Implemented Snort, MISP, Cowrie, and Machine Learning to bolster network security

Introduction

Our team project focuses on deploying an IDS/IPS system to prevent simulated attack scenarios, acquiring new Indicators of Compromise (IOCs) related to malware, utilizing honeypots to detect attackers' intentions, and leveraging machine learning to identify botnets.

Objective

Our primary objective is to implement this system in real-world scenarios effectively. The key components of our approach are:

• Snort: Used to detect and prevent Distributed Denial of Service (DDoS) attacks.

• MISP: Facilitates the acquisition and sharing of Indicators of Compromise (IOCs).

• Cowrie: Deployed as a honeypot to monitor and analyze attacker behavior.

• Machine Learning: Utilized to identify and detect botnets with greater accuracy.

Implement

Network Architect

Components

Configure VMWare

Our setup includes two VMware instances: one serves as the attacker, running Kali Linux, and the other is an Ubuntu Server hosting Snort, MISP, and Cowrie. Due to resource limitations, we simulate DoS attacks rather than full-scale DDoS attacks. Both systems are configured within the same local area network (LAN) using the IP range 10.81.1.0/24.

Stack

Snort

Snort version 3.6.0.0 is used for intrusion detection and prevention. It monitors network traffic for potential threats, such as DoS attacks, and provides real-time alerts for suspicious activities.

MISP

MISP is deployed using Docker, offering a platform for collecting, storing, and sharing Indicators of Compromise (IOCs). It helps streamline the process of threat intelligence management and enhances collaboration in the security community.

Cowrie

Cowrie is set up as a honeypot to simulate a vulnerable system and observe attacker behavior. By capturing and analyzing attack patterns, it provides insights into attacker tactics, techniques, and procedures.

Machine Learning

A machine learning model is employed to detect botnet activity by analyzing network traffic. The model improves accuracy in identifying anomalous behaviors associated with botnets, offering an additional layer of security detection.

For the installation and setup of all components, detailed instructions are available in the resource section.

Deploy the scenarios

Summary

Snort

We run Snort in inline mode using the command:

sudo snort -c snort.lua -v -Q --daq afpacket -i ens34:ens33 -A alert_fast -s 65535 -k none

The command runs Snort with a custom configuration (snort.lua) in verbose mode, using the afpacket DAQ method to capture packets on specified interfaces (ens34:ens33). It generates fast alerts (alert_fast), captures full packet sizes (-s 65535), and disables checksum validation (-k none)

In the snort.lua configuration file, we define various variables and include specific rules to apply to the system. More details on these settings will be provided when discussing them further.

Variables

Rules

MISP

We use Docker to deploy and run the MISP instance, ensuring a streamlined and efficient setup process.

Run docker

In this setup, we utilize only three feeds as examples to demonstrate MISP's functionality.

Feeds

To perform specific actions, we use MISP OpenAPI to interact with the MISP instance and write Python scripts for automation. These scripts are available in my GitHub repository, which is linked in the resource section.

Cowrie

We followed a tutorial to set up Cowrie and adjusted the script to align with our specific objectives. This configuration allows Cowrie to not only detect and log intentional attack attempts but also block them before the attackers can execute their actions.

Machine Learning

We followed the methodology outlined in the paper "Botnet Detection" to implement machine learning techniques for detecting botnet activity. This approach involves analyzing network traffic patterns to identify potential botnet behavior.

Simulating DoS Attacks

Rule

We have created two rules for detecting ICMP flood and SYN flood attacks, which are included in the ddos.rules file.

• ICMP flood

alert icmp any any -> $HOME_NET any (msg:"ICMP flood"; sid:1000001; rev:1; gid:1; classtype:icmp-event; detection_filter: track by_dst, count 500, seconds 5;)

This rule detects ICMP flood attacks by monitoring traffic and triggering an alert if 500 ICMP packets are received within 5 seconds to a single destination.

• SYN flood

alert tcp any any -> $HOME_NET $HTTP_PORTS (flags: *SR; msg:"Possible DoS Attack Type : SYN flood"; flow:stateless; sid:1000002; detection_filter: track by_dst, count 20, seconds 5; rev:1; gid:1;)// Some code

This rule identifies potential SYN flood attacks by looking for 20 TCP packets with SYN and/or RST flags set, targeting HTTP ports within 5 seconds to a single destination.

Alert

We use Kali Linux to launch attacks with hping3/ping and observe the alerts generated by Snort.

• ICMP Flood

Attack

Alerts

• SYN Flood

We host a server using Python to simulate a DoS attack on the web server.

