I configured three VirtualBox VMs (2 vCPU, 4 GB RAM each) running Ubuntu 24.04 LTS:
Attacker Machine: 192.168.56.10
Tools: Metasploit Framework 6.4, Scapy, iPerf3
Snort Machine (Signature-based IDS): 192.168.56.20
Snort 3.1.58 with Emerging Threats Open Ruleset
Suricata Machine (Anomaly-based IDS): 192.168.56.30
Suricata 7.0.7 with anomaly detection enabled
All VMs were connected via an internal "testnet" network with promiscuous mode enabled to allow packet inspection.
Attack Simulation:
Known Exploit: Used Metasploit’s unix/misc/distcc_exec module to exploit a vulnerable DistCC service on the target machines:
msf > use exploit/unix/misc/distcc_exec
msf exploit(distcc_exec) > set RHOSTS 192.168.56.20
msf exploit(distcc_exec) > exploit
This exploit provided a shell on the target machine, simulating a real-world attack scenario.
Custom Traffic: Crafted malformed HTTP packets using Scapy to test anomaly detection capabilities.
Normal Traffic: Generated web and SSH traffic using iPerf3 and curl scripts to simulate benign activity.
Data Collection:
Monitored IDS alerts using logs from Snort and Suricata.
Measured CPU/RAM usage using htop.
Preliminary Results
Snort excelled at detecting known exploits but failed to identify novel traffic patterns without predefined rules.
Suricata successfully flagged some custom attacks through anomaly detection but produced more false positives during normal traffic simulations.
Resource usage was significantly higher on Suricata due to its deeper packet inspection and anomaly analysis capabilities.
Configuration Adjustments: Suricata required extensive tuning of anomaly thresholds to reduce false positives.
Attack Variety: Current tests focused on DistCC exploits; future tests will include a broader range of attack vectors.
Centralized Logging: Implement a custom logging script instead of relying on the built-in logging for Snort and Suricata, with performance metrics logged separately.
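As an added example (not code from the original write-up), the following Python script implements the unified logging idea from the Data Collection and Centralized Logging items: it parses Snort 3 alert_fast lines and Suricata eve.json alert and anomaly records into one schema, then counts per-sensor false positives by treating any detection that involves neither the attacker host (192.168.56.10) as source nor as destination as a false positive. The log lines are constructed samples, 192.168.56.40 is an assumed benign-traffic generator host, and the signature ids and messages are sample values; the field layouts follow the Snort alert_fast and Suricata eve.json formats.

```python
"""Normalise Snort 3 alert_fast lines and Suricata eve.json records into one
schema and compute a per-sensor false-positive rate against known attacker hosts."""
from __future__ import annotations

import json
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: two Snort 3 alert_fast lines (one with, one without the
# optional Classification field). Signature ids and messages are sample values.
SNORT_FAST = """\
01/29-10:12:45.123456 [**] [1:2100498:7] "GPL ATTACK_RESPONSE id check returned root" [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.56.20:3632 -> 192.168.56.10:44321
01/29-10:12:46.000001 [**] [1:1000001:1] "LOCAL DistCC command execution attempt" [**] [Priority: 1] {TCP} 192.168.56.10:44321 -> 192.168.56.20:3632
"""

# Constructed sample: Suricata eve.json lines. Only "alert" and "anomaly" records
# are detections; "flow" and "stats" are telemetry and must be skipped.
# 192.168.56.40 is an assumed benign traffic generator (curl/iPerf3 host).
SURICATA_EVE = """\
{"timestamp":"2025-01-29T10:12:47.000000+0000","event_type":"alert","src_ip":"192.168.56.10","src_port":44321,"dest_ip":"192.168.56.30","dest_port":3632,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"LOCAL DistCC command execution attempt","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2025-01-29T10:13:01.000000+0000","event_type":"anomaly","src_ip":"192.168.56.10","src_port":50000,"dest_ip":"192.168.56.30","dest_port":80,"proto":"TCP","anomaly":{"type":"applayer","event":"http.request_header_invalid"}}
{"timestamp":"2025-01-29T10:13:05.000000+0000","event_type":"flow","src_ip":"192.168.56.40","dest_ip":"192.168.56.30","proto":"TCP","flow":{"pkts_toserver":12,"pkts_toclient":10}}
{"timestamp":"2025-01-29T10:13:09.000000+0000","event_type":"alert","src_ip":"192.168.56.40","src_port":51000,"dest_ip":"192.168.56.30","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000002,"rev":1,"signature":"LOCAL curl User-Agent seen (policy)","category":"Potential Corporate Privacy Violation","severity":3}}
{"timestamp":"2025-01-29T10:13:10.000000+0000","event_type":"stats","stats":{"uptime":60}}
"""


@dataclass(frozen=True)
class Alert:
    """One detection in a sensor-independent schema."""
    sensor: str  # "snort" or "suricata"
    ts: str
    sid: int     # signature id; 0 for Suricata anomaly events, which carry none
    msg: str
    src: str
    dst: str
    proto: str


# alert_fast layout: ts [**] [gid:sid:rev] "msg" [**] [Classification: ...]? [Priority: n] {proto} src:port -> dst:port
# Ports are optional so ICMP alerts (which have none) still parse.
SNORT_FAST_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"(?P<msg>[^"]*)"\s+\[\*\*\]'
    r'(?:\s+\[Classification:[^\]]*\])?\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$'
)


def parse_snort_fast(text: str) -> list[Alert]:
    """Parse alert_fast lines; unparseable lines are skipped, not fatal."""
    alerts = []
    for line in text.splitlines():
        m = SNORT_FAST_RE.match(line.strip())
        if not m:
            continue
        alerts.append(Alert("snort", m["ts"], int(m["sid"]), m["msg"],
                            m["src"], m["dst"], m["proto"]))
    return alerts


def parse_suricata_eve(text: str) -> list[Alert]:
    """Parse eve.json (one JSON object per line); keep alert and anomaly events only."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated line at log rotation should not abort the batch
        kind = rec.get("event_type")
        if kind == "alert":
            sid, msg = rec["alert"]["signature_id"], rec["alert"]["signature"]
        elif kind == "anomaly":
            an = rec["anomaly"]
            sid, msg = 0, f"ANOMALY {an.get('type')} {an.get('event')}"
        else:
            continue  # flow, stats, http, dns, ... are telemetry, not detections
        alerts.append(Alert("suricata", rec["timestamp"], sid, msg,
                            rec.get("src_ip", ""), rec.get("dest_ip", ""), rec.get("proto", "")))
    return alerts


def summarize(alerts: list[Alert], attacker_hosts: set[str]) -> dict:
    """Per-sensor totals and false positives. A detection is counted as a false
    positive when neither endpoint is a known attacker host (i.e. it fired on
    the benign traffic simulation)."""
    summary = {}
    for sensor in sorted({a.sensor for a in alerts}):
        mine = [a for a in alerts if a.sensor == sensor]
        fps = [a for a in mine if a.src not in attacker_hosts and a.dst not in attacker_hosts]
        summary[sensor] = {
            "total": len(mine),
            "false_positives": len(fps),
            "fp_rate": round(len(fps) / len(mine), 3),
            "by_signature": dict(Counter(a.msg for a in mine)),
        }
    return summary


if __name__ == "__main__":
    detections = parse_snort_fast(SNORT_FAST) + parse_suricata_eve(SURICATA_EVE)
    print(json.dumps(summarize(detections, {"192.168.56.10"}), indent=2))
```

In the lab this would be pointed at Snort's alert_fast output and Suricata's eve.json instead of the embedded samples; keeping htop-style CPU/RAM samples in a separate file, as the item above proposes, avoids mixing telemetry into the detection count that the false-positive rate is computed over.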
Initial results indicate that Snort is more efficient for detecting known threats, while Suricata offers broader detection capabilities at the cost of higher resource consumption and false positives. Further testing will help refine these findings and provide actionable insights for IDS deployment in dynamic environments.