Module 1: Introduction to IDS & IDP

Intrusion Detection and Prevention Systems (IDS & IDP) play a critical role in cybersecurity,
helping organizations detect, analyze, and respond to cyber threats. This module introduces these
concepts, explains their differences, and explores their importance in modern security frameworks.

1. Concept of Intrusion Detection and Prevention

1.1 Definition of Intrusion Detection Systems (IDS) and Intrusion Prevention
Systems (IPS)
• Intrusion Detection System (IDS):
IDS is a security tool that monitors network or system activities for suspicious behavior,
unauthorized access, or policy violations. It alerts security teams but does not actively block
threats.
• Intrusion Prevention System (IPS):
IPS is an advanced version of IDS that not only detects threats but also takes immediate
action to block malicious activity, such as terminating a connection or updating firewall
rules.

1.2 Differences Between IDS and IPS

Feature Intrusion Detection System (IDS) Intrusion Prevention System (IPS)
Function Detects and alerts on threats Detects and prevents threats
Response Passive (logs and alerts) Active (blocks malicious traffic)
Monitors traffic but does not
Placement Sits inline and actively blocks threats
interfere
Impact on Traffic No direct effect Can cause latency due to filtering
Snort (IPS mode), Palo Alto IPS, Cisco
Example Tools Snort (IDS mode), OSSEC, Suricata
IPS

1.3 Role of IDS and IDP in Cybersecurity Frameworks

IDS and IPS are crucial components of layered security architectures and fit into cybersecurity
models such as:
• Defense in Depth: Adds another security layer to firewalls and endpoint protection.
• Zero Trust Model: Ensures all network activity is monitored and analyzed for threats.
• Threat Intelligence Integration: Uses global databases and AI-powered analytics to detect
evolving cyber threats.
• Incident Response Planning: Helps security teams identify breaches and take remedial
actions faster.
2. Types of Cyber Attacks
IDS can detect and analyze various types of cyberattacks, categorized into three broad groups:
Network-based, Host-based, and Application-based attacks.

2.1 Network-based Attacks

These attacks target network infrastructure, affecting communication between systems.

Attack Type Description

DDoS (Distributed Denial Overwhelms a server or network with excessive traffic, making it
of Service) unavailable.
MITM (Man-in-the- Intercepts communication between two parties to steal or manipulate
Middle) data.
SQL Injection Injects malicious SQL queries to access or modify database records.
Tricks a network by sending false Address Resolution Protocol
ARP Spoofing (ARP) messages to link an attacker’s MAC address with a legitimate
IP address.

2.2 Host-based Attacks

Host-based attacks are launched against specific computers, exploiting weaknesses in operating
systems or applications.

Attack Type Description

Gains unauthorized administrative access by exploiting
Privilege Escalation
software vulnerabilities.
Malware (Trojans, Ransomware, Infects and takes control of a system to steal or encrypt
Rootkits, etc.) data.
Records user keystrokes to capture sensitive information
Keylogging
like passwords.

2.3 Application-based Attacks

These attacks exploit vulnerabilities in web applications and services.

Attack Type Description

Cross-Site Scripting (XSS) Injects malicious scripts into web pages viewed by users.
Cross-Site Request Forgery
Forces users to perform unwanted actions on a trusted website.
(CSRF)
Remote Code Execution
Executes malicious code on a victim's server or application.
(RCE)
File Inclusion Attacks (LFI & Injects malicious files into a web application to execute
RFI) unauthorized commands.
IDS solutions analyze traffic patterns and behavior to detect these threats before they cause damage.

3. Need for IDS and IDP in Modern Security Architectures

The evolving cyber threat landscape necessitates proactive security measures, making IDS and
IPS essential for modern organizations.
3.1 Zero Trust Model & Threat Intelligence
• Zero Trust Model:
• Assumes that no entity (internal or external) is inherently trusted.
• Uses continuous monitoring (IDS/IPS) to verify all users and devices.
• Implements network segmentation and adaptive authentication.
• Threat Intelligence Integration:
• IDS/IPS solutions integrate with global cyber threat databases to detect new attack
patterns.
• Uses AI & machine learning to analyze traffic anomalies.

3.2 Compliance Requirements (e.g., GDPR, NIST, ISO 27001)

Many regulations mandate intrusion detection and prevention mechanisms to ensure data
security.

Compliance Standard IDS/IPS Requirement

GDPR (General Data Protection Requires proactive monitoring of network traffic to
Regulation) detect breaches.
NIST (National Institute of Standards Recommends IDS/IPS for real-time attack detection
and Technology) and incident response.
ISO 27001 (Information Security Mandates network security monitoring and risk
Standard) assessment measures.
Organizations failing to implement IDS and IPS risk data breaches, financial penalties, and
reputational damage.

Conclusion
• IDS and IPS are essential for detecting and preventing cyber threats.
• IDS is passive, while IPS is active in stopping attacks.
• They protect against network-based, host-based, and application-based attacks.
• Modern security frameworks like Zero Trust and Threat Intelligence rely on IDS/IPS.
• Compliance standards (GDPR, NIST, ISO 27001) make IDS/IPS implementation a
necessity.

Hands-on Lab Exercise

💻 Objective: Configure and test Snort IDS in a virtual environment.
Step 1: Install Snort (Linux)
sudo apt update
sudo apt install snort

Step 2: Check Network Interfaces

snort -W
Step 3: Run Snort in IDS Mode
sudo snort -A console -i eth0 -c /etc/snort/snort.conf -l /var/log/snort/

Step 4: Simulate an Attack (Ping Flood)

On another machine:
ping -f <target_IP>

Step 5: Analyze Snort Logs

cat /var/log/snort/alert

🛠️ Expected Outcome: Snort should detect the attack and generate an alert.

🚀
This module provides a strong foundation for understanding IDS & IPS, preparing for deeper
cybersecurity concepts in subsequent modules.
=======================================================================
=======================================================================

Module 2: IDS and IDP Architectures

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) can be designed in
different architectures depending on their placement, functionality, and detection methods. This
module explores the various IDS and IPS architectures, their differences, and their role in a
Security Operations Center (SOC).

Understanding APR (Address Resolution protocol)

1. ARP Resolution (Normal Behavior)

• Definition: ARP (Address Resolution Protocol) maps IP addresses to MAC addresses in a
LAN.
• Process:
• Host sends ARP request: “Who has 192.168.1.1?”
• Device with that IP replies with its MAC address.
• Usage: Ensures correct packet delivery within the LAN.
• Normal ARP Traffic in Wireshark: Seen as ARP Request and ARP Reply.
2. ARP Poisoning / ARP Spoofing
• Definition: Attacker sends fake ARP replies to associate their MAC address with the IP of a
legitimate device (e.g., gateway or DNS).
• Goal: Redirect traffic to attacker → Man-in-the-Middle (MITM) attack.
• Impact:
• Data sniffing (e.g., passwords, logins).
• Session hijacking.
• Network disruption.
• Attack Command (from your PDF):
• arpspoof -i eth0 -t <victim-IP> <gateway-IP>
• Detection Using Wireshark:
• Filter: arp.duplicate-address-detected
• Look for:
• Unexpected ARP replies.
• Multiple devices claiming the same IP.
• Frequent unsolicited ARP replies.

3. MAC Flooding
• Definition: Attack floods the switch with fake MAC addresses.
• Goal: Exhaust switch’s MAC table → switch enters “fail-open” mode → sends all traffic to
all ports (like a hub).
• Impact:
• Allows attacker to capture all network traffic using a packet sniffer.
• Mitigation Techniques:
• Enable port security on switches.
• Set limits on MAC addresses per port.

