this down “-t” is setting the file types we want to carve out of the disk image, here those are .jpeg and .png.

“-i” is specifying the input file, the "disk.img” that is placed on the desktop.

“-o” is telling Foremost where we want the carved files to be stored, for that we have the “recov” folder on the desktop that we made earlier.

“-v” is to tell Foremost to log all the messages that appear on screen as the file is being carved into a text file in the output folder (recov) as an audit report.

That’s all it takes for Foremost to start digging into the disk image. The process looks like this.

Once Foremost is done carving the disk image, it shows you the result: that’s is, how many of which file types have been carved. All It took was a second, to get the job done.

Now open the output (recov) folder and you will see an audit report and six folders which will be named by the file types we invoked Foremost to carve for us.

First, the audit report. It shows us the particulars of the scan, which file types were carved, from which image file, the size of the image file, where it was located, where the output folder was located, etc. Let’s have a look.

The end of the report contains shows the total files extracted with more particulars.

We will open one file from the jpg folder to see what we have.

One from the png folder.

Inside the docx folder.

Inside the pdf folder. 

Now the avi folder

And finally the zip folder.

As you can see, Foremost was successfully able to carve files out of the disk image file and give us the results. Let’s put it to the test.

This a very interesting tool and its simplicity is what makes it stand out.

The only issue I could see with this is that the file names are not recovered, which can make the search process very tedious unless the option of automation and a frame of reference are available.

That being said, in forensics, just being able recover the files without opening or extracting disk image itself is a huge advantage, the reason for saying so is that, if you do extract or open the disk image you never know what might be waiting for you inside, this way you have more control over the entire investigation process. Enjoy using this tool.

Have fun and stay ethical.

About The Author

Abhimanyu Dev is a Certified Ethical Hacker, penetration tester, information security analyst and researcher. Connect with him here

How to Configure Suricata IDS in Ubuntu

Suricata is developed by the Open Information Security Foundation. Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF and its supporting vendors.

Features

IDS / IPS

Suricata implements a complete signature language to match on known threats, policy violations and malicious behaviour. Suricata will also detect many anomalies in the traffic it inspects. Suricata is capable of using the specialized Emerging Threats Suricata ruleset and the VRT ruleset.

High Performance

A single Suricata instance is capable of inspecting multi-gigabit traffic. The engine is built around a multi threaded, modern, clean and highly scalable code base. There is native support for hardware acceleration from several vendors and through PF_RING and AF_PACKET.

Automatic protocol detection

Suricata will automatically detect protocols such as HTTP on any port and apply the proper detection and logging logic. This greatly helps with finding malware and CnC channels.

NSM: More than an IDS

Suricata can log HTTP requests, log and store TLS certificates, extract files from flows and store them to disk. The full pcap capture support allows easy analysis. All this makes Suricata a powerful engine for your Network Security Monitoring (NSM) ecosystem.

From: https://suricata-ids.org/

Lets Begin!!

We had chosen ubuntu operating system for installation and configuration of suricata. Earlier than installing suricata in your machine, you should need to install necessary dependencies of ubuntu. Therefore open the terminal and type given below command to install pre-requisites by a making update.

apt-get update

It is an easiest way to install and configure the suricata in your system because it’s entire requirement whether it is suricata rules directory or logging directory every packages is are stored by apt repository. Enter given below command to begin the suricata installations. 

apt-get install suricata -y

Now we need to create an empty text document file for our local rules inside rule folder of suricata

touch /etc/suricata/rules/local.rules

After then open the configuration file using gedit for making some changes inside.

gedit /etc/suricata/suricata-debian.yaml

The two most important steps we need to perform here:

1.       Comment all others available file of rules so that only yours local rule file will be in priority.

2.       Mention the local.rules under the rule files list.

Now add the network CIDR for which IDS will filter the incoming and outgoing traffic as shown in given below image.

Here we had set HOME_NET 192.168.1.0/24

Now open the local rule file to add your own network filtering rules in side it

gedit /etc/suricata/rules/local.rules

Now if you are not much aware about its rule configuration then you need not to be worry about it because implementing rule in suricata is as similar as in snort. For help open this Link to get details of IDS rule implementation.

alert icmp any any -> 192.168.1.111 any (msg: “ICMP detected”; sid:10000001;)

The above rule will generate an alert when found any network IP sending ICMP packets in our network by pinging IP 192.168.1.111.

Now execute following command to make GRO (Generic receive offload) disable on specific interfaces with help of Ethtool.

ethtool -K ens33 gro off

Then again turn On NIDS mode of surictata using given below command.

suricata -c /etc/suricata/suricata-debian.yaml -i ens33

Now let’s ping the IP: 192.168.1.111 from another system to test whether our NIDS will generate alert for ICMP packet or not. From given image you can read the command: ping 192.168.1.111 where you can observe it has sent 3 ICMP request packets.  

Basically suricata alert logs are generated under var/log and you can use given below command to read the captured logs.

tail -f /var/log/suricata/

As result suricata with NIDS mode had capture only 3 ICMP packets from IP 192.168.1.102 which you can observe from given below image that generated alert for “ICMP Detected”, this happens because in above rule we had applied “->”one-directional operators which mean it will only capture traffic coming from source IP to destination IP.

Here you can perceive that both two packets of ICMP is coming from 192.168.1.102 to 192.168.1.111 which means it has only captured ICMP Echo-request packets form source IP.