Host Web site

Web site

Attack

Alerts

Prevent

To prevent attacks, we use the rate_filter in the snort.lua file, which changes the action from generating an alert to dropping the malicious traffic.

Change actions

Drop ICMP packets

Drop SYN packets

Although we followed the documentation, the drop action in Snort is supposed to drop malicious packets. However, in our case, it still appears that Snort only notifies the action as "drop" without actually dropping the packets. When we check using Wireshark, we can still see replies from the server.

MISP: Acquiring IOCs

Fetch feeds

To automate the updating of newly acquired IOCs from enabled feeds, we set up a cron job using the crontab tool.

0 1 * * * /usr/bin/curl -XPOST --insecure --header "Authorization: APIKEY" --header "Accept: application/json" --header "Content-Type: application/json" https://localhost/feeds/fetchFromAllFeeds

The cron job runs daily at 1:00 AM and uses curl to send a POST request to the MISP instance's API endpoint (/feeds/fetchFromAllFeeds). It includes the necessary headers, such as the API key, to fetch updates from all enabled feeds securely.

Download rules

To export rules for Snort, we developed a Python script that uses MISP OpenAPI to retrieve and save the rules locally. The script also preprocesses the rule syntax to ensure compatibility with Snort.

Run script

I also created a crontab to automate this process, ensuring that the Python script runs at scheduled intervals to export and preprocess the Snort rules automatically.

30 2 */2 * * sudo python3 ~/script/down_rule.py

The crontab runs every two days at 2:30 AM, executing the Python script (down_rule.py) with sudo to download and preprocess the Snort rules automatically.

Export rules

To manage the rules added to Snort, we created a script that compares the currently applied rules with any updated rules, ensuring that changes are properly tracked and implemented.

Export rules.

Rules MISP

Cowrie: Detecting Intentional Attacks

We use Nmap to scan for open ports, mimicking the behavior of an attacker to observe how Cowrie detects and logs these scanning attempts.

Scan

After performing the port scan, we connect to the honeypot and check the logs to analyze the attacker's behavior and ensure that Cowrie is accurately logging and detecting the activities.

SSH

Upon checking the logs, we can see that a shell was opened, indicating that the attacker successfully interacted with the honeypot, allowing us to analyze their actions.

Log file

Export rules:

To extract the IP addresses of attackers, we created a script that reads the cowrie.json file and identifies the IPs associated with the cowrie.session.connect event ID, which logs the connection attempts by the attackers.

Json file

Export rule

Rule file

Contribution

azhlm

Machine Learning

Traditional rule-based methods often fail to detect coordinated attacks, such as botnets, as they cannot analyze the relationships between multiple requests. Similarly, simple machine learning models that assess individual requests may perform well on controlled datasets but struggle in real-world scenarios. Effective detection requires analyzing a host's behavior within the context of larger request snapshots, ranging from 1,000 to 10,000 requests.

Graph Neural Networks (GNNs) and Graph Attention Networks (GATs) are highly effective in this context, as they capture the relational structure and dependencies within the network. This capability enables them to deliver superior performance when applied to real-world systems.

Key Benefits

• Relational Insights: GAT effectively captures host interactions within a request snapshot, enabling the identification of coordinated botnet behavior.

• Focused Detection: The attention mechanism emphasizes critical connections that are indicative of potential attacks, improving detection accuracy.

A graph plot depicting a normal network during a centralized botnet attack.

A graph plot depicting a normal network during a centralized botnet attack.

A graph plot illustrating the network after the model predicts botnet activity.

A graph plot illustrating the network after the model predicts botnet activity.

Contribution

F1xedbot

Additional

We integrated the OpenAppID module with Snort to improve application detection by analyzing traffic patterns. OpenAppID helps Snort identify and categorize applications, allowing for more precise detection of threats based on specific application behaviors, enhancing overall network security.

alert tcp any any -> any any ( msg:"Google Detected"; appids:"Google"; sid:1000006; metadata:policy security-ips alert; )

snort.lua

Detecting with AppID

When applying AppID in rules, Snort should operate in passive mode, focusing solely on detecting and identifying application traffic without actively blocking it.

Resources

Snort

• Snort 3 (IPS) - Installation, Configuration and creating Local Rules
• How to Install & Configure Snort on Ubuntu Linux?
• Snort 3 Rule Writing Guide

MISP

• MISP - User Guide A Threat Sharing Platform
• MISP Automation API

Cowrie

• Setup a honeypot and catch hackers for FREE | cowrie tutorial
• How to Hack the Hackers | Cowrie Honeypot
• Welcome to Cowrie’s documentation

Script

• MISP-Cowrie-Script