4. Wireshark in ARP Attack Detection

• Wireshark Filter:
• arp.duplicate-address-detected → Identifies MAC/IP conflicts.
• Other Useful Indicators:
• ARP replies without corresponding requests.
• Different MACs mapping to the same IP in close time windows.
• High frequency of ARP traffic from one device.
IDS Overview:

1. Overview of IDS Functionality

• IDS = Intrusion Detection System: Detects unauthorized or malicious activities in a network.
• Types of IDS:
• NIDS (Network-based IDS): Monitors packets across the network.
• HIDS (Host-based IDS): Monitors system logs and file changes on individual
devices.
• IDS is passive (detects and alerts), not active like an IPS (which blocks).

2. Key Components of IDS

• 1. Sensors – The Data Collectors

Sensors: Collect network packets or logs (e.g., from routers or end devices).
Function: Monitor and capture traffic/events from network or host systems.
Types:
• Network-based sensors: Capture packets (e.g., via NIC in promiscuous mode).
• Host-based sensors: Monitor log files, system calls, or file integrity.
Tools/Examples:
• Snort, tcpdump, Wireshark (for packet capture).
Role: Provide raw input data to analyzers for inspection.

2. Analyzers: ( The Intelligence Core) Process data to detect anomalies or known threats.

Function: Process data collected by sensors to detect suspicious or malicious activity.

Types:
• Signature-based analyzers: Match known attack patterns.
• Anomaly-based analyzers: Detect deviations from normal behavior.
Interplay with Sensors:
• Continuously receive and inspect real-time traffic/logs.
Tools/Examples:
 • Snort rule engine, Suricata, Bro (Zeek).
Key Tasks:
• Traffic reassembly.
• Intrusion pattern recognition.
• Alert generation.
• 3. Databases – (The Knowledge Store) : Stores signatures or behavioral baselines.
Function: Store:
• Event logs,
• Known attack signatures,
• Statistical profiles,
• Alert records for future reference.
Types:
• Signature repositories (e.g., CVE databases).
• Historical logs for correlation or forensic analysis.
Interplay with Analyzers:
• Used to compare real-time events with past records.
• Supports behavioral baselining and trend detection.

4. Response Systems – (The Action Takers) Alert admins or integrate with SIEM; may
log or respond (passively or actively).
Function:
• Trigger alerts, send notifications, or initiate automated responses.
Types:
• Passive: Alerts admin via logs, emails, dashboards.
• Active: Automatically blocks IPs, disables ports, or modifies firewall rules.
Tools/Examples:
• SIEM systems, email alert systems, scripts to update ACLs.
Interplay with Analyzers & Databases:
• Based on analyzer input and historical data, determines appropriate response actions.

4. Explanation of Network Devices in Diagram

• Internet: Entry point for external traffic (potential threats).
 • Router/Firewall:
• Routes traffic and blocks unauthorized ports/IPs.
• Positioned before the IDS to handle basic filtering.
• SPAN Port (Switched Port Analyzer):
• Copies all switch traffic and sends it to the IDS sensor.
• Ensures IDS sees both incoming and outgoing packets.
• Network IDS (NIDS):
• Connected via SPAN or TAP.
• Inspects mirrored traffic using rules (e.g., Snort, Suricata).
• Switch/Hub:
• Distributes internal traffic to devices.
• Attacks like ARP spoofing, SYN flood may occur here.
• Servers (Database, Web, File):
• Hosts critical services.
• HIDS installed to track local logs, file integrity, unauthorized access.
• Workstations (PCs/Laptops):
• Entry points for threats via phishing, malware, or USBs.
• Monitored passively via NIDS or locally via HIDS.

5. Working of IDS in the Network

• Data Flow:
1. Traffic enters through the router/firewall.
2. A copy of the traffic is sent to NIDS via SPAN.
3. NIDS inspects the packets, checks signatures or behavior.
4. HIDS on hosts monitor logs, processes, file changes.
5. Analyzer compares with signature DB or behavior baseline.
6. Alerts or logs are generated → sent to admins or SIEM.

1. Types of IDS (Intrusion Detection Systems)

IDS can be categorized based on where and how they monitor traffic:

Type Monitoring Location Use Case

Network-based IDS Monitors entire network
Detects attacks before they reach endpoints
(NIDS) traffic
Installed on a specific Monitors logs and system files for
Host-based IDS (HIDS)
system unauthorized access
Provides both network-wide and host-level
Hybrid IDS Combines NIDS & HIDS
security
1.1 Network-based IDS (NIDS): Architecture & Functionality
📌 Definition:
NIDS monitors network traffic to detect malicious activities such as DDoS attacks, port scanning,
or unauthorized access.

📌 Architecture of NIDS
• Sensors: Placed at key network points (e.g., firewall or router).
• Analyzer/Detection Engine: Uses rules (signature-based) or AI (anomaly-based) to detect
threats.
• Alert System: Sends notifications to administrators when suspicious activity is detected.

📌 How NIDS Works

1. Captures network traffic in real-time.
2. Analyzes packet headers & payloads for signs of attacks.
3. Matches traffic with threat signatures or detects anomalies.
4. Generates alerts for potential security breaches.
✅ Example Tools: Snort, Suricata, Zeek (Bro)
1.2 Host-based IDS (HIDS): Features & Implementation
📌 Definition:
HIDS monitors a specific device’s logs and files for unauthorized changes or suspicious activities.

📌 Features of HIDS
• Monitors system files, registry changes, and logs.
• Detects unauthorized application execution.
• Identifies insider threats that bypass network security.

📌 Implementation Steps
1. Install HIDS software on critical systems (e.g., servers, endpoints).
2. Define policies for monitoring (e.g., watch system logs, kernel activities).
3. Configure alert thresholds (e.g., detect multiple failed login attempts).
4. Integrate with SIEM for centralized analysis.
✅ Example Tools: OSSEC, Tripwire, Wazuh
1.3 Hybrid IDS: Combining NIDS & HIDS
📌 Definition:
Hybrid IDS combines network-wide monitoring (NIDS) and host-level analysis (HIDS) for
enhanced threat detection.
📌 Advantages of Hybrid IDS
• Comprehensive visibility: Detects both network-level attacks (DDoS, MITM) and host-
based threats (malware, privilege escalation).
• Reduces false positives: Uses host data to validate network alerts.
• Effective against APTs (Advanced Persistent Threats): Provides layered detection.
✅ Example Tools: Suricata (NIDS) + OSSEC (HIDS) for a hybrid setup.
2. Types of IPS (Intrusion Prevention Systems)
IPS can be classified based on how they detect threats and where they are deployed.

2.1 Signature-based IPS vs. Anomaly-based IPS

Type Detection Method Pros Cons
Signature-based Matches traffic against a database Accurate for Cannot detect new,
IPS of known attack patterns known threats unknown attacks
Anomaly-based Uses machine learning to identify Detects zero-day Higher false positive

✅
IPS unusual behavior attacks rate
Example Tools:
• Signature-based: Snort, Suricata
• Anomaly-based: Darktrace, AI-powered IPS solutions

2.2 Host-based IPS (HIPS) vs. Network-based IPS (NIPS)

Type Placement Functionality Example Tools
Installed on
Host-based IPS Blocks unauthorized system Windows Defender
endpoints (PCs,
(HIPS) modifications, malware execution ATP, OSSEC
servers)
Network-based IPS Deployed at network Blocks malicious packets before Palo Alto IPS,

🚀
(NIPS) gateways they reach endpoints Cisco Firepower
HIPS vs. NIPS Use Cases
• Use HIPS for endpoint protection (e.g., preventing malware execution).
• Use NIPS for perimeter security (e.g., stopping incoming DDoS attacks).

3. Comparison of IDS, IPS, Firewall & SIEM

Security solutions complement each other to provide layered defense.

