
# Implemented Snort, MISP, Cowrie, and Machine Learning to bolster network security

## Introduction

Our team project focuses on deploying an IDS/IPS system to prevent simulated attack scenarios, acquiring new Indicators of Compromise (IOCs) related to malware, utilizing honeypots to detect attackers' intentions, and leveraging machine learning to identify botnets.

## Objective

Our primary objective is to implement this system in real-world scenarios effectively. The key components of our approach are:

* **Snort:** Used to detect and prevent Distributed Denial of Service (DDoS) attacks.
* **MISP:** Facilitates the acquisition and sharing of Indicators of Compromise (IOCs).
* **Cowrie:** Deployed as a honeypot to monitor and analyze attacker behavior.
* **Machine Learning:** Utilized to identify and detect botnets with greater accuracy.

## Implementation

### Network Architecture

<figure><img src="/files/tOBHDqwF8CJh6aYvIowO" alt=""><figcaption><p>Components</p></figcaption></figure>

### Configure VMware

Our setup consists of two VMware virtual machines: one serves as the attacker, running Kali Linux, and the other is an Ubuntu Server hosting Snort, MISP, and Cowrie. Due to resource limitations, we simulate DoS attacks rather than full-scale DDoS attacks. Both systems are configured within the same local area network (LAN) using the IP range `10.81.1.0/24`.

### Stack

#### Snort

Snort version 3.6.0.0 is used for intrusion detection and prevention. It monitors network traffic for potential threats, such as DoS attacks, and provides real-time alerts for suspicious activities.

#### MISP

MISP is deployed using Docker, offering a platform for collecting, storing, and sharing Indicators of Compromise (IOCs). It helps streamline the process of threat intelligence management and enhances collaboration in the security community.

#### Cowrie

Cowrie is set up as a honeypot to simulate a vulnerable system and observe attacker behavior. By capturing and analyzing attack patterns, it provides insights into attacker tactics, techniques, and procedures.

#### Machine Learning

A machine learning model is employed to detect botnet activity by analyzing network traffic. The model improves accuracy in identifying anomalous behaviors associated with botnets, offering an additional layer of security detection.

{% hint style="info" %}
For the installation and setup of all components, detailed instructions are available in the resource section.
{% endhint %}

## Deploy the scenarios

### Summary

#### Snort

We run Snort in inline mode using the command:

```
sudo snort -c snort.lua -v -Q --daq afpacket -i ens34:ens33 -A alert_fast -s 65535 -k none
```

{% hint style="info" %}
The command runs Snort with a custom configuration (`snort.lua`) in verbose mode (`-v`) and inline mode (`-Q`), using the afpacket DAQ to bridge the interface pair `ens34:ens33` so that traffic passes through Snort. It writes fast-format alerts (`-A alert_fast`), captures full-size packets (`-s 65535`), and disables checksum validation (`-k none`) so that packets with bad checksums are still inspected.
{% endhint %}

In the `snort.lua` configuration file, we define various variables and include specific rules to apply to the system. More details on these settings will be provided when discussing them further.

<figure><img src="/files/3fD3EJXg3O8svWpNH9Lh" alt=""><figcaption><p>Variables</p></figcaption></figure>

<figure><img src="/files/QMB7ao07HuXpOkXOO2EG" alt=""><figcaption><p>Rules</p></figcaption></figure>

#### MISP

We use Docker to deploy and run the MISP instance, ensuring a streamlined and efficient setup process.

<figure><img src="/files/WngOfBAHrblHdJ1uKsF9" alt=""><figcaption><p>Run docker</p></figcaption></figure>

In this setup, we utilize only three feeds as examples to demonstrate MISP's functionality.

<figure><img src="/files/39Nbxiw201HuAlqbbiQ4" alt=""><figcaption><p>Feeds</p></figcaption></figure>

To perform specific actions, we use MISP OpenAPI to interact with the MISP instance and write Python scripts for automation. These scripts are available in my GitHub repository, which is linked in the resource section.

#### Cowrie

We followed a tutorial to set up Cowrie and adjusted the script to align with our specific objectives. This configuration allows Cowrie to not only detect and log intentional attack attempts but also block them before the attackers can execute their actions.

#### Machine Learning

We followed the methodology outlined in the paper "[Botnet Detection](https://github.com/harvardnlp/botnet-detection/tree/master)" to implement machine learning techniques for detecting botnet activity. This approach involves analyzing network traffic patterns to identify potential botnet behavior.

### Simulating DoS Attacks

#### Rule

We have created two rules for detecting ICMP flood and SYN flood attacks, which are included in the `ddos.rules` file.

* ICMP flood

```
alert icmp any any -> $HOME_NET any (msg:"ICMP flood"; sid:1000001; rev:1; gid:1; classtype:icmp-event; detection_filter: track by_dst, count 500, seconds 5;)
```

{% hint style="info" %}
This rule detects ICMP flood attacks by monitoring traffic and triggering an alert if 500 ICMP packets are received within 5 seconds to a single destination.
{% endhint %}

* SYN flood

```
alert tcp any any -> $HOME_NET $HTTP_PORTS (flags: *SR; msg:"Possible DoS Attack Type : SYN flood"; flow:stateless; sid:1000002; detection_filter: track by_dst, count 20, seconds 5; rev:1; gid:1;)
```

{% hint style="info" %}
This rule identifies potential SYN flood attacks by alerting when 20 TCP packets with the SYN and/or RST flag set (`flags: *SR`) are seen within 5 seconds, targeting HTTP ports on a single destination. `flow:stateless` makes the rule match regardless of connection state, which is needed because a flood never completes the handshake.
{% endhint %}

#### Alert

We use Kali Linux to launch attacks with `hping3/ping` and observe the alerts generated by Snort.

* ICMP Flood

<figure><img src="/files/fKENMsap3zKBkEoiw0d0" alt=""><figcaption><p>Attack</p></figcaption></figure>

<figure><img src="/files/zff9gEHXkBZVsbmsELdM" alt=""><figcaption><p>Alerts</p></figcaption></figure>

* SYN Flood

We host a simple web server with Python on the Ubuntu machine as the target, then launch the SYN flood against it.

<figure><img src="/files/pW19uDV2KkL5bbrUyODU" alt=""><figcaption><p>Host Web site</p></figcaption></figure>

<figure><img src="/files/WcIqtINGUsbFxxY0Vae5" alt=""><figcaption><p>Web site</p></figcaption></figure>

<figure><img src="/files/xtYjWodn5beTSXAIT5WA" alt=""><figcaption><p>Attack</p></figcaption></figure>

<figure><img src="/files/NHUMJtOBmxWDqBJcMiXW" alt=""><figcaption><p>Alerts</p></figcaption></figure>

#### Prevent

To prevent attacks, we use the `rate_filter` in the `snort.lua` file, which changes the action from generating an alert to dropping the malicious traffic.

<figure><img src="/files/6qM9ZfkA8yfBUcjyUDab" alt=""><figcaption><p>Change actions</p></figcaption></figure>

<figure><img src="/files/na9vrINUqUWCDoMe7GmQ" alt=""><figcaption><p>Drop ICMP packets</p></figcaption></figure>

<figure><img src="/files/XWAsI1Sc8LD8agDzy1vi" alt=""><figcaption><p>Drop SYN packets</p></figcaption></figure>

{% hint style="warning" %}
Although we configured the `drop` action as described in the documentation, in our setup Snort only labels the packets as "drop" in its output without actually discarding them: when we check with Wireshark, we still see replies from the server. A likely explanation, which we have not verified in this project, is that afpacket inline mode only enforces verdicts on traffic bridged between the two interfaces, while packets addressed to the Snort host itself are still delivered to its local network stack.
{% endhint %}

### MISP: Acquiring IOCs

#### Fetch feeds

To automate the updating of newly acquired IOCs from enabled feeds, we set up a cron job using the crontab tool.

```
0 1 * * * /usr/bin/curl -XPOST --insecure --header "Authorization: APIKEY" --header "Accept: application/json" --header "Content-Type: application/json" https://localhost/feeds/fetchFromAllFeeds
```

{% hint style="info" %}
The cron job runs daily at 1:00 AM and uses `curl` to send a POST request to the MISP API endpoint `/feeds/fetchFromAllFeeds`, authenticating with the API key in the `Authorization` header (replace `APIKEY` with a real key). `--insecure` skips TLS certificate verification, which is acceptable here only because the instance runs on `localhost` without a trusted certificate; it should not be used against a remote MISP server.
{% endhint %}

#### Download rules

To export rules for Snort, we developed a Python script that uses MISP OpenAPI to retrieve and save the rules locally. The script also preprocesses the rule syntax to ensure compatibility with Snort.

<figure><img src="/files/7X0Y7QUPJUcZ4OqPD3M0" alt=""><figcaption><p>Run script</p></figcaption></figure>

I also created a crontab to automate this process, ensuring that the Python script runs at scheduled intervals to export and preprocess the Snort rules automatically.

```
30 2 */2 * * sudo python3 ~/script/down_rule.py
```

{% hint style="info" %}
The crontab runs every two days at 2:30 AM, executing the Python script (`down_rule.py`) with `sudo` to download and preprocess the Snort rules automatically.
{% endhint %}

#### Export rules

To manage the rules added to Snort, we created a script that compares the currently applied rules with any updated rules, ensuring that changes are properly tracked and implemented.

<figure><img src="/files/1jpL70OdIUmwLbzPrGw7" alt=""><figcaption><p>Export rules.</p></figcaption></figure>

<figure><img src="/files/KHitBlRUFKeSpnayDzEf" alt=""><figcaption><p>Rules MISP</p></figcaption></figure>
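One way to implement the comparison step described above, as an added example rather than the project's own script: rules are keyed by `sid`, a diff reports what the new export adds, removes, or changes, and a merge builds the rule file to load next. The sample rule sets are constructed for the example.

```python
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")

def index_rules(text: str) -> dict[int, tuple[int, str]]:
    """Map sid -> (rev, rule text). Blank lines and comments are ignored,
    and a rule without a sid is skipped (Snort would reject it anyway)."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid_match = SID_RE.search(line)
        if not sid_match:
            continue
        rev_match = REV_RE.search(line)
        rev = int(rev_match.group(1)) if rev_match else 0
        rules[int(sid_match.group(1))] = (rev, line)
    return rules

def diff_rules(current: str, updated: str) -> dict[str, list[int]]:
    """Classify sids as added, removed, or changed (same sid but a new rev
    or different text) between the applied rule file and the new export."""
    cur, new = index_rules(current), index_rules(updated)
    return {
        "added": sorted(s for s in new if s not in cur),
        "removed": sorted(s for s in cur if s not in new),
        "changed": sorted(s for s in new if s in cur and new[s] != cur[s]),
    }

def merge_rules(current: str, updated: str) -> str:
    """Rule file to load next: the export wins for every sid it provides
    (so rev bumps are applied); sids only present locally are kept."""
    merged = index_rules(current)
    merged.update(index_rules(updated))
    return "\n".join(text for _, (_, text) in sorted(merged.items())) + "\n"

# Constructed sample rule sets (not taken from the project's MISP export).
CURRENT_RULES = """\
# applied yesterday
alert ip 198.51.100.7 any -> $HOME_NET any (msg:"MISP IOC"; sid:3000001; rev:1;)
alert ip 198.51.100.9 any -> $HOME_NET any (msg:"MISP IOC"; sid:3000002; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP flood"; sid:1000001; rev:1;)
"""
UPDATED_RULES = """\
alert ip 198.51.100.7 any -> $HOME_NET any (msg:"MISP IOC updated"; sid:3000001; rev:2;)
alert ip 203.0.113.5 any -> $HOME_NET any (msg:"MISP IOC"; sid:3000003; rev:1;)
"""
```

Sids reported as `removed` are kept by `merge_rules` on purpose: an IOC that disappears from a feed is a decision for the operator, so the diff surfaces it rather than silently dropping the rule.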

### Cowrie: Detecting Intentional Attacks

We use Nmap to scan for open ports, mimicking the behavior of an attacker to observe how Cowrie detects and logs these scanning attempts.

<figure><img src="/files/xj8KCXblf9dIZIqPuJWs" alt=""><figcaption><p>Scan</p></figcaption></figure>

After performing the port scan, we connect to the honeypot and check the logs to analyze the attacker's behavior and ensure that Cowrie is accurately logging and detecting the activities.

<figure><img src="/files/g2aqpNwwzpQcM9ZTXsTh" alt=""><figcaption><p>SSH</p></figcaption></figure>

Upon checking the logs, we can see that a shell was opened, indicating that the attacker successfully interacted with the honeypot, allowing us to analyze their actions.

<figure><img src="/files/qdqbiZUmnsEDnyOlGxQk" alt=""><figcaption><p>Log file</p></figcaption></figure>

#### Export rules

To extract the IP addresses of attackers, we created a script that reads the `cowrie.json` log file and collects the source IPs of entries whose `eventid` field is `cowrie.session.connect`, the event Cowrie writes for each connection attempt.

<figure><img src="/files/AA7bveYY6ZvspjyptRUK" alt=""><figcaption><p>Json file</p></figcaption></figure>

<figure><img src="/files/bLPeiesMbiOmtMmSqQEw" alt=""><figcaption><p>Export rule</p></figcaption></figure>

<figure><img src="/files/vXVzwjCh0ikeHcbxYYrt" alt=""><figcaption><p>Rule file</p></figcaption></figure>
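The extraction step above, written out as an added example (not the project's script): it reads Cowrie's JSON-lines log, keeps the distinct `src_ip` of each `cowrie.session.connect` event, and emits one Snort 3 rule per address. The log sample is constructed, and the sid range, message text and `classtype` are assumptions.

```python
import ipaddress
import json

# Constructed sample of Cowrie's JSON-lines log (one event per line), using
# the field names Cowrie writes; it is not the project's cowrie.json.
SAMPLE_COWRIE_JSON = """\
{"eventid": "cowrie.session.connect", "src_ip": "10.81.1.20", "src_port": 51234, "dst_ip": "10.81.1.10", "dst_port": 2222, "session": "a1b2c3d4", "timestamp": "2025-01-01T10:00:00.000000Z"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "123456", "src_ip": "10.81.1.20", "session": "a1b2c3d4", "timestamp": "2025-01-01T10:00:01.000000Z"}
{"eventid": "cowrie.session.connect", "src_ip": "10.81.1.20", "src_port": 51240, "dst_ip": "10.81.1.10", "dst_port": 2222, "session": "e5f6a7b8", "timestamp": "2025-01-01T10:00:05.000000Z"}
{"eventid": "cowrie.session.connect", "src_ip": "not-an-ip", "src_port": 1, "dst_ip": "10.81.1.10", "dst_port": 2222, "session": "deadbeef", "timestamp": "2025-01-01T10:00:06.000000Z"}
{"eventid": "cowrie.session.connect", "src_ip": "10.81.1.77", "src_port": 40001, "dst_ip": "10.81.1.10", "dst_port": 2222, "session": "c9d0e1f2", "timestamp": "2025-01-01T10:01:00.000000Z"}
truncated line that is not JSON
"""

def attacker_ips(lines) -> list[str]:
    """Distinct src_ip values of cowrie.session.connect events, in first-seen
    order. Malformed lines and values that are not valid IP addresses are
    skipped so that junk never ends up in the generated rule file."""
    seen: dict[str, None] = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("eventid") != "cowrie.session.connect":
            continue
        try:
            ip = str(ipaddress.ip_address(event.get("src_ip", "")))
        except ValueError:
            continue
        seen.setdefault(ip, None)
    return list(seen)

def build_rules(ips, home_net: str = "$HOME_NET", base_sid: int = 2000001) -> list[str]:
    """One Snort 3 rule per attacker IP. The sid range and classtype are
    assumptions; use `drop` instead of `alert` when Snort runs inline."""
    return [
        f'alert ip {ip} any -> {home_net} any (msg:"Cowrie attacker {ip}"; '
        f'sid:{base_sid + i}; rev:1; classtype:attempted-recon;)'
        for i, ip in enumerate(ips)
    ]
```

`attacker_ips` accepts any iterable of lines, so an open `cowrie.json` file handle can be passed directly, and the returned rules can be written to the rule file Snort includes from `snort.lua`.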

<details>

<summary>Contribution</summary>

[azhlm](https://github.com/azhlm)

</details>

### Machine Learning

Traditional rule-based methods often fail to detect coordinated attacks, such as botnets, as they cannot analyze the relationships between multiple requests. Similarly, simple machine learning models that assess individual requests may perform well on controlled datasets but struggle in real-world scenarios. Effective detection requires analyzing a host's behavior within the context of larger request snapshots, ranging from 1,000 to 10,000 requests.

Graph Neural Networks (GNNs) and Graph Attention Networks (GATs) are highly effective in this context, as they capture the relational structure and dependencies within the network. This capability enables them to deliver superior performance when applied to real-world systems.

#### Key Benefits

* **Relational Insights:** GAT effectively captures host interactions within a request snapshot, enabling the identification of coordinated botnet behavior.
* **Focused Detection:** The attention mechanism emphasizes critical connections that are indicative of potential attacks, improving detection accuracy.

<div align="left"><figure><img src="/files/7P2R4UPCa8axo720Hyjp" alt="" width="375"><figcaption><p>A graph plot depicting a normal network during a centralized botnet attack.</p></figcaption></figure> <figure><img src="/files/tZFHEbN2wn4LsaylFiLP" alt="" width="375"><figcaption><p>A graph plot depicting a normal network during a centralized botnet attack.</p></figcaption></figure></div>

<div align="left"><figure><img src="/files/4yjylrZyDo7FwxCjGGTm" alt="" width="375"><figcaption><p>A graph plot illustrating the network after the model predicts botnet activity.</p></figcaption></figure> <figure><img src="/files/Shb4Z1zwDJVtCClCGDHu" alt="" width="375"><figcaption><p>A graph plot illustrating the network after the model predicts botnet activity.</p></figcaption></figure></div>

<details>

<summary>Contribution</summary>

[F1xedbot](https://github.com/F1xedbot)

</details>

### Additional

We integrated the OpenAppID module with Snort to improve application detection by analyzing traffic patterns. OpenAppID helps Snort identify and categorize applications, allowing for more precise detection of threats based on specific application behaviors, enhancing overall network security.

```
alert tcp any any -> any any ( msg:"Google Detected"; appids:"Google"; sid:1000006; metadata:policy security-ips alert; )
```

<figure><img src="/files/HcQAUACc70e729CWz4P1" alt=""><figcaption><p>snort.lua</p></figcaption></figure>

<figure><img src="/files/4VLrqGOPPAvVWiyEIz3m" alt=""><figcaption><p>Detecting with AppID</p></figcaption></figure>

{% hint style="warning" %}
When applying AppID in rules, Snort should operate in passive mode, focusing solely on detecting and identifying application traffic without actively blocking it.
{% endhint %}

## Resources

{% hint style="success" %}
**Snort**

* [Snort 3 (IPS) - Installation, Configuration and creating Local Rules](https://www.youtube.com/watch?v=5eB4SnT7dtg)
* [How to Install & Configure Snort on Ubuntu Linux?](https://www.zenarmor.com/docs/linux-tutorials/how-to-install-and-configure-snort-on-ubuntu-linux)
* [Snort 3 Rule Writing Guide](https://docs.snort.org/welcome#snort-3-rule-writing-guide)

**MISP**

* [MISP - User Guide A Threat Sharing Platform](https://www.circl.lu/doc/misp/)
* [MISP Automation API](https://www.misp-project.org/openapi/)

**Cowrie**

* [Setup a honeypot and catch hackers for FREE | cowrie tutorial](https://www.youtube.com/watch?v=jo-eaptc9Bw)
* [How to Hack the Hackers | Cowrie Honeypot](https://www.youtube.com/watch?v=m7ZmwjyhzHU)
* [Welcome to Cowrie’s documentation](https://docs.cowrie.org/en/latest/index.html)

**Script**

* [MISP-Cowrie-Script](https://github.com/WalterDrake/MISP-Cowrie-Script)
{% endhint %}

