Traffic forwarding for IDS update

2026-02-20 13:50:45 +00:00 · 2023-11-02 16:03:48 +00:00
parent f8797a6702
commit 2af273e8fd
6 changed files with 50 additions and 5 deletions
--- a/modules/utilities/unix/monitoring_ids/mirror_traffic_to_ids_iptables/manifests/install.pp
+++ b/modules/utilities/unix/monitoring_ids/mirror_traffic_to_ids_iptables/manifests/install.pp
@@ -9,5 +9,10 @@ class mirror_traffic_to_ids_iptables::install {
    path     => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ],
    command  => "iptables -t mangle -A PREROUTING -i `ls /sys/class/net | grep lo -v  | head -n1` -j TEE --gateway $ids_IP_address ; iptables-save > /etc/iptables/rules.v4",
    provider => shell,
+  }->
+  service { 'netfilter-persistent':
+    enable => true,
+    ensure => 'running',
+    provider => systemd,
  }
 }
--- a/modules/utilities/unix/monitoring_ids/mirror_traffic_to_ids_iptables/secgen_metadata.xml
+++ b/modules/utilities/unix/monitoring_ids/mirror_traffic_to_ids_iptables/secgen_metadata.xml
@@ -6,7 +6,15 @@
  <name>Mirror traffic to IDS via IPtables rules</name>
  <author>Z. Cliffe Schreuders</author>
  <module_license>Apache v2</module_license>
-  <description>Forwards all traffic to an IDS, such as Snort. Uses IPtables TEE feature.</description>
+  <description>
+    Forwards all INCOMING traffic to an IDS, such as Snort.
+    This approach means no special networking is required to get monitoring working.
+    However, because each VM only fowards on the traffic it RECEIVES, all VMs in
+    the scenario (including attackers) need this module, so that the IDS sees
+    all the traffic.
+    Snort needs checksums set to none.
+    Uses IPtables TEE feature.
+  </description>

  <type>ids_tools</type>
  <platform>linux</platform>
--- a/modules/utilities/unix/monitoring_ids/snort/templates/snort.debian.conf.erb
+++ b/modules/utilities/unix/monitoring_ids/snort/templates/snort.debian.conf.erb
@@ -15,9 +15,11 @@

 DEBIAN_SNORT_STARTUP="boot"
 DEBIAN_SNORT_HOME_NET="any"
-DEBIAN_SNORT_OPTIONS=""
+# The way we mirror traffic means that checksums needs to be disabled
+DEBIAN_SNORT_OPTIONS="-k none"

-# Our oVirt uses ens3, Proxmox uses ens18 change this if it's not the name of your interface
+# Our oVirt VMs use ens3, Proxmox uses ens18
+# Change this if it's not the name of your interface
 DEBIAN_SNORT_INTERFACE="ens18"

 DEBIAN_SNORT_SEND_STATS="true"
--- a/scenarios/labs/response_and_investigation/5_ids_rules.xml
+++ b/scenarios/labs/response_and_investigation/5_ids_rules.xml
@@ -6,7 +6,13 @@

  <name>IDS rules lab</name>
  <author>Z. Cliffe Schreuders</author>
-  <description>A Hackerbot lab. Work through the labsheet, then when prompted interact with Hackerbot. </description>
+  <description>
+    In this lab on Intrusion Detection and Prevention Systems, you will delve into the world of network security, learning how to configure and monitor a network using Snort, a popular open-source intrusion detection system. This lab will guide you through the process of setting up Snort, and creating custom intrusion detection rules.
+
+    Throughout this lab, you will gain hands-on experience in configuring Snort to monitor network traffic. You will learn how to create custom Snort rules to detect specific network activities, and use Wireshark to capture and analyze network packets. The lab will also present you with a series of Hackerbot challenges, where you will apply your knowledge to detect and respond to various network attacks. For example, you will create Snort rules to detect attempts to access specific ports, monitor unencrypted email authentication, and more. By the end of this lab, you will have a solid understanding of intrusion detection and prevention systems, as well as practical experience in configuring and monitoring them to safeguard your network from potential threats.
+
+    This is a Hackerbot lab. Work through the labsheet, then when prompted interact with Hackerbot.
+  </description>

  <type>ctf-lab</type>
  <type>hackerbot-lab</type>
@@ -354,6 +360,12 @@
        </generator>
      </input>
    </utility>
+    
+    <utility module_path=".*/mirror_traffic_to_ids_iptables">
+      <input into="ids_IP_address">
+        <datastore access="1">IP_addresses</datastore>
+      </input>
+    </utility>

    <network type="private_network" >
      <input into="IP_address">
--- a/scenarios/labs/response_and_investigation/6_exfiltration_detection.xml
+++ b/scenarios/labs/response_and_investigation/6_exfiltration_detection.xml
@@ -6,7 +6,13 @@

  <name>Exfiltration detection lab</name>
  <author>Z. Cliffe Schreuders</author>
-  <description>A Hackerbot lab. Work through the labsheet, then when prompted interact with Hackerbot. </description>
+  <description>
+    In this lab, you will delve into the critical realm of Data Loss Prevention (DLP) and exfiltration detection. Data loss prevention is a vital cybersecurity practice aimed at safeguarding sensitive information from unauthorized access or leakage. It is highly relevant in today's digital age, where data breaches and insider threats pose significant risks to organizations. This lab provides you with hands-on experience in setting up and configuring Snort, a popular Intrusion Detection System (IDS), to monitor network traffic and detect the unauthorized transfer of sensitive data.
+
+    In this lab, you will learn how to configure Snort to detect unauthorized data transfers and exfiltration. By editing Snort configuration files, you will set up monitoring rules that trigger alerts when sensitive data, like credit card details and national insurance numbers, are being transported over the network. You will also extend your rule to detect the transfer of a fake data file so that your rules are effective without revealing the actual sensitive content. To accomplish this, you'll explore various Snort rule techniques, such as text-based, regular expression-based, and hash-based matching, gaining an in-depth understanding of data loss prevention strategies. By the end of the lab, you'll have practical experience in setting up DLP measures using Snort, a valuable skill for protecting an organization's sensitive data assets.
+
+    This is a Hackerbot lab. Work through the labsheet, then when prompted interact with Hackerbot.
+  </description>

  <type>ctf-lab</type>
  <type>hackerbot-lab</type>
@@ -363,6 +369,12 @@
        </generator>
      </input>
    </utility>
+    
+    <utility module_path=".*/mirror_traffic_to_ids_iptables">
+      <input into="ids_IP_address">
+        <datastore access="1">IP_addresses</datastore>
+      </input>
+    </utility>

    <network type="private_network" >
      <input into="IP_address">
--- a/scenarios/labs/response_and_investigation/hacker_vs_hackerbot_2.xml
+++ b/scenarios/labs/response_and_investigation/hacker_vs_hackerbot_2.xml
@@ -351,6 +351,12 @@
      </input>
    </utility>

+    <utility module_path=".*/mirror_traffic_to_ids_iptables">
+      <input into="ids_IP_address">
+        <datastore access="1">IP_addresses</datastore>
+      </input>
+    </utility>
+
    <network type="private_network" >
      <input into="IP_address">
        <datastore access="3">IP_addresses</datastore>