3.1 How IDS/IDP Fits into a Security Operations Center (SOC)

📌 SOC (Security Operations Center) is a centralized cybersecurity team that manages security
monitoring, incident response, and threat intelligence.
 Technology Function
IDS Detects threats but does not block them
IPS Detects and prevents threats in real-time
Firewall Controls traffic flow based on rules
SIEM (Security Information and Event Centralizes logs and correlates events for deeper

🚀
Management) threat analysis
Example SOC Workflow with IDS & IPS
1. IDS detects abnormal activity (e.g., repeated failed login attempts).
2. IPS blocks malicious traffic (e.g., an exploit attempt).
3. SIEM collects and analyzes logs from IDS, IPS, firewalls, and endpoints.
4. SOC team investigates and takes further action.
✅ Example SIEM Solutions: Splunk, IBM QRadar, ELK Stack
3.2 IDS & IDP Integration with Firewalls, Antivirus & Threat Intelligence
📌 For a robust security posture, IDS and IPS work alongside firewalls, antivirus, and threat
intelligence.

Integration Functionality
IDS & Firewalls IDS detects suspicious traffic, firewall blocks attackers
IPS & Firewalls IPS prevents attacks that bypass firewall rules
IDS/IPS & Antivirus IDS detects malware signatures, antivirus removes infected files

✅
IDS/IPS & Threat Intelligence Feeds real-time attack data to IDS/IPS for better detection
Example: Cisco Firepower (IPS) + Palo Alto NGFW (Firewall) + CrowdStrike (Threat
Intelligence) for an advanced security architecture.

Conclusion
• NIDS provides network-wide monitoring, while HIDS protects individual hosts.
• Hybrid IDS offers both network and host protection.
• IPS actively blocks threats, using either signature-based or anomaly-based detection.
• NIPS (network-based IPS) protects traffic flow, while HIPS (host-based IPS) secures
endpoints.
• IDS and IPS integrate with firewalls, antivirus, and SIEM platforms to provide layered
security.
• SOC teams use IDS/IPS for proactive threat detection and incident response.

Hands-on Lab Exercise

💻 Objective: Deploy Suricata as an IDS/IPS solution.
Step 1: Install Suricata
sudo apt update
sudo apt install suricata -y

Step 2: Enable IDS Mode

sudo suricata -c /etc/suricata/suricata.yaml -i eth0

Step 3: Test IDS with a Malicious Request

curl -A "BlackSun" http://testsite.com

(Suricata should detect this user-agent as a potential attack attempt.)

Step 4: Enable IPS Mode

Modify suricata.yaml:
outputs:
- fast:
enabled: yes
- drop:
enabled: yes

Restart Suricata:
sudo systemctl restart suricata

🛠️ Expected Outcome:
• In IDS mode, Suricata logs the attack.
• In IPS mode, Suricata blocks the request.

🚀
This module provides a detailed understanding of IDS & IPS architectures, setting the stage for
advanced detection techniques in the next module.
=======================================================================

Module 3: IDS and IDP Deployment Strategies

Deploying an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) effectively
requires strategic planning, proper sensor placement, and the right choice of tools. This module
focuses on deployment architectures, open-source tools, and hands-on configuration of
IDS/IPS solutions.
1. Designing an IDS/IDP Infrastructure
1.1 Placement of IDS Sensors
The effectiveness of IDS/IPS depends largely on where sensors are deployed within a network.
Proper placement allows monitoring of critical traffic paths while minimizing performance
overhead.

Placement Description Use Case

Placed before the firewall to monitor Detects external threats before
Perimeter
incoming traffic from the internet. they reach internal assets.
DMZ Monitors traffic between public-facing Protects public services from
(Demilitarized services (e.g., web servers) and internal attacks and identifies lateral
Zone) systems. movements.
Monitors east-west traffic
Detects insider threats, privilege
Internal Network (communication between internal
escalation, and lateral movements.
🚀
devices).
Best Practice: Use multiple sensors (NIDS + HIDS) for comprehensive coverage.

1.2 Deployment Scenarios (Inline vs. Passive IDS)

IDS and IPS can be deployed in two modes:

Deployment
Description Pros Cons
Type
Monitors traffic without interfering.
No impact on network Cannot block
Passive IDS Uses network taps or SPAN ports to copy
performance. attacks.
traffic.
Placed directly in the traffic path, Can actively block May introduce
Inline IPS
🚀
allowing real-time attack prevention. malicious traffic. latency.
Best Practice:
• Use Passive IDS for detection-only environments.
• Use Inline IPS in high-security zones (e.g., financial or government networks).

1.3 Cloud-based vs. On-Premise IDS/IPS

Type Description Pros Cons
Cloud-based Hosted by a cloud provider, Scalable, low Limited customization,
IDS/IPS monitors virtual infrastructure. maintenance. vendor dependency.
On-Premise Deployed within a physical Full control, better Higher hardware costs,

✅
IDS/IPS data center. compliance. complex maintenance.
Example Cloud IDS Solutions:
• AWS GuardDuty (Cloud IDS)
• Azure Security Center
• Google Cloud IDS
🚀 Best Practice: Hybrid deployments use on-premise IDS for internal traffic and cloud-based
IDS for external traffic.

2. Popular Open-Source IDS & IDP Tools

Open-source IDS/IPS tools offer cost-effective and flexible security solutions.

2.1 Snort (Signature-based Detection)

• Developed by Cisco.
• Uses predefined signatures to detect threats.
• Can be deployed as IDS (alert mode) or IPS (inline mode).
✅ Best for: Networks with predictable threats, firewall integration.
2.2 Suricata (High-Performance IDS)
• Multi-threaded engine for high-speed networks.
• Supports signature, anomaly, and protocol-based detection.
• Can function as IDS or IPS.
✅ Best for: High-traffic environments requiring fast analysis.
2.3 Zeek (Bro IDS) (Behavioral Analysis)
• Focuses on network behavior analysis instead of signature-based detection.
• Detects zero-day attacks and anomalies.
• Generates detailed traffic logs.
✅ Best for: Advanced network forensics and security monitoring.
2.4 OSSEC (Host-based IDS)
• Monitors file integrity, logs, and rootkits on endpoints.
• Supports real-time alerts and automated responses.
✅ Best for: Securing critical servers and endpoints.
2.5 Wazuh (SIEM & HIDS)
• Fork of OSSEC, designed for enterprise-scale SIEM.
• Provides HIDS + SIEM capabilities in a single platform.
✅ Best for: Organizations requiring centralized log analysis.
🚀 Comparison of Open-Source IDS Tools:
 Tool Type Detection Method Use Case
Snort NIDS/NIPS Signature-based Traditional networks
Suricata NIDS/NIPS Signature & anomaly-based High-performance environments
Zeek (Bro) NIDS Behavioral analysis Network forensics
OSSEC HIDS Log analysis Endpoint security
Wazuh HIDS + SIEM Log & file integrity monitoring Centralized security

3. Hands-on IDS/IDP Configuration

3.1 Installing Snort, Suricata, and Zeek
Step 1: Install Required Packages
sudo apt update
sudo apt install snort suricata zeek -y

3.2 Writing IDS Rules for Detecting Common Attacks

📌 Example 1: Snort Rule for Detecting a DDoS Attack
Add the following rule to /etc/snort/rules/ddos.rules:
alert tcp any any -> any 80 (msg:"Possible DDoS attack detected"; flags:S;
threshold:type both, track by_src, count 10, seconds 2; sid:1000001;)

🚀 Explanation:
• Triggers an alert if a single IP sends 10 SYN packets in 2 seconds (common in DDoS).
Enable the rule:
echo "include /etc/snort/rules/ddos.rules" >> /etc/snort/snort.conf

Restart Snort:
sudo systemctl restart snort

📌 Example 2: Suricata Rule for Detecting SQL Injection

Add the following rule to /etc/suricata/rules/sql_injection.rules:
alert http any any -> any any (msg:"SQL Injection Attempt Detected";
content:"SELECT"; nocase; http_uri; sid:1000002;)

🚀 Explanation:
• Detects SQL keywords in HTTP traffic (common in SQL injection).
Enable the rule:
echo "include /etc/suricata/rules/sql_injection.rules" >>
/etc/suricata/suricata.yaml
Restart Suricata:
sudo systemctl restart suricata

3.3 Setting Up Alerts and Logging Mechanisms

Enable Snort Alerts
sudo tail -f /var/log/snort/alert

Enable Suricata Logs

sudo tail -f /var/log/suricata/fast.log

Enable Zeek Logging

sudo tail -f /var/log/zeek/current/conn.log

🚀 Expected Outcome:
• Alerts appear when an attack pattern is detected.
• Security teams can analyze logs for forensics.

