1. {elysiumsecurity}
Open Source IDS
How to use them as a powerful free
Defensive and Offensive tool
Version: 1.2w
Author: Sylvain Martinez
cyber protection & response
Classification: Public

2. {elysiumsecurity}
Agenda
• Introduction;
• Cyber Security Context;
• IDS Concept;
• Requirements for success;
• IDS Benefits;
• Something different…

3. {elysiumsecurity}
Who Am I?
https://www.elysiumsecurity.com

4. {elysiumsecurity}
Why Listen?
* If you already have a TAP setup
• Understand why you need an IDS;
• How everyone can get started with a free IDS;
• This dashboard in your home/company in less than 2h!*

5. {elysiumsecurity}
Today’s Cyber Security Risk Context
Cyber Security Risks’ probability and impact are increasing.
Their ability to disrupt companies business operation have
growing financial, reputational and legal negative consequences;
This overall diagram is copyright Elysiumsecurity LTD and can only be re-used if the source is referenced as: Sylvain Martinez, https://www.elysiumsecurity.com
Yesterday Tomorrow
100%
0%
TIME
GROWTH
Yesterday Tomorrow
100%
0%
TIME
GROWTH
Yesterday Tomorrow
100%
0%
TIME
GROWTH

6. {elysiumsecurity}
Cyber Security Puzzle
PREVENT DETECT RESPOND
• End Point Protection
• Policies
• DLP
• DRM
• SOC
• F/W
• IPS
• IDS • Incident Response
• Forensics
• DLP
• SIEM
• CERT
• Incident Management

7. {elysiumsecurity}
Importance of Detection
PREVENT DETECT RESPOND
DETECTION allows you to know there is a problem,
and that you need to do something!

8. {elysiumsecurity}
IDS? What IDS?
IDS
NIDS
HIDS
IPS
Signature Based
Behaviour Based
Pattern Based
Passive
Active

9. {elysiumsecurity}
FREE IDS
• Snort based engine;
• Suricata based engine;
• Suites of software available as VM:
- Security Onion (SO): https://securityonion.net/
- SELKS: https://www.stamus-networks.com/open-source/
• Great community is here to help;
• Authors are very active;
• Professional support available from them too;
• Various install guide available: https://www.elysiumsecurity.com/blog/Guides/post7.html

10. {elysiumsecurity}
cyber protection & response
DEFENSIVE
IDS

11. {elysiumsecurity}
Simplistic NIDS Concept
Guest WIFI
Users Servers
DMZ
IDS
Duplicated
Traffic
Duplicated
Traffic
INTERNET
Traffic
Analysis
Signatures
Patterns/
Behaviours
Security Alerts
Icons from VMWARE

12. {elysiumsecurity}
IDS Requirements for success
1. Traffic Visibility
2. Asset Inventory
3. Context
COVERAGE
TRACKING
TUNING

13. {elysiumsecurity}
Traffic Visibility
• TAP/Span port on key egress points
• Corporate Solutions
- Dedicated hardware
- Soft Config in most switch (Ubiquity Networks, CISCO...)
• Home Solutions:
- Netgear GS105E
- Mikrotik Router
NATting

14. {elysiumsecurity}
Asset Inventory
• IP/Asset inventory software
• - Network dedicated
• - Part of wider asset inventory
• Mac Address Fingerprinting
• Fixed IP
• Reserved DHCP
NATting

15. {elysiumsecurity}
Context
QUESTIONS
• Is that a false positive?
• Is that normal behaviour?
• Is the end point targeted critical?
• Is this a configuration issue?
• Have we seen this before?
• …
ANSWERS
• Network Topology knowledge;
• Asset owner knowledge;
• Application owner knowledge;
• Business analyst contact;
• Cyber Security knowledge.
• …

16. {elysiumsecurity}
IDS Defensive Benefits
• Alerts you of Cyber Security attacks;
• Alerts you of Cyber Security issues;
• Finds vulnerable hosts on your network;
• Finds vulnerable applications on your network;
• Monitors network flow behaviours;
• Monitors network ports activity;
• Monitors network traffic;
• Monitors file transfers;
• Establish network entity relationships;
• …

17. {elysiumsecurity}
IDS Actionable Information

18. {elysiumsecurity}
IDS Defensive Benefits - revisited
• Alerts you of Cyber Security attacks;
• Alerts you of Cyber Security issues;
• Finds vulnerable hosts on your network;
• Finds vulnerable applications on your network;
• Monitors network flow behaviours;
• Monitors network ports activity;
• Monitors network traffic;
• Monitors file transfers;
• Establish network entity relationships;
• …

19. {elysiumsecurity}
cyber protection & response
OFFENSIVE
IDS

20. {elysiumsecurity}
Simplistic NIDS Concept - Revisited
Guest WIFI
Users Servers
DMZ
IDS
Duplicated
Traffic
Duplicated
Traffic
INTERNET
Traffic
Analysis
Signatures
Patterns/
Behaviours
Security Alerts
Files
Passwords,…
Files
Extraction
PCAP Files
PCAP Files
PCAP Files
Icons from VMWARE

21. {elysiumsecurity}
IDS Requirements - Offensive
1. Traffic Capture
REPLAY
&
ANALYSIS
2. Asset Inventory
3. Context
TARGETING
PRIORITISATION

22. {elysiumsecurity}
Traffic Capture
• Physical Access required in most cases
• TAP traffic against key targets
• Powered/Unpowered solutions
• Dummy Capture Devices:
• - Small Router;
• - Throwing Star LAN;
• Intelligent Capture Devices:
• - Raspberry Pi;
• - Hak5 Packet Squirrel.
NO IMPACT

23. {elysiumsecurity}
IDS Offensive Benefits
• Speed up Network Traffic Analysis;
• Identify interesting timelines;
• Identify targets of interest;
• Identify vulnerabilities to exploit;
• Extract sensitive information;
• Profile users and applications;
• …

24. {elysiumsecurity}
Takeaway
• Free IDS available;
• Pre-configured and easy to deploy;
• Provide good defensive visibility and alerts;
• Provide good offensive capabilities;
• Instant returned value;
• Try one today!

25. {elysiumsecurity}
cyber protection & response
emailus@elysiumsecurity.com
THANK YOU
https://www.elysiumsecurity.com