Conclusion
• IDS placement is critical: Perimeter for external threats, Internal for lateral
movements.
• Inline IPS blocks threats, while Passive IDS only detects.
• Open-source IDS tools (Snort, Suricata, Zeek, OSSEC, Wazuh) offer cost-effective
security.
• Hands-on configuration of IDS rules helps detect DDoS, SQL Injection, and other
attacks.
• Logging & alerting mechanisms ensure real-time monitoring.

Next Steps
• Experiment with advanced IDS/IPS rules.
• Integrate IDS/IPS with SIEM solutions like Wazuh or Splunk.
• Explore machine learning-based anomaly detection.
🚀 By mastering IDS/IPS deployment strategies, you build a strong cybersecurity defense
against evolving threats! 🔐
======================================================================
Module 4: Intrusion Detection Mechanisms
Intrusion Detection Systems (IDS) employ various detection mechanisms to identify malicious
activities. These mechanisms can be signature-based, anomaly-based, or hybrid approaches that
combine both. This module provides an in-depth understanding of these mechanisms, including
their strengths, weaknesses, and real-world implementation.

Functioning of Intrusion Detection System (IDS)

• Definition: An IDS is a network security tool that monitors system and network traffic for
suspicious activity and known threats.
• Detection Types:
• Signature-Based Detection: Matches known patterns (signatures) of threats.
• Anomaly-Based Detection: Detects deviations from normal behavior using
statistical or AI models.
• Types of IDS:
• Network-Based IDS (NIDS) – Monitors network traffic (e.g., Snort).
• Host-Based IDS (HIDS) – Monitors system-level behavior and logs.
• Functionality Workflow:
• Traffic Capture: IDS monitors all incoming/outgoing packets.
• Analysis: Compares packet data to rule sets or behavior models.
• Alert Generation: Triggers alerts if suspicious activity is detected.
• Logging: Stores logs for review or automated response.
• Response: Passive (alert only) or active (integrated with IPS).

Snort as an IDS
• Snort is a powerful open-source NIDS used for real-time traffic analysis and packet logging.
• Modes of Operation:
• Sniffer Mode: Reads network packets and displays them.
• Packet Logger Mode: Logs packets to a file.
• Network Intrusion Detection Mode: Monitors and analyzes traffic against a set of
rules.
• Detection Engine: Uses rule-based inspection to match network traffic against a list of
defined attack signatures.

Important Configuration Files in Snort

1. snort.conf (Main Configuration File)

• Located typically at /etc/snort/snort.conf.

• Contains:
• Variable definitions (HOME_NET, EXTERNAL_NET)
 • Preprocessor settings
• Output plugins
• Rule path and rule set loading
• Logging and alerting options
2. Rules Directory
• Contains .rules files like icmp.rules, dns.rules, etc.
• Each file contains detection rules for specific protocol-based attacks.
3. Preprocessor Configuration
• Enables plugins like frag3, stream5, http_inspect.
• Enhances detection accuracy for fragmented, reassembled, or tunneled traffic.
4. Classification and Reference Files
• classification.config: Maps rule priorities (e.g., trojan-activity).
• reference.config: Adds URLs or IDs for external references to attacks (e.g.,
CVE links).

Snort Rule Syntax

Basic rule format:
action protocol src_ip src_port -> dst_ip dst_port (rule options)

Components of a Snort Rule:

1. Rule Header:
• action: alert, log, pass, drop, reject, sdrop
• protocol: tcp, udp, icmp, or ip
• source IP and source port
• direction operator: -> or <->
• destination IP and destination port

Example:
alert tcp any any -> 192.168.1.0/24 80 (msg:"HTTP access detected";
sid:100001; rev:1;)

2. Rule Options (inside parentheses):

• msg: Message shown in alert
• sid: Snort rule ID (must be unique)
• rev: Revision number of the rule
• content: Payload content to match
• depth and offset: Byte search boundaries
• classtype: Category of the alert
• priority: Alert priority level
• reference: External reference (CVE, Bugtraq, etc.)
 Example:
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 \
(msg:"FTP root login attempt"; content:"USER root"; nocase; sid:1000002;
rev:1;)

Additional
1. Signature-Based Detection
Signature-based detection is the most widely used method in IDS/IPS solutions. It matches known
attack patterns (signatures) against network traffic or system logs.

1.1 Understanding IDS Rules

📌 How Signature-Based IDS Works:
• IDS maintains a database of known attack patterns (signatures).
• It inspects network packets, log files, or system behavior.
• If a pattern matches a known attack, it triggers an alert.
🚀 Example IDS Tools Using Signature-Based Detection:
• Snort (Network-based IDS)
• Suricata (High-performance IDS)
• OSSEC (Host-based IDS)

1.2 Creating Custom IDS Rules

Custom IDS rules allow security teams to detect specific threats within their network.

📌 Example 1: Snort Rule for Detecting a Brute Force Attack

Add the following rule to /etc/snort/rules/bruteforce.rules:
alert tcp any any -> any 22 (msg:"Brute Force SSH Attempt"; flags:S;
threshold:type both, track by_src, count 5, seconds 10; sid:100001;)

🚀 Explanation:
• Monitors TCP traffic on port 22 (SSH).
• If an IP sends 5 SYN packets in 10 seconds, it generates an alert.
✅ Steps to Activate the Rule:
echo "include /etc/snort/rules/bruteforce.rules" >> /etc/snort/snort.conf
sudo systemctl restart snort

📌 Example 2: Suricata Rule for Detecting SQL Injection

Add this rule to /etc/suricata/rules/sql.rules:
alert http any any -> any any (msg:"SQL Injection Attempt"; content:"SELECT";
nocase; http_uri; sid:100002;)
🚀 Explanation:
• Triggers an alert if HTTP traffic contains SQL keywords (like SELECT).

✅ Activate the rule:

echo "include /etc/suricata/rules/sql.rules" >> /etc/suricata/suricata.yaml
sudo systemctl restart suricata

1.3 False Positives and False Negatives in Signature-Based IDS

Metric Definition Example
False IDS incorrectly detects a legitimate Normal SSH login flagged as a brute force
Positive activity as an attack. attack.
False Attackers modify an SQL injection payload to
IDS fails to detect a real attack.
🚀
Negative bypass signature detection.
Mitigation Strategies:
• Fine-tune IDS rules to reduce noise.
• Regularly update signature databases to detect evolving threats.
• Combine signature-based IDS with anomaly-based detection.

2. Anomaly-Based Detection
Unlike signature-based detection, anomaly-based IDS (AIDS) identifies unusual behavior instead
of relying on predefined attack patterns.

2.1 Machine Learning and AI in IDS

📌 How It Works:
• IDS learns normal behavior using machine learning (ML) algorithms.
• It detects deviations from normal activity.
• If traffic significantly deviates from normal patterns, it flags it as suspicious.
🚀 Example ML Techniques Used in IDS:
Technique Purpose
Supervised Learning Trains IDS on labeled attack datasets to classify threats.
Unsupervised Learning Identifies anomalies without labeled data (e.g., clustering).

✅
Deep Learning (AI-based IDS) Uses neural networks to detect sophisticated attacks.
Example Tools Using ML for IDS:
• Darktrace (AI-based IDS)
• Zeek (Bro IDS) (Network behavior analysis)
• OpenAI Cybersecurity Models (AI-driven security)
2.2 Behavioral Analysis and Pattern Recognition
📌 Behavioral-based IDS focuses on monitoring user activity:
• Detects deviations in login patterns (e.g., sudden access from a different country).
• Identifies unusual data transfers (e.g., massive file downloads outside office hours).
• Tracks network traffic anomalies (e.g., sudden spikes in connections).
🚀 Real-world Example:
• A normal user logs in between 9 AM – 5 PM daily.
• One day, an unusual login occurs at 2 AM from another country.
• Anomaly-based IDS flags this activity as suspicious.
✅ Use Cases:
• Detecting insider threats.
• Identifying zero-day attacks.
• Spotting lateral movement in Advanced Persistent Threats (APTs).

2.3 Detecting Unknown Attacks Using Anomaly-Based IDS

📌 Benefits of Anomaly-Based Detection:
• Can detect zero-day exploits (unknown vulnerabilities).
• Does not rely on signature updates.
• Works well in complex and evolving attack landscapes.
🚀 Challenges & Mitigations:
Challenge Solution
High false positive rate Tune anomaly detection thresholds.
Requires more processing power Use AI-driven solutions for optimization.
Complex configuration Implement hybrid detection (signature + anomaly).

3. Hybrid Detection Mechanisms

A hybrid IDS combines signature-based detection (fast & accurate) with anomaly-based
detection (intelligent & adaptive).

3.1 Combining Signature-Based and Anomaly-Based Methods

📌 Hybrid IDS Workflow:
1. Signature-based IDS scans first (quickly detects known threats).
2. If no signature matches, anomaly-based IDS evaluates traffic behavior.
3. If an anomaly is detected, further analysis is performed.
🚀 Example of Hybrid IDS Solutions:
• Suricata + Zeek
• Suricata uses signatures for known threats.
 • Zeek detects behavioral anomalies in network traffic.
✅ Benefits of Hybrid IDS:
Advantage Description
Reduced false positives Signature-based IDS filters out common traffic.
Detects zero-day threats Anomaly-based IDS catches new attack techniques.
Faster response Automated correlation of IDS alerts for quicker analysis.

3.2 Role of Heuristic Analysis in IDS

📌 What is Heuristic Analysis?
• Uses pattern recognition and probability models to detect suspicious behavior.
• Helps IDS detect variants of malware even if the exact signature is not available.
🚀 Example Use Case:
• A new type of ransomware is spreading.
• Signature-based IDS cannot detect it since it's new.
• Heuristic-based IDS flags suspicious file encryption behavior and generates an alert.
✅ Tools That Use Heuristics for IDS:
• CrowdStrike Falcon (AI-driven security).
• Zeek (Behavioral & heuristic analysis).

Conclusion
• Signature-based IDS is effective against known attacks but fails with zero-days.
• Anomaly-based IDS detects unknown threats but has higher false positives.
• Hybrid IDS solutions (like Suricata + Zeek) provide better accuracy and security.
• Machine Learning & AI are revolutionizing IDS, making them more adaptive.
• Heuristic-based detection helps identify evolving threats before widespread outbreaks.

Hands-on Lab: Implementing Hybrid IDS

💻 Objective: Configure Suricata (Signature-based) + Zeek (Anomaly-based) Hybrid IDS.
Step 1: Install Suricata & Zeek
sudo apt update
sudo apt install suricata zeek -y

Step 2: Enable Suricata Signature-based Detection

sudo suricata -c /etc/suricata/suricata.yaml -i eth0
Step 3: Enable Zeek for Anomaly-based Monitoring
sudo zeekctl deploy

Step 4: Monitor Alerts

tail -f /var/log/suricata/fast.log
tail -f /var/log/zeek/current/conn.log

🚀 Expected Outcome:
• Suricata alerts on known attacks.
• Zeek detects unusual traffic patterns.

🚀🔐
By mastering intrusion detection mechanisms, you strengthen your cybersecurity defenses
against evolving threats!
=======================================================================
================

Module 5: Intrusion Prevention and Response

Intrusion Prevention Systems (IPS) proactively block cyber threats and help organizations
mitigate security incidents before they cause damage. This module covers IPS prevention
techniques, incident response strategies, and real-world case studies demonstrating how
IDS/IPS helps in cybersecurity defense.

1. IPS Prevention Techniques

IPS enhances security by blocking malicious traffic in real time. It uses several techniques to
inspect, filter, and prevent attacks.

1.1 Packet Filtering and Deep Packet Inspection (DPI)

📌 Packet Filtering:
• Examines header information of packets.
• Uses rules and ACLs (Access Control Lists) to allow or block traffic.
• Works at Layer 3 (IP) and Layer 4 (Transport Layer - TCP/UDP).
✅ Example: Firewall-based Packet Filtering
iptables -A INPUT -p tcp --dport 22 -j DROP

• Blocks all SSH traffic to the server on port 22.

📌 Deep Packet Inspection (DPI):
• Analyzes full packet content (not just headers).
 • Detects malware, unauthorized protocols, or data leaks.
• Works at Layer 7 (Application Layer).
✅ Example: DPI Usage in IPS
• Detecting malicious payloads in HTTP traffic.
• Blocking encrypted command-and-control traffic used by malware.
• Preventing data exfiltration (e.g., credit card theft via HTTP POST requests).
🚀 Best Practice: Combine Packet Filtering & DPI for a multi-layered defense.
1.2 Automated Attack Mitigation Techniques
📌 IPS takes automatic actions to block threats, including:
1. Blocking malicious IPs using threat intelligence databases.
2. Rate limiting suspicious traffic (e.g., DDoS attack mitigation).
3. Updating firewall rules dynamically when an attack is detected.
4. Terminating suspicious user sessions (e.g., brute force login attempts).
✅ Example: Suricata IPS Blocking Malicious Traffic
alert http any any -> any any (msg:"SQL Injection Attempt Detected";
content:"UNION SELECT"; nocase; sid:10001; drop;)

• This rule detects and drops HTTP traffic containing SQL injection attempts.
🚀 Best Practice: Use IPS automation to reduce manual response time.
1.3 IDS vs. IPS Decision Making (Passive vs. Active Response)
📌 IDS (Passive) vs. IPS (Active) Comparison
Feature IDS (Intrusion Detection System) IPS (Intrusion Prevention System)
Function Monitors & detects attacks Detects & prevents attacks
Response Passive (alerts admin) Active (blocks malicious traffic)
Impact on Traffic No interference May introduce latency
Placement Network tap or SPAN port Inline with network flow

✅
Example Snort (IDS mode) Suricata (IPS mode)
When to Choose IDS vs. IPS
• Use IDS when monitoring internal networks for insider threats.
• Use IPS when securing perimeter networks (e.g., firewalls + IPS).
🚀 Best Practice: Combine IDS & IPS for layered threat detection and prevention.
2. Incident Response and Threat Mitigation
When IDS alerts indicate an attack, security teams must respond quickly. This section covers the
incident response process, SOC operations, and real-world attack handling.

2.1 Steps in Handling IDS Alerts (Triage, Analysis, Response)

📌 Step 1: Alert Triage
• Prioritize alerts based on severity.
• Filter out false positives to avoid alert fatigue.
• Example: A single failed login attempt is low priority, but 10,000 failed logins from
different locations indicate brute force.
📌 Step 2: Threat Analysis
• Investigate logs & packet captures to confirm threats.
• Use threat intelligence (IP reputation lists, MITRE ATT&CK framework).
• Example: Analyzing Suricata fast.log to check malicious traffic:
cat /var/log/suricata/fast.log

📌 Step 3: Incident Response

• Contain the attack (e.g., block attacker IP, disable compromised accounts).
• Mitigate damage (e.g., update firewall rules, deploy patches).
• Document and improve security policies for future protection.
🚀 Best Practice: Use SIEM (Security Information & Event Management) to correlate IDS
alerts with logs and automate responses.

2.2 SOC Operations and IDS/IPS Integration in Incident Handling

📌 Security Operations Center (SOC) Responsibilities:
• Monitor security alerts from IDS, IPS, firewalls, and SIEM.
• Investigate security incidents and take action.
• Perform forensic analysis to trace attack origins.
• Coordinate incident response with cybersecurity teams.
🚀 Example: How a SOC Handles an IDS Alert
1. IDS detects an SSH brute-force attack.
2. SOC analysts verify the attack using logs.
3. IPS automatically blocks the attacker's IP address.
4. SOC updates firewall policies to prevent future attacks.
✅ SOC Tools for IDS/IPS Integration
• SIEM Solutions: Splunk, Wazuh, IBM QRadar.
• Threat Intelligence Platforms: AlienVault OTX, Cisco Talos.
🚀 Best Practice: Integrate IDS/IPS with SIEM for faster threat response.
2.3 Case Studies on Real-World Attacks and Responses
Case Study 1: DDoS Attack on an E-commerce Website
📌 Scenario:
• Attackers launched a botnet-driven DDoS attack on a shopping website.
• The IDS detected excessive requests from multiple IPs.
🚀 Response:
1. SOC identified attack patterns using Suricata logs.
2. IPS applied rate limiting to block suspicious traffic.
3. Cloudflare Web Application Firewall (WAF) mitigated HTTP flood attacks.
4. Threat intelligence blocked known botnet IPs.
✅ Outcome: The website remained operational with minimal disruption.
Case Study 2: SQL Injection Attack on a Financial Database
📌 Scenario:
• An attacker tried to extract customer data using SQL injection.
• The IDS detected "SELECT * FROM users" in HTTP requests.
🚀 Response:
1. IPS blocked malicious queries in real-time.
2. SOC performed forensic analysis on affected systems.
3. Developers applied input validation to fix the vulnerability.
4. Database access logs were reviewed for further investigation.
✅ Outcome: The attack was stopped before customer data was leaked.
Case Study 3: Ransomware Infection in a Corporate Network
📌 Scenario:
• A phishing email tricked an employee into downloading ransomware.
• The ransomware encrypted company files and demanded payment.
🚀 Response:
1. IDS detected suspicious PowerShell activity on the infected system.
2. IPS isolated the infected machine to prevent lateral movement.
3. SOC restored data from backups and reset employee credentials.
4. Security awareness training was provided to prevent future incidents.
✅ Outcome: The ransomware attack was contained without paying ransom.
Conclusion
• IPS prevents attacks using packet filtering, DPI, and automated mitigation.
• IDS alerts require triage, analysis, and response to handle security incidents.
• SOC teams integrate IDS/IPS with SIEM for better threat detection and faster
response.
• Real-world case studies demonstrate how IDS/IPS prevent security breaches.

Hands-on Lab: Configuring IPS for Attack Prevention

💻 Objective: Deploy Suricata as an IPS to block SQL injection.
Step 1: Install Suricata
sudo apt update
sudo apt install suricata -y

Step 2: Enable IPS Mode

Edit /etc/suricata/suricata.yaml:
outputs:
- drop:
enabled: yes

Restart Suricata:
sudo systemctl restart suricata

Step 3: Test IPS Blocking

Run SQL injection attack:
curl -A "MaliciousBot" http://victim-site.com/index.php?id=1' OR '1'='1

🚀 Expected Outcome:
• Suricata should block the request.
• Alert logs should confirm an SQL injection attempt.

🚀🔐
By mastering intrusion prevention and response, you can build a resilient cybersecurity defense
against real-world threats!
=======================================================================
===================
Module 6: Advanced Threat Detection and AI-
driven IDS
With cyber threats evolving rapidly, traditional IDS/IPS mechanisms struggle to detect
sophisticated attacks. This module explores AI-driven intrusion detection, real-time threat
hunting, and evasion techniques used by attackers. By integrating machine learning (ML) and
artificial intelligence (AI), IDS/IPS can predict, detect, and respond to advanced threats more
effectively.

1. Machine Learning & AI in IDS/IPS

AI and ML enhance IDS by analyzing vast amounts of network traffic and identifying complex
attack patterns beyond traditional signature-based methods.

1.1 Supervised vs. Unsupervised Learning for Anomaly Detection

📌 How ML Detects Threats:
• Supervised Learning: Uses labeled datasets (e.g., "malicious" vs. "benign" traffic) to train
IDS models.
• Unsupervised Learning: Identifies anomalies in network behavior without predefined
labels.

Type Function Use Case Example Algorithms

Supervised Learns from past attack data to Email phishing Decision Trees, Random
Learning classify threats detection Forest, SVM
Unsupervised Identifies unknown attacks by Zero-day attack K-Means Clustering,
Learning detecting unusual patterns detection Isolation Forest
Deep Learning Learns from large datasets to Advanced malware Neural Networks

🚀
(AI) adapt to new threats detection (LSTM, CNN)
Example AI-based IDS Tools:
• IBM Watson for Cybersecurity (AI-driven threat intelligence)
• Darktrace (AI-powered anomaly detection)
• Vectra AI (Behavioral-based threat detection)

1.2 AI-Based Threat Intelligence Platforms

📌 Threat intelligence platforms (TIPs) use AI to:
1. Aggregate data from multiple sources (e.g., security feeds, IDS logs, honeypots).
2. Identify threat patterns across networks.
3. Predict emerging threats before they cause damage.
✅ Example Threat Intelligence Platforms:
• CrowdStrike Falcon – AI-driven endpoint protection.
 • Cisco Talos – Real-time threat intelligence.
• AlienVault OTX – Community-based cyber threat sharing.
🚀 Best Practice: Integrate AI-driven threat intelligence with IDS for proactive defense.
2. Threat Hunting using IDS
Threat hunting is a proactive approach to detect cyber threats before they trigger alerts.

2.1 Real-time Threat Hunting Techniques

📌 How Threat Hunting Works:
1. Collect IDS logs and analyze network behavior.
2. Use threat intelligence to correlate suspicious patterns.
3. Manually investigate anomalies that bypass automated IDS alerts.
✅ Threat Hunting Methods:
Technique Function Example
Identifies deviations from normal Abnormal login attempts from
Behavioral Analysis
activity multiple locations
Indicators of
Matches known attack signatures IPs associated with botnets
Compromise (IoC)
Threat Intelligence Matching IDS alerts with external
Cross-references attack patterns
🚀
Correlation threat feeds
Example Tools for Threat Hunting:
• Zeek (Bro IDS) – Network behavior analysis.
• Wazuh – SIEM + HIDS integration.
• Splunk – Log correlation and forensic analysis.

2.2 Using IDS Logs for Forensic Investigations

📌 Incident Response Workflow:
1. Extract IDS logs for analysis:
cat /var/log/suricata/fast.log | grep "ALERT"

2. Analyze attack patterns using forensic tools (e.g., Wireshark, Zeek).

3. Trace the attack timeline to determine entry points and affected systems.
4. Generate a report and apply security fixes.
🚀 Best Practice: Store IDS logs for at least 6 months for forensic audits.
3. Evasion Techniques and Anti-IDS Strategies
Attackers use evasion techniques to bypass IDS detection. Understanding these techniques helps
security teams develop countermeasures.

3.1 IDS Evasion using Polymorphic Attacks

📌 Polymorphic Malware:
• Changes code structure while keeping functionality intact.
• Encrypts payloads to evade signature-based IDS.
• Uses code obfuscation to bypass detection.
🚀 Example Evasion Tactics:
• Metasploit encoding: Attackers encode payloads to avoid IDS detection.
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5

• Packing & Encryption: Malware compresses itself to change signatures dynamically.

✅ Countermeasures:
• Use anomaly-based IDS (e.g., Zeek) instead of relying only on signature detection.
• Deploy sandboxing to analyze suspicious files before execution.

3.2 Encrypted Traffic Analysis for Intrusion Detection

📌 Challenges with Encrypted Traffic:
• Traditional IDS cannot inspect encrypted payloads.
• Attackers use TLS encryption to hide malicious communication.
• VPNs and proxies can be used to mask attacker locations.
🚀 Solutions for Encrypted Threat Detection:
Method Function
TLS Fingerprinting Identifies anomalies in encrypted traffic patterns.
SSL Inspection Decrypts traffic for IDS analysis (requires proper security policies).

✅
Machine Learning (AI) Detects encrypted command-and-control (C2) traffic.
Example Tool: Zeek (Bro IDS) can analyze TLS certificates and anomalies:
cat /var/log/zeek/ssl.log | grep "self-signed"

🚀 Best Practice: Use AI-driven traffic analysis to detect encrypted threats.

3.3 Countering IDS Evasion Techniques
Attackers often modify attack payloads to bypass IDS detection. Security teams must counter
evasion techniques effectively.
✅ Best Practices to Counter IDS Evasion:
 Evasion Tactic Countermeasure
Polymorphic Malware Use heuristic and anomaly-based IDS.
Encrypted Traffic Deploy TLS fingerprinting and AI-based analysis.
Fragmented Packets Enable reassembly features in IDS (e.g., Suricata).

🚀
Slow-rate Attacks Monitor low & slow attacks using behavior-based detection.
Example: Enabling IDS Fragment Reassembly in Suricata
stream:
reassembly:
enabled: yes

✅ Outcome: IDS can detect fragmented attack payloads.

Conclusion
• Machine learning & AI improve IDS accuracy by detecting unknown threats.
• Threat hunting with IDS helps proactively detect attackers before breaches occur.
• Polymorphic malware and encrypted traffic challenge traditional IDS, requiring AI-
driven detection.
• Countering IDS evasion techniques ensures stronger network security.

Hands-on Lab: AI-Based Threat Detection using Zeek

💻 Objective: Use Zeek IDS to analyze anomalous traffic patterns.
Step 1: Install Zeek
sudo apt update
sudo apt install zeek -y

Step 2: Start Zeek Monitoring

sudo zeekctl deploy

Step 3: Analyze Encrypted Traffic for Anomalies

cat /var/log/zeek/ssl.log | grep "self-signed"

🚀 Expected Outcome: Identifies self-signed certificates often used in phishing and malware
C2 communication.

Next Steps
• Integrate AI-powered SIEM tools (e.g., Splunk, ELK Stack) with IDS logs.
• Deploy AI-based anomaly detection models to improve security posture.
• Use Zeek for threat hunting in encrypted traffic scenarios.
🚀 By mastering AI-driven IDS, you enhance security posture against evolving cyber
threats! 🔐
=======================================================================
============

Module 7: IDS and IDP in Cloud and IoT

Security
As enterprises move their infrastructure to the cloud and deploy IoT devices in critical sectors,
intrusion detection and prevention strategies must evolve. This module explores cloud-based
IDS/IPS, IoT security challenges, and AI-driven intrusion detection solutions.

1. Cloud-Based IDS & IDP

Cloud environments introduce unique security challenges, such as dynamic IP addressing,
encryption, and lack of visibility. Traditional IDS/IPS solutions struggle to monitor, detect, and
respond to cloud-based threats effectively.

1.1 Challenges in Cloud Intrusion Detection

📌 Why is IDS/IPS in the Cloud Difficult?
Challenge Explanation
Traditional IDS monitors on-prem traffic, but cloud workloads often
Lack of Visibility
lack packet-level access.
Shared Responsibility Cloud providers secure infrastructure, but customers must secure
Model applications and data.
Most cloud traffic is encrypted (HTTPS, TLS), making deep packet
Encrypted Traffic
inspection difficult.
Cloud workloads scale up/down dynamically, making IDS sensor
Dynamic Scaling
deployment complex.
Multi-Tenant Public cloud hosts multiple customers, making cross-tenant attacks

🚀
Environments difficult to detect.
Mitigation Strategies:
• Deploy agent-based IDS/IPS for host-level monitoring.
• Use cloud-native security services to gain visibility.
• Leverage AI-driven behavioral detection for anomaly-based intrusion detection.

1.2 Cloud-Native IDS Solutions

Public cloud providers offer built-in IDS/IPS solutions that integrate with cloud security services.
 Cloud Native IDS
Key Features
Provider Solution
AI-driven, detects compromised instances, integrated with
AWS GuardDuty
AWS Security Hub.
Azure Azure Sentinel Cloud SIEM, correlates IDS logs with threat intelligence.
Chronicle
Google Cloud Scalable threat detection, integrates with SIEM & IDS.
✅
Security
Example: Configuring AWS GuardDuty for Intrusion Detection
1. Enable GuardDuty in AWS Console.
2. Set up CloudTrail logging to capture user activities.
3. Monitor GuardDuty alerts for suspicious activity (e.g., unusual API calls, brute force
attempts).
4. Automate remediation using AWS Lambda functions.
🚀 Best Practice: Integrate cloud IDS with SIEM (e.g., Splunk, IBM QRadar) for centralized
threat analysis.

2. IDS for IoT Security

IoT (Internet of Things) devices are widely used in critical sectors (e.g., healthcare, smart cities,
industrial systems) but lack built-in security, making them prime targets for cyberattacks.

2.1 Challenges in IoT Intrusion Detection

📌 Why is IoT Security Difficult?
Challenge Explanation
IoT devices have low CPU, memory, and storage, limiting IDS
Limited Resources
capabilities.
Diverse Protocols Uses MQTT, CoAP, Zigbee, unlike traditional TCP/IP networks.
IoT devices come from multiple vendors with inconsistent security
Device Heterogeneity
standards.
Weak Authentication Many IoT devices have default passwords and lack encryption.

🚀
Firmware Exploits IoT devices often run outdated firmware with unpatched vulnerabilities.
Mitigation Strategies:
• Deploy lightweight IDS solutions optimized for low-power IoT devices.
• Use behavioral anomaly detection to identify deviations in normal IoT traffic.
• Implement AI-driven intrusion detection to detect real-time IoT threats.

2.2 Lightweight IDS for IoT Devices

Traditional IDS solutions cannot run on low-power IoT devices. Lightweight IDS solutions
provide efficient, real-time threat detection.
✅ Examples of Lightweight IDS for IoT:
 Tool Type Use Case
Kaliot Host-based IDS Monitors logs & firmware integrity.
SVELTE Network-based IDS Detects IoT botnets & malware.

📌
Arduino-based IDS Anomaly-based IDS Detects suspicious traffic on IoT networks.
How Lightweight IDS Works:
• Monitors network traffic using signature & anomaly-based methods.
• Uses minimal system resources to avoid device overload.
• Alerts admins when IoT devices show abnormal behavior.
✅ Example: Deploying SVELTE IDS for IoT Security
1. Install SVELTE on an IoT gateway (Raspberry Pi, Linux server).
2. Monitor IoT network traffic for unusual activity.
3. Block IoT malware (e.g., Mirai botnet) using IDS rules.
4. Send alerts to SIEM for analysis.
🚀 Best Practice: Use lightweight IDS in combination with network monitoring to detect
compromised IoT devices.

2.3 AI-driven IDS for IoT Threat Detection

AI-powered IDS is essential for IoT security due to complex attack patterns and evolving
threats.
📌 How AI-based IDS Works in IoT:
1. Analyzes IoT device behavior to detect anomalies.
2. Identifies malicious traffic using ML-based classification.
3. Correlates IoT logs with global threat intelligence.
✅ Examples of AI-Driven IoT IDS Solutions:
Tool AI Technique Use Case
Machine learning-based anomaly
Darktrace for IoT Identifies IoT malware & APTs.
detection
Azure IoT Defender AI-driven behavioral analysis Detects IoT device tampering.
Google Chronicle for Identifies IoT network
AI-based threat intelligence
🚀
IoT anomalies.
Example: Deploying AI-based IDS for IoT Security
1. Integrate Darktrace with IoT network.
2. Monitor AI-generated alerts for abnormal IoT behavior.
3. Use automated response mechanisms (e.g., quarantine infected IoT devices).
4. Improve IoT security policies based on threat intelligence.
Conclusion
• Cloud-based IDS (AWS GuardDuty, Azure Sentinel, Google Chronicle) provides real-
time monitoring for cloud security.
• IoT security requires lightweight IDS solutions (e.g., SVELTE, Kaliot) to detect device-
level intrusions.
• AI-driven IDS improves IoT threat detection by analyzing behavior patterns and using
real-time threat intelligence.
• Cloud & IoT intrusion detection must adapt to modern attack vectors, requiring hybrid
AI-based approaches.

Hands-on Lab: Implementing Cloud & IoT IDS

💻 Objective: Deploy AWS GuardDuty (Cloud IDS) & SVELTE (IoT IDS).
Step 1: Enable AWS GuardDuty for Cloud Intrusion Detection
1. Log in to AWS Console.
2. Go to GuardDuty → Click Enable GuardDuty.
3. Monitor GuardDuty alerts for suspicious API activity.
4. Automate responses using AWS Lambda.

Step 2: Install SVELTE for IoT Threat Detection

git clone https://github.com/secure-iot/svelte.git
cd svelte
sudo ./install.sh

• Monitors IoT network traffic for botnets and malware.

• Logs intrusion attempts for further analysis.
🚀 Expected Outcome:
• AWS GuardDuty detects unusual cloud activities (e.g., API brute force attempts).
• SVELTE identifies IoT malware behavior and alerts admins.

Next Steps
• Integrate AI-based IDS into IoT environments for advanced anomaly detection.
• Deploy hybrid cloud-IoT security solutions to detect threats across multiple
environments.
• Use SIEM tools (Splunk, Wazuh) to correlate cloud & IoT security logs.
🚀 By mastering cloud and IoT IDS, you enhance your ability to detect and prevent modern
cyber threats! 🔐
====================================================================
Module 8: IDS and IDP Hands-on Labs and
Case Studies
This module is designed to provide practical, hands-on experience with IDS and IPS tools
through guided labs. Additionally, we will analyze real-world cyberattacks and learn how IDS/IPS
solutions played a role in their detection and mitigation.

Lab 1: Installing and Configuring Snort

Objective: Install Snort, create custom rules, and analyze network traffic for threats.

Step 1: Install Snort

On Ubuntu/Debian:
sudo apt update
sudo apt install snort -y

On CentOS/RHEL:
sudo yum install snort -y

Check Snort version:

snort -V

Step 2: Writing Custom Snort Rules

📌 Create a custom rule file:
sudo nano /etc/snort/rules/custom.rules

✅ Example 1: Detecting PING (ICMP) Scans

alert icmp any any -> any any (msg:"ICMP Echo Request Detected"; sid:1000001;)

✅ Example 2: Detecting HTTP SQL Injection

alert tcp any any -> any 80 (msg:"SQL Injection Attempt"; content:"UNION
SELECT"; nocase; sid:1000002;)

Save the file and update snort.conf:

echo "include /etc/snort/rules/custom.rules" >> /etc/snort/snort.conf

Restart Snort:
sudo systemctl restart snort
Step 3: Detecting Malicious Traffic with Snort
📌 Simulate an attack (ICMP ping flood):
ping -c 5 <target_IP>

📌 Check Snort logs for alerts:

cat /var/log/snort/alert

🚀 Outcome: Snort detects and logs malicious activity.

Lab 2: Analyzing Network Traffic using Zeek (Bro IDS)
Objective: Use Zeek IDS to monitor network activity and analyze attack patterns.

Step 1: Install Zeek

sudo apt update
sudo apt install zeek -y

Verify installation:
zeek -version

Step 2: Start Zeek to Capture Network Traffic

Enable Zeek:
sudo zeekctl deploy

View active logs:

ls /var/log/zeek/current/

Step 3: Analyze Zeek Logs

📌 View HTTP Traffic Logs
cat /var/log/zeek/current/http.log

📌 Analyze SSL/TLS Traffic (for potential encrypted threats)

cat /var/log/zeek/current/ssl.log

📌 Monitor Suspicious Connections

cat /var/log/zeek/current/conn.log | grep -i "malicious_IP"

🚀 Outcome: Zeek monitors and logs network activity for further analysis.
Lab 3: Setting up Suricata for Real-time Intrusion Prevention
Objective: Install and configure Suricata as an IPS.

Step 1: Install Suricata

sudo apt update
sudo apt install suricata -y

Verify installation:
suricata -V

Step 2: Configure Suricata IPS Mode

Edit suricata.yaml to enable IPS:
sudo nano /etc/suricata/suricata.yaml

Enable drop rules:

outputs:
- drop:
enabled: yes

Restart Suricata:
sudo systemctl restart suricata

Step 3: Integrating Suricata with ELK (Elastic Stack)

📌 Install Filebeat to ship Suricata logs to ELK:
sudo apt install filebeat -y

Enable Suricata module:

sudo filebeat modules enable suricata
sudo filebeat setup
sudo systemctl restart filebeat

🚀 Outcome: Suricata detects attacks in real-time, and logs are visualized in Kibana.
Lab 4: SIEM & IDS Integration
Objective: Use Wazuh (SIEM) and Splunk to analyze IDS logs.

Step 1: Install Wazuh SIEM

curl -sO https://packages.wazuh.com/4.x/wazuh-install.sh
sudo bash wazuh-install.sh --wazuh-manager
Step 2: Integrate IDS Logs with Wazuh
📌 Monitor Snort & Suricata logs
sudo tail -f /var/ossec/logs/alerts/alerts.json

📌 Use Wazuh Dashboard for Threat Analysis

• Open Kibana UI (http://<Wazuh_IP>:5601).
• Navigate to Security Events → View IDS logs.
🚀 Outcome: Real-time IDS alerts are correlated and visualized in Wazuh SIEM.
Case Studies
Case Study 1: Analyzing the SolarWinds Supply Chain Attack
📌 What Happened?
• Attackers injected malicious code into SolarWinds Orion software updates.
• The backdoor (SUNBURST) allowed remote access to corporate networks.
📌 How IDS Could Have Detected the Attack ✅ Zeek IDS could analyze C2 communication
patterns. ✅ AI-based IDS could detect anomalous SolarWinds API activity.
🚀 Lesson Learned: Regularly monitor IDS logs for anomalous software behavior.
Case Study 2: How IDS Helped Detect the Log4j Vulnerability
📌 What Happened?
• Attackers exploited the Log4Shell vulnerability (CVE-2021-44228) to execute remote
code.
📌 How IDS Detected the Attack ✅ Suricata rules identified malicious Log4j payloads:
alert http any any -> any any (msg:"Log4Shell Attempt"; content:"jndi:ldap://";
sid:1000003;)

✅ Snort detected unusual outbound connections to attacker-controlled LDAP servers.

🚀 Lesson Learned: Signature-based IDS must be regularly updated with new attack
patterns.

Case Study 3: Learning from WannaCry and Ransomware Attacks

📌 What Happened?
• WannaCry used SMB vulnerabilities to spread ransomware worldwide.
📌 How IDS Prevented WannaCry Spread ✅ Snort rule for detecting SMB exploitation:
alert tcp any any -> any 445 (msg:"WannaCry SMB Exploit"; content:"ETERNALBLUE";
sid:1000004;)

✅ Zeek monitored outbound traffic for ransomware C2 connections.

🚀 Lesson Learned: Use IDS for detecting ransomware behavior in early attack phases.
Conclusion
🔹 Snort, Suricata, and Zeek are essential IDS tools for real-time network monitoring.
🔹 SIEM solutions (Wazuh, Splunk) improve IDS log analysis and threat intelligence
🔹 Real-world attacks like SolarWinds, Log4j, and WannaCry highlight the importance of
correlation.

IDS for threat detection.

🚀 By mastering IDS hands-on labs, you develop critical cybersecurity skills for detecting
modern threats! 🔐