
Master 1 Cybersecurity

Academic year : 2023/2024

Tutored project

IN1 - IDS : Intrusion Detection Systems

Presented by :
AMRANE Lina
HAMADOUCHE Rayane
KHEMAMIL Sabrina

Work requested by :
M. LAHLOU karim
M. Senoussaoui Abdel

Table of contents

Introduction  3
CHAPTER 1 : State of the art  4
  1.1 Motivation : some threats and attacks  4
    1.1.1 Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks  4
    1.1.2 DNS Spoofing  4
    1.1.3 Man-in-the-Middle (MitM) Attacks  4
    1.1.4 Reverse Shell Attack  5
    1.1.5 Telnet Brute Force Attack  5
    1.1.6 Buffer Overflow Attack  5
    1.1.7 SQL injection Attack  5
  1.2 Network security  5
    1.2.1 Identity & Access Management - IAM  6
    1.2.2 Isolation  6
    1.2.3 Segmentation  7
    1.2.4 Traffic encryption  7
    1.2.5 Logs and journaling  7
    1.2.6 Redundancy  7
    1.2.7 Filtering  8
  1.3 Intrusion detection systems - IDS  9
    1.3.1 Definitions  9
    1.3.2 Some IDS solutions  9
    1.3.3 IDS in Action: Historical Case Studies  10
CHAPTER 2 : Network architecture - realization  11
  2.1 Selection of the network architecture  11
  2.2 Administration and configuration of the enterprise-grade architecture functionalities  13
  2.3 Implemented version of the network architecture  16
    2.3.1 Network configuration  16
      ❖ VLANs configuration  17
      ❖ Router Configuration and Inter-VLAN Routing  18
      ❖ DMZ Configuration and Web Server Setup  18
    2.3.2 pfSense Installation and configuration  20
    2.3.3 Snort configuration  22
CHAPTER 3 : Vulnerabilities, Attack Simulations, and Intrusion Detection with Snort  24
  3.1 Diagram of vulnerabilities  24
  3.2 Enhancing Network Security with pfSense Firewall Protection  24
    3.2.1 Building a Secure network with pfSense rules  24
    3.2.2 Preventing Reverse Shell Attacks: Testing Vulnerabilities Before Activating pfSense Rules  25
  3.3 Attack scenarios and security measures with Snort  28
    3.3.1 DoS attack (SYN flooding)  28
    3.3.2 SQL injection attack  30
    3.3.3 Port scan attack  33
Conclusion  35
ANNEXES  44
References  46
Introduction

In the current landscape of rapidly evolving cyber threats, ensuring robust network
security has become a paramount concern for organizations across the globe. As cyber
attackers continually develop new techniques to breach defenses, the need for advanced
detection mechanisms to identify and mitigate these threats is more critical than ever.
Intrusion Detection Systems (IDS) play a vital role in this defense strategy by monitoring
network traffic and alerting administrators to potential security incidents.

This report delves into the intricacies of IDS and the detection of simulated attacks,
aiming to provide a comprehensive understanding of both theoretical and practical aspects of
network security. The report is structured into three distinct chapters, each addressing a key
component of our study.

Chapter 1 lays the foundation by exploring various types of existing cyber attacks that
pose significant threats to network integrity. This chapter also discusses a range of
methodologies and best practices for securing a network against these threats. Additionally, it
provides an in-depth overview of Intrusion Detection Systems, highlighting their importance,
functionality, and different types.

Chapter 2 shifts focus to the practical implementation of network security by detailing
our network topology. This chapter describes the architecture of our network, including the
placement and configuration of devices, as well as the rationale behind the design choices
made to optimize security and efficiency.

Chapter 3 culminates our study with an examination of the simulation of attacks and
their detection using IDS. This chapter outlines the steps taken to simulate various attack
scenarios within our network and assesses the effectiveness of the IDS in identifying and
responding to these threats. Through this simulation, we aim to demonstrate the practical
application of IDS and highlight potential areas for improvement in network defense
strategies.

Together, these chapters provide a holistic view of network security, from
understanding fundamental threats to implementing and testing advanced detection systems.
Our report not only underscores the critical role of IDS in modern cybersecurity but also
offers practical insights into designing and maintaining a secure network infrastructure.

CHAPTER 1 : State of the art

1.1 Motivation : some threats and attacks


Network attacks encompass a wide range of malicious activities that exploit
vulnerabilities in network infrastructure, protocols and services to compromise the
confidentiality, integrity or availability of data and resources. The following is an overview
of some common network attacks:

1.1.1 Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks

A DoS attack aims to make a service unavailable to its legitimate users by exhausting
a resource of the target: bandwidth, connection tables, memory or CPU. A DDoS attack does
the same from many compromised devices at once (a botnet), so that the traffic comes from
many locations and cannot be stopped by blocking a single source [2].

One common technique is the SYN flood, which abuses the three-way handshake of the
TCP protocol. The attacker sends the target server a large volume of TCP SYN packets,
usually with spoofed source addresses, each requesting the establishment of a new
connection. The server answers each SYN with a SYN-ACK (synchronization-acknowledgment)
packet sent to the indicated source address and waits for the final ACK that would
complete the handshake. Because the source addresses are spoofed or unreachable, that ACK
never arrives: each connection stays half-open in the server's connection table until it
times out, consuming memory and CPU until the server can no longer accept connections
from legitimate clients [2][5].
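The following is an added example and not part of the report: a minimal half-open-connection tracker in Python that shows how a NIDS such as Snort can recognise the SYN flood described above from the traffic alone. The packet list is constructed for the example (client and server addresses are taken from the report's addressing plan, the spoofed sources from the TEST-NET-3 documentation range) and is not a real capture; the threshold and window values are illustrative.

```python
from dataclasses import dataclass

# Constructed sample traffic for this example (not a real capture). Each packet is
# (timestamp in seconds, src IP, dst IP, src port, dst port, TCP flags).
# Two internal clients complete a normal three-way handshake with the DMZ web
# server 172.16.0.2 (addresses from the report's addressing plan).
LEGITIMATE_HANDSHAKES = [
    (0.00, "192.168.10.2", "172.16.0.2", 50000, 80, "S"),
    (0.01, "172.16.0.2", "192.168.10.2", 80, 50000, "SA"),
    (0.02, "192.168.10.2", "172.16.0.2", 50000, 80, "A"),
    (0.10, "192.168.20.2", "172.16.0.2", 50001, 80, "S"),
    (0.11, "172.16.0.2", "192.168.20.2", 80, 50001, "SA"),
    (0.12, "192.168.20.2", "172.16.0.2", 50001, 80, "A"),
]

# 30 SYNs within 0.3 s from 30 spoofed sources (TEST-NET-3 addresses). The server's
# SYN-ACKs go to hosts that never asked for a connection, so no ACK ever comes back
# and every entry stays half-open.
SPOOFED_SYN_FLOOD = [
    (1.0 + i * 0.01, f"203.0.113.{i + 1}", "172.16.0.2", 40000 + i, 80, "S")
    for i in range(30)
]


@dataclass
class SynFloodAlert:
    timestamp: float
    target: str            # server being flooded
    half_open: int         # half-open connections to it inside the window
    distinct_sources: int  # many sources with one SYN each points to spoofing


def detect_syn_flood(packets, threshold=20, window=1.0):
    """Track half-open TCP connections per destination and raise one alert for a
    destination once at least `threshold` of them were opened within `window` s.

    `half_open` maps the client-side 4-tuple (src, sport, dst, dport) to the time
    of its SYN. The entry disappears when the client's final handshake ACK (or a
    RST) for that 4-tuple is seen; a SYN-ACK from the server changes nothing.
    Threshold and window are illustrative values, not tuned ones."""
    half_open = {}
    alerts = []
    alerted = set()  # one alert per target, like a rate-limited IDS rule
    for ts, src, dst, sport, dport, flags in sorted(packets):
        key = (src, sport, dst, dport)
        if flags == "S":
            half_open[key] = ts
        elif flags == "A" and key in half_open:
            del half_open[key]          # handshake completed: legitimate client
        elif "R" in flags:
            half_open.pop(key, None)    # connection aborted
        # How many connections to this packet's destination are still half-open
        # and were opened inside the detection window?
        recent = [k for k, t0 in half_open.items() if k[2] == dst and ts - t0 <= window]
        if len(recent) >= threshold and dst not in alerted:
            alerted.add(dst)
            alerts.append(SynFloodAlert(ts, dst, len(recent), len({k[0] for k in recent})))
    return alerts


if __name__ == "__main__":
    for alert in detect_syn_flood(LEGITIMATE_HANDSHAKES + SPOOFED_SYN_FLOOD):
        print(alert)
```

Run on the combined sample it reports one alert for 172.16.0.2 with 20 half-open connections from 20 distinct sources, and nothing for the legitimate handshakes alone. A real sensor must also expire old entries and bound the memory it spends on state, which is precisely the resource the attacker is trying to exhaust on the server; Snort rules express this kind of count-within-a-window condition with their threshold and detection_filter options.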

1.1.2 DNS Spoofing

In DNS spoofing, the attacker makes a legitimate domain name resolve to an IP address
under their control, either by forging DNS responses (for example by poisoning a resolver's
cache) or by exploiting vulnerabilities in a DNS server. Users who try to reach the
legitimate website are silently redirected to a site controlled by the attacker, which
enables phishing, malware downloads or data theft [4].

1.1.3 Man-in-the-Middle (MitM) Attacks


In a MitM attack, the attacker places themselves between two communicating parties and
relays their traffic, which lets them read sensitive information, modify the data in
transit, or impersonate either party [2]. Several techniques achieve this position:

- Wiretapping: a passive form of MitM in which the attacker captures and analyzes
transmitted data (potentially sensitive information) after gaining access to the medium, by
physically tapping network cables, intercepting wireless signals, or compromising a network
device on the path.
- HTTPS downgrade attacks, also known as SSL stripping: the attacker intercepts the
client's initial request (typically the plain HTTP request that precedes the redirect to
HTTPS) and keeps the client on an unencrypted HTTP connection while talking HTTPS to the
server itself. Many users do not notice the change of protocol and keep submitting sensitive
information in plaintext, which the attacker can read and alter [5]. HTTP Strict Transport
Security (HSTS) is the usual countermeasure, since it makes the browser refuse plain HTTP
for a site it has already seen over HTTPS.
- ARP spoofing: the attacker sends forged ARP replies that associate their own MAC address
with the IP address of a legitimate host, typically the default gateway. The other hosts on
the segment update their ARP caches and send the traffic intended for that host to the
attacker, who can capture, alter, or drop it before forwarding it on [5]. ARP has no
authentication, so any host on the VLAN can do this; static ARP entries for the gateway and
Dynamic ARP Inspection on the switches are the usual defences.
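As an added example (not part of the report), the detector below shows how the ARP spoofing described above can be spotted from the ARP replies seen on a segment, in the way a host- or network-based IDS does it: it learns IP-to-MAC bindings, accepts a trusted static binding for the gateway, and alerts when a known IP suddenly claims a different MAC or when one MAC starts answering for several IPs. The replies are constructed for the example; the MAC addresses are made up (locally administered 02: prefix) and the IPs come from the report's VLAN 10.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class ArpAlert:
    timestamp: float
    reason: str                  # "ip_changed_mac" or "mac_claims_several_ips"
    ip: str
    expected_mac: Optional[str]  # the binding we knew, if any
    observed_mac: str            # the MAC the reply advertised


# Constructed ARP replies on VLAN 10 for this example (not a capture):
# (timestamp, sender IP, sender MAC). MACs are made up, locally administered (02:...).
# The gateway and the admin PC announce themselves, then the host at .66 starts
# answering for both of them so that their traffic crosses its interface.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.10.254", "02:00:00:00:00:01"),  # real gateway (VLAN 10 virtual IP)
    (0.5, "192.168.10.2",   "02:00:00:00:00:02"),  # PC - admin
    (1.0, "192.168.10.66",  "02:00:00:00:00:66"),  # attacker announcing its own address
    (2.0, "192.168.10.254", "02:00:00:00:00:66"),  # spoofed: "the gateway is at :66"
    (2.1, "192.168.10.2",   "02:00:00:00:00:66"),  # spoofed: "the admin PC is at :66"
]

# Static binding an administrator would configure for the address that matters most.
TRUSTED_BINDINGS = {"192.168.10.254": "02:00:00:00:00:01"}


def detect_arp_spoofing(replies, trusted=None):
    """Learn IP->MAC bindings from ARP replies (trust on first use, except for the
    trusted static ones) and alert on the two signatures of ARP spoofing:
    a known IP advertised with a new MAC, and one MAC answering for several IPs."""
    ip_to_mac = dict(trusted or {})
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    alerts = []
    for ts, ip, mac in sorted(replies):
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac              # first time we see this IP: learn it
        elif known != mac:
            # Conflict with a binding we already hold. The table is deliberately NOT
            # updated, so a trusted entry keeps protecting the gateway.
            alerts.append(ArpAlert(ts, "ip_changed_mac", ip, known, mac))
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(ArpAlert(ts, "mac_claims_several_ips", ip, None, mac))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES, TRUSTED_BINDINGS):
        print(alert)
```

Both signals have benign causes (a DHCP lease moving to another host, a replaced network card, a router holding several addresses on one interface), so this is a detection signal to investigate rather than a decision to block; the preventive control is on the switch side, with Dynamic ARP Inspection backed by DHCP snooping.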

1.1.4 Reverse Shell Attack

In a reverse shell attack, the attacker first gains the ability to run code on the
target machine, typically by exploiting a vulnerability in software running on it. They then
upload and run a payload that opens an outbound connection to a listener on their own
machine and attaches a command interpreter to it. Because the connection is initiated from
inside the network, it passes through firewalls that only filter inbound connections, and it
gives the attacker interactive command-line access to the compromised system, from which
they can execute further malicious actions [4][5].

1.1.5 Telnet Brute Force Attack

Telnet is a legacy network protocol used to manage network devices remotely. In a brute
force attack, the attacker uses automated tools or scripts to try username and password
combinations until a valid pair is found. Telnet makes this worse in two ways: it usually
has no lockout or rate limiting, and it transmits the credentials in plaintext, so anyone
able to capture the traffic can read the working credentials directly [2]. SSH, which
encrypts the whole session, should replace Telnet wherever possible.

1.1.6 Buffer Overflow Attack

In a buffer overflow attack, the attacker sends a program more input than the memory
buffer it writes into was sized for. The excess data overwrites adjacent memory, which may
hold other program data or control-flow information such as a saved return address. By
choosing the overflowing data carefully, the attacker can alter the program's behaviour,
execute arbitrary code, or gain unauthorized access to the system [4].

1.1.7 SQL injection Attack

An SQL injection (SQLi) is a vulnerability in which input supplied by the attacker is
incorporated into an SQL query as code rather than as data, so that the attacker can alter
the query, read or modify the database, and gain access to potentially valuable
information. It is one of the most prevalent and damaging classes of attack because it can
affect any web application that builds queries from user input for an SQL-based
database (which is most of them) [2].
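To make the mechanism concrete, here is an added example (not code from the report's website) that uses Python's built-in sqlite3 module as a stand-in for the MySQL "contact" table described in Chapter 2. A hypothetical "users" table is included only to show what an attacker can reach once the query is under their control. The vulnerable function builds the query by string formatting; the safe one passes the value as a bound parameter.

```python
import sqlite3

# Constructed data for this example (not the report's database): a "contact" table
# like the one the website's form writes into, plus a hypothetical "users" table
# standing in for anything else an attacker would like to read.
CONTACT_ROWS = [
    ("Alice", "alice@example.com", "Is the flat still available?"),
    ("Bob", "bob@example.com", "Please call me back."),
    ("Carol", "carol@example.com", "Viewing appointment on Monday?"),
]
USER_ROWS = [("admin", "fakehash-not-a-real-credential")]


def make_db():
    """In-memory SQLite database standing in for the MySQL server of VLAN 30."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contact (id INTEGER PRIMARY KEY, name TEXT, email TEXT, message TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO contact (name, email, message) VALUES (?, ?, ?)", CONTACT_ROWS)
    conn.executemany("INSERT INTO users VALUES (?, ?)", USER_ROWS)
    return conn


def messages_for_email_vulnerable(conn, email):
    """The user-supplied value is pasted into the SQL text. A quote inside it ends
    the string literal and whatever follows becomes part of the query."""
    query = f"SELECT name, email, message FROM contact WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def messages_for_email_safe(conn, email):
    """The value is bound as a parameter: it is sent to the engine separately from
    the SQL text, so it can only ever be compared with the column, never parsed."""
    query = "SELECT name, email, message FROM contact WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


# Two classic payloads an attacker would type into the form's e-mail field.
# Bypass: the WHERE clause becomes  email = '' OR '1'='1'  and matches every row.
BYPASS_PAYLOAD = "' OR '1'='1"
# Union: appends the users table to the result and comments out the trailing quote.
UNION_PAYLOAD = "' UNION SELECT username, password_hash, 'pwned' FROM users -- "


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, bypass :", messages_for_email_vulnerable(conn, BYPASS_PAYLOAD))
    print("vulnerable, union  :", messages_for_email_vulnerable(conn, UNION_PAYLOAD))
    print("safe, bypass       :", messages_for_email_safe(conn, BYPASS_PAYLOAD))
    print("safe, union        :", messages_for_email_safe(conn, UNION_PAYLOAD))
```

The MySQL client libraries offer the same parameter binding (prepared statements); formatting user input into the query text is never the right choice, whatever escaping is attempted. Because the payload travels inside the HTTP request to the DMZ web server, it is also visible to a NIDS placed in front of that server as long as the traffic is not encrypted between the sensor and the server, which is what signature-based detection of SQLi with Snort relies on.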

1.2 Network security

Measures must be put in place to guarantee the availability, integrity and confidentiality
of the services and data stored in and transmitted over the network. Among these measures
are the following:

1.2.1 Identity & Access Management - IAM
IAM establishes who a user or device is and what it is allowed to do, and enforces those
decisions at every access point.

1.2.1.1 Authentication Methods

- Password-based authentication, and biometric authentication using fingerprints, iris
patterns, or facial features.
- Multi-factor Authentication (MFA): combines two or more factors of different kinds
(something you know such as a password, something you have such as a smart card,
something you are such as a biometric trait), so that a single stolen credential is not
enough to gain access.
- Token-based Authentication: uses physical or digital tokens (e.g., smart cards, USB
tokens, mobile apps) to generate one-time passwords or hold cryptographic keys, relying on
cryptography and secure hardware design.

1.2.1.2 Access Management Strategies

- Role-Based Access Control (RBAC): Assigns permissions based on predefined
organizational roles [9].
- Attribute-Based Access Control (ABAC): Dynamically assigns access rights based on user
attributes, resource attributes, and environmental conditions [9].
- Least Privilege Principle: Grants users only the minimum access necessary for their job
functions, to minimize the impact of a security breach and reduce the attack surface.

1.2.1.3 Zero trust concept


Zero Trust is a security approach that adopts a distrust towards all users and devices,
whether internal or external, unlike traditional models that grant implicit trust to internal users
and devices. Zero Trust requires strict verification and authentication for each access
request, regardless of its origin.
Granular access control grants permissions based on specific attributes of the user,
device, and request context, dynamically evaluating each access request based on factors
such as the user's location, time of request, and required security level [9].

1.2.2 Isolation
For servers that must be reachable from the public network, a DMZ (demilitarized
zone) is indispensable. Placed between the internal network and the public network, the
DMZ holds the externally exposed servers (web, email, file servers) behind firewalls
(see 1.2.7) that filter traffic in both directions. These servers remain accessible from
the Internet, but a compromise of one of them does not give direct access to the internal
network, because traffic from the DMZ towards the internal network is filtered in turn.
A database server, by contrast, normally stays in the internal network and is reachable from
the DMZ only on its service port, as in the architecture of Chapter 2.

1.2.3 Segmentation
The implementation of VLANs (Virtual Local Area Networks) is a critical security
measure for a data center. VLANs segment a physical network into isolated logical subnets,
so that traffic of one group of systems does not reach the others. Switches supporting
VLAN technology create and manage these subnets, associating ports with VLANs and filtering
traffic between segmentation zones. VLANs can be categorized into several types, such as
port-based VLANs, protocol-based VLANs, user group VLANs and subnet VLANs, each catering to
specific segmentation needs. Segmentation only protects, however, if the boundary between
VLANs is enforced: inter-VLAN traffic must pass through a router or firewall that filters
it, and trunk ports must carry only the VLANs they need. Under those conditions VLANs
provide a flexible and robust segmentation solution, strengthening both security and
management within a data center environment.

1.2.4 Traffic encryption

Traffic encryption is critical for network security: it protects the confidentiality and
integrity of data in transit and is often required for compliance and data sovereignty.
Regulations such as the GDPR (RGPD in French) require appropriate protection of personal
data, and encryption is the standard way to meet that requirement and avoid penalties and
legal risks [10]. Protocols such as TLS (the successor of SSL), VPNs and end-to-end
encryption (E2EE) combine symmetric encryption for the data, asymmetric encryption or key
exchange algorithms to agree on keys, and digital signatures or certificates to
authenticate the peers, in order to establish protected connections [6][9].

1.2.5 Logs and journaling

Logs and journaling strengthen network security by providing visibility into what
happens on the network, the ability to detect incidents and respond to them, and evidence
for forensic analysis. Robust logging means collecting the logs of all relevant sources
(firewall, IDS, servers, switches) and aggregating them in a central Security Information
and Event Management (SIEM) system, reviewing them consistently, and protecting their
integrity (file-system or database journaling, write-once storage, synchronized clocks) so
that they can be trusted during an investigation. This makes the network more resilient to
security threats and helps meet regulatory requirements [10].

1.2.6 Redundancy
Redundancy is a security measure in its own right because it protects availability:
it makes the network resilient and fault-tolerant and reduces the risk of interruption.
It is provided by different mechanisms at different levels of the network architecture:

- Hardware redundancy: duplicate hardware such as routers, switches, servers and power
supplies is installed so that a backup takes over when a component fails. Techniques like
clustering, mirroring and hot-swappable components are commonly used [6].
- Path redundancy: several physical paths are established between network devices so that
traffic can be rerouted around a failed or congested link. Link aggregation (IEEE 802.3ad,
LACP) and multipath routing protocols distribute traffic across the redundant paths,
providing both load balancing and fault tolerance [8].
- Logical redundancy (protocol redundancy): dynamic routing protocols such as OSPF
recompute routes when a link or router disappears, and first-hop redundancy protocols such
as HSRP present a single virtual gateway address backed by several devices, so that end
hosts keep a working default gateway when one of them fails.

1.2.7 Filtering
Filtering in network security relates to various mechanisms that control and monitor
network traffic to enhance security. Some of these mechanisms are:

-​ Stateless Packet Filtering: Checks out individual packets based on predefined rules at the
network layer (Layer 3). This filtering lacks state tracking [9].
-​ Stateful Packet Filtering: Keeps context information for active network connections,
boosting security by tracking connection states and spotting suspicious traffic patterns [9].
-​ Application Layer Proxy: Intercepts and inspects network traffic at the application layer
(Layer 7), enforcing security policies and performing content filtering to detect and block
malicious activities.
-​ Transparent Proxy: Intercepts network traffic seamlessly, facilitating real-time analysis and
reducing network-based attacks without user disruption [9].
-​ URL Filtering: Restricts access to websites based on predefined categories, dynamically
blocking access to known malicious domains to prevent exposure to malicious content [7].
- Content Inspection: Analyzes the payload of network packets to detect and block
threats such as viruses, Trojans, and exploits, enabling proactive threat detection and
prevention [7].
-​ Application Control: identify and block unauthorized or high-risk applications by supervising
the use of specific applications and protocols within the network environment.
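The difference between the first two items matters in practice, so here is an added example (not from the report) that applies a stateless rule set and a stateful one to the same constructed packets. The policy is the one the report's architecture needs: internal hosts may open HTTP connections to the DMZ web server, and only the replies may come back. The stateless version can only approximate "replies" by looking at the ACK flag, which a compromised DMZ host can set on any packet it likes; the stateful version remembers which connections the LAN actually opened. Addresses come from the report's plan; the packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Networks of the report's architecture (VLAN 10 and the DMZ).
LAN = ipaddress.ip_network("192.168.10.0/24")
DMZ = ipaddress.ip_network("172.16.0.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str   # TCP flags as letters: S, A, SA, ...


def stateless_filter(pkt):
    """Rules evaluated packet by packet, with no memory of earlier packets:
       1. LAN -> DMZ web server, port 80: allow
       2. DMZ -> LAN with the ACK flag set: allow (the usual way a stateless
          filter approximates "replies to established connections")
       3. everything else: deny"""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if src in LAN and dst in DMZ and pkt.dport == 80:
        return "allow"
    if src in DMZ and dst in LAN and "A" in pkt.flags:
        return "allow"
    return "deny"


class StatefulFilter:
    """Same policy, but a connection table records which sessions the LAN opened,
    and DMZ -> LAN traffic is only allowed when it belongs to one of them."""

    def __init__(self):
        self.connections = set()   # (client IP, client port, server IP, server port)

    def filter(self, pkt):
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if src in LAN and dst in DMZ and pkt.dport == 80:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "S":
                self.connections.add(key)      # new connection opened from inside
                return "allow"
            return "allow" if key in self.connections else "deny"
        if src in DMZ and dst in LAN:
            # A reply is only valid for a connection we saw the LAN side open.
            reverse_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return "allow" if reverse_key in self.connections else "deny"
        return "deny"


# Constructed packets for this example (not a capture).
SAMPLE_PACKETS = [
    Packet("192.168.10.2", "172.16.0.2", 51000, 80, "S"),    # admin PC opens HTTP to the web server
    Packet("172.16.0.2", "192.168.10.2", 80, 51000, "SA"),   # legitimate reply
    Packet("172.16.0.2", "192.168.10.2", 4444, 22, "A"),     # compromised web server probes SSH on the LAN
    Packet("172.16.0.2", "192.168.10.4", 4444, 3306, "A"),   # then the DATA server's MySQL port
]


def compare(packets):
    """Return (packet, stateless decision, stateful decision) for each packet, in order."""
    stateful = StatefulFilter()
    return [(p, stateless_filter(p), stateful.filter(p)) for p in packets]


if __name__ == "__main__":
    for pkt, stateless, stateful in compare(SAMPLE_PACKETS):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{pkt.flags}]"
              f"  stateless={stateless}  stateful={stateful}")
```

The two rogue ACK packets pass the stateless rules and are dropped by the stateful ones, and a reply with no matching SYN is dropped as well. A real stateful firewall such as pfSense additionally checks sequence numbers and expires idle entries; the state table is then the resource an attacker may try to fill, which is why state limits per rule exist.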

Firewalls control traffic according to predefined rules. They come in several types,
from stateless and stateful packet filters to proxy firewalls and next-generation firewalls
(NGFWs), each offering a different depth of inspection. NGFWs combine classic firewall
functions with intrusion prevention and deep packet inspection. Firewalls operate at
several OSI layers, from basic IP filtering to application-specific traffic analysis. Key
performance metrics are throughput, latency and scalability. Firewalls may also provide NAT
and VPN termination, which respectively hide the internal addressing plan and enable secure
remote access [9]. pfSense, used in Chapter 2, is a stateful firewall of this kind.

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), for their part,
offer more advanced capabilities for identifying and mitigating security threats. The next
section describes IDS/IPS in detail, with the emphasis on IDS since it is the main topic
of our project.

1.3 Intrusion detection systems - IDS
1.3.1 Definitions
Intrusion Prevention Systems (IPS): “A system that is capable of automatically
detecting, classifying, and responding to known or suspected network attacks in progress”
[1]. IPS solutions actively block or mitigate detected security threats in real-time, leveraging
signature-based detection, protocol analysis, and anomaly detection techniques. IPS
solutions complement IDS capabilities by automatically responding to identified threats.

Intrusion Detection Systems (IDS): "A system that monitors the network and/or system
activities for malicious activities or policy violations and produces reports to a management
station" [1]. By correlating network events with predefined signatures and behavioral
abnormalities, IDS solutions provide early warning of potential security incidents, enabling
timely response and mitigation. Here's how IDS work and some examples of attacks they are
capable of detecting:

- Network-Based IDS (NIDS): a NIDS is placed at strategic points of the network, such as
the perimeter or a critical segment, and monitors the inbound and outbound traffic passing
there for signs of suspicious behaviour. It analyzes packets in real time, comparing them
against predefined signatures or behavioural patterns associated with known attacks, and
raises an alert on a match [7]. A NIDS only sees the traffic that passes its sensor, so its
placement (in this project, on the pfSense firewall between the LAN, the DMZ and the
Internet) determines what it can detect.
- Host-Based IDS (HIDS): a HIDS is deployed on an individual host, such as a server or an
endpoint, to supervise system activity and detect unauthorized access, configuration
changes, or abnormal behaviour indicative of a security incident. It does this by analyzing
system logs, file integrity and, on Windows, registry changes. When a security event is
detected, the HIDS generates an alert or logs the event for further analysis [7].

1.3.2 Some IDS solutions

Several IDS solutions are widely used. Here are some of them:

Snort: An open-source network intrusion detection system (NIDS) renowned for its
flexibility and extensive community support. It utilizes signature-based detection, protocol
analysis, and anomaly-based detection to identify and respond to threats [11].

Suricata: Another open-source NIDS that offers high-performance network security
monitoring and intrusion detection capabilities. Suricata supports multi-threading and
rule-based detection, making it suitable for large-scale deployments [11].

Palo Alto Networks PAN-OS: A next-generation firewall platform that includes intrusion
prevention features along with advanced threat detection and prevention capabilities.
PAN-OS offers granular control over network traffic and application-level visibility for
comprehensive security management [12].

IBM QRadar: A SIEM (Security Information and Event Management) solution that
incorporates intrusion detection capabilities alongside log management, threat intelligence,
and behavioral analytics. IBM QRadar provides centralized monitoring and correlation of
security events for proactive threat detection and response [12].

1.3.3 IDS in Action: Historical Case Studies

-​ The birth of IDS (1980s): the concept of Intrusion Detection Systems (IDS) emerged as
researchers sought to improve computer security. Early IDS prototypes, like Dorothy
Denning's model, focused on anomaly detection by analyzing system audit trails [13].
-​ Solar Sunrise (1998): A series of cyberattacks against U.S. Department of Defense
systems, initially suspected to be led by Iraqi hackers, aimed to breach military networks.
Intrusion Detection Systems (IDS) detected anomalous activities, enabling rapid response
and countermeasures, highlighting the importance of IDS in protecting critical infrastructure
[13].
-​ SQL Slammer (2003): A computer worm exploiting Microsoft SQL Server vulnerabilities
caused widespread disruptions. IDS identified and mitigated the worm's spread by
monitoring anomalous behavior, enabling rapid response and minimizing impact,
showcasing IDS's role in combating fast-spreading threats [14].

These case studies demonstrate the significant role played by IDS in detecting and
responding to various cyber threats, ranging from sophisticated cyber espionage campaigns
to fast-spreading worms targeting critical infrastructure and organizations.

CHAPTER 2 : Network architecture - realization

2.1 Selection of the network architecture


Before selecting our network architecture, it is useful to recall two widely used
models, both promoted by Cisco, against which our choice can be positioned: the 2-tier
architecture (spine-leaf) and the 3-tier architecture (campus) (see Annex A.1, 2-tier
architecture (spine-leaf), and A.2, 3-tier architecture (campus)).

●​ What service is provided by our network architecture ?

The service provided by our network architecture is a showcase website for a real estate
agency that presents the development of the agency over time, the agency's team, the
location of the headquarters and a contact interface (see figure 1, 2, 3 : Website interface).
The site is hosted on the web server present in the DMZ .

Figure 1 : Website interface

Figure 2 : Website interface

Figure 3 : Website interface

Considering the simplicity of our service offering, we have determined that the 2-tier
spine-leaf architecture would be more suitable for meeting our requirements. This
architecture efficiently accommodates our needs without the additional complexity and
resources associated with the campus 3-tier architecture of Cisco.

●​ Where to place our firewall ?

Our Firewall is an edge firewall which means that it is positioned at the network edge,
typically at the boundary between our private internal network (LAN), our DMZ and the public
internet. This location provides numerous advantages. It enhances security by acting as a
barrier against unauthorized access and external threats. Additionally, its strategic location
allows for comprehensive logging and monitoring of network activity, enhancing visibility into
potential security threats and compliance. Moreover, the firewall supports network
segmentation, facilitating isolation of security incidents and efficient traffic management
within the network.

●​ Where to place our DMZ ?

Our Demilitarized Zone is directly connected to the firewall, offering several
advantages, particularly in a 2-tier architecture. Firstly, enhanced security segmentation
ensures isolation of external-facing services like our web server from internal resources,
mitigating the risk of unauthorized access. Secondly, centralized security enforcement
simplifies management by consolidating security policies across the network, leading to
easier configuration, monitoring, and auditing. Thirdly, performance is optimized with reduced
latency and overhead by connecting the DMZ directly to the firewall. Finally, scalability and
flexibility are achieved, allowing for easy expansion of DMZ resources without compromising
security or impacting the network architecture.

➢​ Due to the substantial variance observed between the execution of network architectures
and the practical network infrastructure found within enterprise settings, particularly in terms
of resource allocation and operational requirements, a dual approach is proposed : an
enterprise-grade version (figure 4) configured on Packet Tracer and an implemented
version (figure 5) employing virtual machines.

2.2 Administration and configuration of the enterprise-grade architecture functionalities

Figure 4 : Enterprise-grade architecture on Packet Tracer

❖ IP addresses attribution

VLAN / Asset                 Endpoint asset / interface   IP address        Gateway
VLAN 10 (192.168.10.0/24)    PC - admin                   192.168.10.2      192.168.10.254
                             PC - Technician              192.168.10.3      192.168.10.254
                             Server - DATA                192.168.10.4      192.168.10.254
VLAN 20 (192.168.20.0/24)    PC - HRM                     192.168.20.2      192.168.20.254
                             PC - RH                      192.168.20.3      192.168.20.254
VLAN 30 (192.168.30.0/24)    PC - Sales Manager           192.168.30.2      192.168.30.254
                             PC - Sales consultant        192.168.30.3      192.168.30.254
VLAN 40 (192.168.40.0/24)    Printer - Admin              192.168.40.2      192.168.40.254
                             Printer - RH                 192.168.40.3      192.168.40.254
                             Printer - Sales              192.168.40.4      192.168.40.254
Multilayer-switch 1          int Gig 1/0/3                192.168.100.1     (virtual HSRP IP per VLAN)
                             int vlan 10                  192.168.10.252    192.168.10.254
                             int vlan 20                  192.168.20.252    192.168.20.254
                             int vlan 30                  192.168.30.252    192.168.30.254
                             int vlan 40                  192.168.40.252    192.168.40.254
Multilayer-switch 0          int Gig 1/0/3                192.168.102.1     (virtual HSRP IP per VLAN)
                             int vlan 10                  192.168.10.253    192.168.10.254
                             int vlan 20                  192.168.20.253    192.168.20.254
                             int vlan 30                  192.168.30.253    192.168.30.254
                             int vlan 40                  192.168.40.253    192.168.40.254
Firewall                     int Gig1/1                   192.168.100.2
                             int Gig1/3                   192.168.102.2
                             int Gig1/4                   172.16.0.1
Server DMZ-1                 -                            172.16.0.3        172.16.0.1
Web-server                   -                            172.16.0.2        172.16.0.1

❖ VLANs configuration

- Configuration on the L2 and multilayer switches :

Switch(config)# vlan 10
Switch(config-vlan)# name [name]

Access ports (one VLAN per port, for end-point assets) :

Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan [ID]

Trunk ports (links between switches, carrying all VLANs with 802.1Q tags) :

Switch(config-if)# switchport mode trunk

- Inter-VLAN routing on the multilayer switches :

Assigning an IP address to the VLAN interface (SVI) :

Switch(config)# interface vlan <vlan_id>
Switch(config-if)# ip address <ip_address> <subnet_mask>

Activation of routing :

Switch(config)# ip routing

❖ Routing configuration : OSPF protocol

Switch(config)# router ospf 1
Switch(config-router)# network [network ip@] [wildcard mask] area 0

❖ Removing layer 2 loops : STP protocol

Given the redundant links between the switches in our topology, the STP protocol is
essential to eliminate Layer 2 loops. On Cisco switches the Spanning Tree Protocol runs as
one instance per VLAN (PVST+), which is the usual behaviour for topologies containing
several VLANs and allows a different root bridge to be chosen for each VLAN.

❖ Multilayer switches redundancy and load balancing : HSRP protocol

To provide redundancy for our multilayer switches, the HSRP protocol has been
implemented. For each VLAN it creates a virtual IP address shared by the two switches
(192.168. … .254), which is the default gateway of the end-point assets and through which
inter-VLAN routing is done; if the active switch fails, the standby one takes over the
virtual address and the hosts keep the same gateway.
Load balancing between the two switches is obtained by making each of them active for
half of the VLANs: with the priorities configured below, multilayer-switch 1 is active for
VLANs 10 and 30 (priority 120 against the default of 100, with preempt so that it takes
the role back once it recovers) and multilayer-switch 0 is active for VLANs 20 and 40.
HSRP configuration on multilayer switch 1 (the same configuration is applied on multilayer
switch 0, with the priorities reversed) :

! VLAN 10 : this switch is the active gateway
interface vlan 10
 ip address 192.168.10.252 255.255.255.0
 standby 10 ip 192.168.10.254
 standby 10 priority 120
 standby 10 preempt
exit
! VLAN 20 : default priority (100), this switch is standby
interface vlan 20
 ip address 192.168.20.252 255.255.255.0
 standby 20 ip 192.168.20.254
exit
! VLAN 30 : active
interface vlan 30
 ip address 192.168.30.252 255.255.255.0
 standby 30 ip 192.168.30.254
 standby 30 priority 120
 standby 30 preempt
exit
! VLAN 40 : standby
interface vlan 40
 ip address 192.168.40.252 255.255.255.0
 standby 40 ip 192.168.40.254

❖ Links redundancy : EtherChannel

The parallel links between two switches are bundled into a single logical link, so that
STP does not block them and their bandwidth is used; "mode active" negotiates the bundle
with LACP.

Switch# configure terminal
! bundle ports Gi0/8 to Gi0/10 into Port-channel 1
Switch(config)# interface range gigabitEthernet 0/8 - 10
Switch(config-if-range)# channel-group 1 mode active
Switch(config-if-range)# exit
Configuration Results ---> (Check ANNEXES)

2.3 Implemented version of the network architecture

2.3.1 Network configuration

Figure 5 : Implemented version of our network architecture

The network architecture implemented in our project differs from the one we designed
using Packet Tracer due to a lack of resources to create multiple virtual machines to simulate
the above network.

As presented in the (figure……) above, we've deployed six virtual machines to replicate our
network environment. Each virtual machine plays a distinct role, essential for mirroring the
functionalities of our network :

● Three Ubuntu virtual machines to simulate 3 distinct VLANs:
- VLAN 10: Authentication
- VLAN 20: HR
- VLAN 30: Sales
● An Ubuntu virtual machine acting as the router responsible for inter-VLAN routing.
● An Ubuntu virtual machine simulating the DMZ. On this machine a web server is installed
to provide a specific service to clients, which in our case is the real estate website.
● Another virtual machine hosting the pfSense firewall, which also runs Snort (the
intrusion detection system).

In this section, we delve into the practical implementation of the designed architecture.
We provide a detailed overview of the network topology, VLAN configuration, router settings
for inter-VLAN routing, DMZ setup with a web server, configuration of the pfSense firewall, and
the integration of Snort for enhanced network security.
❖ VLANs configuration

To emulate VLANs within VirtualBox, we created a separate "internal network" for each
VLAN and attached one interface of each virtual machine to it. Here is the configuration
of the VLANs:

● VLAN 10 (Authentication): designated for authentication purposes, configured with the
address range 192.168.10.0/24. A single virtual machine fulfils the requirements of this
VLAN; its network interface is of type "internal network", so it can communicate only
within VLAN 10 (see Figure 1).

Configuration details:

The configuration of a virtual machine belonging to VLAN 10 is presented in Figure 2.

For the two other VLANs, the setup is identical; only the addressing changes, as follows:

Name of VM      Subnet address     IP address of VM (static)   Gateway
Vlan20 HR       192.168.20.0/24    192.168.20.2                192.168.20.1
Vlan30 Sales    192.168.30.0/24    192.168.30.2                192.168.30.1

The virtual machine designed for VLAN30 is dedicated to the sales department. We've
set up a MySQL database containing one single table named "contact". This database is
linked to a website hosted on a web server situated in the DMZ. Consequently, whenever
someone interacts with the website, all the information provided, along with any messages
entered into the contact form, is automatically inserted into this database hosted on the virtual
machine.

To achieve this, we initially established a MySQL server and configured it to allow remote
connections. This setup enables the virtual machine hosting the web server to connect to the
MySQL server remotely, facilitating interaction between the two components.

Figure 6 – Connection to the database from the DMZ

❖ Router Configuration and Inter-VLAN Routing

Regarding the router, we created an Ubuntu virtual machine equipped with 4 internal
network interfaces. Three of these interfaces are connected to the previously defined
VLANs (v10, v20, v30), while the fourth is linked to pfSense (LAN). We configured this
router to perform inter-VLAN routing, enabling communication between different VLANs within
the network (see Figure 3).

After ensuring that we have our four interfaces, we edit the file
"/etc/network/interfaces" to configure them. We do not assign a gateway to
the interfaces connected to the VLANs because our router itself serves as the gateway for these
networks. However, the LAN network with the address range "192.168.0.0/24" has a
gateway at "192.168.0.1" (pfSense), to which our router forwards the requests it cannot route
itself. We can then restart the network service to apply the changes (see B.4, configuring the
interface of the router linked to pfSense, and B.5, configuring the interface of the router linked
to Vlan30).

● Enable router mode:

By default, a Linux machine does not forward packets as a router does. Therefore, we
need to enable this functionality, which is controlled by an option in the file
"/etc/sysctl.conf". We search for the following line and uncomment it [17]:

net.ipv4.ip_forward=1

This option enables packet forwarding, allowing packets to be relayed from one interface to
another, or more precisely, from one network to another (see B.8 Inter-VLAN routing).

❖​ DMZ Configuration and Web Server Setup

● Overview of DMZ Emulation Approach

To simulate a DMZ within VirtualBox, we opted to create a separate internal network
interface for the virtual machine hosting services in the DMZ. This approach allows us to isolate
public-facing services, enhancing network security by segregating them from the internal
network.

● DMZ setup

The configuration of the DMZ in VirtualBox is presented in the screenshot below:

Figure 7 – Configuration of the DMZ on VirtualBox

● Configuration details

Subnet: 172.16.0.2/24 (DMZ subnet)
Virtual machine: Web Server (Apache2)
● Network interface: Internal network (DMZ)
● IP address: 172.16.0.2
● Gateway: 172.16.0.1

● Explanation of Configuration

The subnet 172.16.0.0/24 was selected for our DMZ to clearly differentiate it from the
internal LAN. This designated subnet provides an exclusive address range tailored for
hosting public-facing services within the DMZ, thus ensuring a distinct separation from
internal network resources.

By implementing this configuration, we effectively segregate public-facing services within
the DMZ, significantly enhancing network security by isolating them from internal network
resources.

For our project, the installation and configuration of an Apache web server play a crucial
role in establishing a robust network infrastructure. Beginning with the installation process,
we utilize the package management system of our chosen Linux distribution, such as Ubuntu
or Debian, to install the Apache package using the command `sudo apt install apache2`.
Once installed, Apache is automatically started, and we verify its functionality by accessing
the server's public IP address or domain name in a web browser, where we expect to see the
default Apache2 Ubuntu Default Page.

To ensure seamless operation, we configure Apache to start automatically upon system
boot using the command `sudo systemctl enable apache2`. Additionally, we may need to
adjust firewall settings.

In terms of configuration, we tailor Apache to suit the specific requirements of our
project. This includes adjusting settings in the main configuration file located at
`/etc/apache2/apache2.conf`, configuring virtual hosts to host multiple websites if necessary,
specifying the document root directory where website files are stored, and ensuring
appropriate file permissions are set to safeguard against unauthorized access.

Ongoing maintenance is integral to the longevity and security of our Apache server.
Regular updates and monitoring of Apache's error logs, located at
`/var/log/apache2/error.log`, are essential to identify and address any issues promptly. By
following these steps diligently, we establish a resilient Apache web server that forms a
cornerstone of our project's network infrastructure, facilitating reliable and secure web
hosting capabilities [20].

In our project, we've created a real estate website where visitors can explore properties
and find relevant information. A standout feature of this site is the contact function, allowing
visitors to easily reach out to us. By filling out a simple form, they can get in touch with any
inquiries or requests. This feature streamlines communication, making it easy for potential
clients to connect with us.

2.2.2 pfSense Installation and configuration

pfSense is an open-source firewall and routing software based on FreeBSD. It
provides firewall features, VPN capabilities, routing functions, and other network services.
pfSense is often deployed as a perimeter firewall, router, wireless access point controller,
DNS server, and DHCP server. It offers a web-based interface for configuration and
management, making it accessible to users without advanced networking knowledge. It's
widely used in small to medium-sized businesses, educational institutions, and home
networks due to its flexibility, reliability, and extensive feature set [18].

Step 1 - Configuration of Different Network Interfaces:

Two network interfaces have been configured in internal network mode: LAN and DMZ. The
first is dedicated to the LAN 192.168.0.0/24, while the second is intended for the DMZ
172.16.0.0/24. Additionally, a NAT network interface has been set up for the WAN
10.0.2.0/24 .

Three network cards have been added to the virtual machine that will host pfSense. One
card is dedicated to simulating the WAN, a second for the LAN, and a third for the DMZ .

Figure 8 – Configuration of Pfsense on virtualbox

Step 2 - System Installation:

https://www.it-connect.fr/installation-de-pfsense%EF%BB%BF/

Step 3 - Configuration of pfSense Interfaces:

Once pfSense is installed and rebooted, we need to configure the interfaces through the
pfSense administration interface.

From the console prompt, we assign an IP address to the DMZ (OPT1) and LAN interfaces
using option 2 "Set interface IP address":

● WAN: 10.0.2.4/24 DHCP (from the VMware DHCP server)
● LAN: 192.168.0.1/24
● DMZ (OPT1): 172.16.0.1/24

At the end of step 3, we were able to achieve this configuration:

Figure 9 – Configuring the pfSense interfaces

Step 4 - Adding static routes:

To enable pfSense to route traffic to the VLANs, we've configured three static routes,
one for each VLAN. Each static route specifies the gateway through which traffic should pass
when destined for the respective VLAN. This ensures that packets sent to the VLANs are
correctly routed and reach their intended destinations within the network.

● Network: 192.168.10.0/24 -> gateway: 192.168.0.2
● Network: 192.168.20.0/24 -> gateway: 192.168.0.2
● Network: 192.168.30.0/24 -> gateway: 192.168.0.2

Step 5 - Accessing the pfSense Interface:

After configuring the interfaces, we can access the pfSense web interface by opening a
web browser and entering the IP address assigned to the LAN interface, which in this case is
192.168.0.1.

Step 6 - DNS Resolution:

● DNS Resolver: Disable
● DNS Forwarder: Enable

2.2.3 Snort configuration

❖ Configuration of Snort on pfSense

Snort is configured as an additional package on pfSense, seamlessly integrating with
the firewall's existing functionalities. Through pfSense's intuitive web interface, Snort rulesets
are easily downloaded and updated, ensuring real-time protection against emerging threats.
Customization options allow for tailored rule configurations, enabling precise detection of
suspicious network activity. By leveraging Snort's advanced features, such as protocol
analysis and signature-based detection, we enhance our ability to identify and mitigate
potential security breaches [19].

Figure 10 – Configuration of Snort on pfSense

❖​ Performance Benefits of Snort and pfSense Integration

The integration of Snort with pfSense yields significant performance benefits, bolstering
our network security posture. By leveraging pfSense's robust packet filtering capabilities in
tandem with Snort's intrusion detection capabilities, we achieve comprehensive threat
detection and prevention. The lightweight footprint of Snort ensures minimal impact on
system resources, allowing for efficient utilization of hardware resources without
compromising performance. Furthermore, pfSense's extensive logging and reporting
capabilities complement Snort's detection capabilities, providing actionable insights into
network traffic and security events.

❖​ Deployment on Firewall to Monitor DMZ and LAN

A strategic decision was made to deploy Snort on the firewall to monitor both the DMZ
and LAN segments. This approach allows for centralized monitoring and management of
network traffic across all segments, streamlining security operations and ensuring
comprehensive threat visibility. By extending Snort's coverage to both internal and external
network segments, we fortify our network perimeter against potential intrusions and
unauthorized access attempts. Additionally, this deployment model facilitates proactive threat
detection and response, enabling timely mitigation of security incidents.

In conclusion, the integration of Snort with pfSense represents a powerful combination
for enhancing network security. Through careful configuration and deployment on the firewall,
we achieve robust threat detection and prevention capabilities across all network segments.

Figure 11 – Snort interfaces on pfSense

CHAPTER 3: Vulnerabilities, Attack Simulations, and Intrusion
Detection with Snort

3.1 Diagram of vulnerabilities

Figure 12 – Diagram of vulnerabilities

3.2. Enhancing Network Security with pfSense Firewall Protection

3.2.1. Building a Secure network with pfSense rules

Our job is therefore to make the web server accessible from the Internet, while the
LAN is not. On the other hand, from the LAN it is possible to connect to the web server.
These are the principles of the DMZ architecture [16].

Rules:

So in the first place we must create 3 rules to block access from the DMZ to the WAN, from
the DMZ to the LAN and from the WAN to the LAN:

● DMZ --> WAN : blocked
● DMZ --> LAN : blocked
● WAN --> LAN : blocked

Then we must establish the security policy of the DMZ, which allows:

● Internet users to access the web server;
● the web server to respond to them;
● only ports 80 and 443 (the HTTP and HTTPS ports) to be open.

This gives the following rules:

● WAN -> DMZ : HTTP/HTTPS allowed
● LAN -> DMZ : HTTP/HTTPS/FTP allowed

The LAN must be able to access the WAN, but only on the HTTP and HTTPS ports:

● LAN -> WAN : HTTP/HTTPS allowed

Finally, we must set a port forwarding rule from the WAN address and port 80 to the
web server address and port 80.

That's it, the three points of our security policy are respected. We were able to secure
our network architecture thanks to the rules of our firewall (see B.6 Rules on pfSense).

Figure 13 – Firewall policy
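As an added example that is not part of the original report and not pfSense code, the Python below models the policy above as an ordered first-match rule list with an implicit default deny, and applies the WAN:80 port forward before filtering, as pfSense does (NAT is processed before the filter rules). The zone names, the rule order and the addresses 10.0.2.4 and 172.16.0.2 come from the report; port 21 for FTP, the zone lookup for forwarded traffic and the helper names are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Addresses as given in the report's topology
WAN_ADDRESS = "10.0.2.4"   # pfSense WAN interface
WEB_SERVER = "172.16.0.2"  # Apache host inside the DMZ


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                                 # "pass" or "block"
    dports: Optional[FrozenSet[int]] = None     # None = any destination port


# Rules in the order the report lists them. pfSense evaluates rules top-down and
# stops at the first match; anything unmatched falls into the default deny.
POLICY: List[Rule] = [
    Rule("DMZ", "WAN", "block"),
    Rule("DMZ", "LAN", "block"),
    Rule("WAN", "LAN", "block"),
    Rule("WAN", "DMZ", "pass", frozenset({80, 443})),      # HTTP/HTTPS
    Rule("LAN", "DMZ", "pass", frozenset({80, 443, 21})),  # HTTP/HTTPS/FTP (21 assumed)
    Rule("LAN", "WAN", "pass", frozenset({80, 443})),
]

# NAT port forward: WAN address port 80 -> web server port 80.
PORT_FORWARDS = {(WAN_ADDRESS, 80): (WEB_SERVER, 80)}

# Assumed zone lookup for the translated destination (only the web server is in the DMZ).
ZONE_OF = {WEB_SERVER: "DMZ"}


def apply_port_forward(dst_ip: str, dst_port: int) -> Tuple[str, int]:
    """Rewrite the destination if a port-forward entry matches, else leave it alone."""
    return PORT_FORWARDS.get((dst_ip, dst_port), (dst_ip, dst_port))


def evaluate(src_zone: str, dst_zone: str, dst_port: int,
             policy: List[Rule] = POLICY) -> Tuple[str, Optional[int]]:
    """First-match evaluation: returns (action, index of the matching rule), or
    ('block', None) when only the implicit default deny applied."""
    for idx, rule in enumerate(policy):
        if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
            continue
        if rule.dports is not None and dst_port not in rule.dports:
            continue
        return rule.action, idx
    return "block", None


def inbound_from_internet(dst_ip: str, dst_port: int) -> Tuple[str, int, str]:
    """An Internet client hits the WAN address: NAT first, then the filter.
    Returns (final destination ip, final port, action)."""
    ip, port = apply_port_forward(dst_ip, dst_port)
    action, _ = evaluate("WAN", ZONE_OF.get(ip, "LAN"), port)
    return ip, port, action


if __name__ == "__main__":
    print(inbound_from_internet(WAN_ADDRESS, 80))   # ('172.16.0.2', 80, 'pass')
    print(evaluate("WAN", "LAN", 80))               # ('block', 2)
    print(evaluate("DMZ", "LAN", 3306))             # ('block', 1)
```

Two things the rule list alone does not make obvious. First, order matters: a later pass rule never sees traffic that an earlier block rule already matched, so any future exception has to be placed above the block it relaxes. Second, the DMZ -> LAN block as listed also covers the web server's connection to the MySQL server hosted on the VLAN 30 machine (section 2.2.1); that flow needs a narrow exception, for example TCP 3306 from 172.16.0.2 to the database host only, placed above the block rule, rather than a general DMZ -> LAN allow.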

3.2.2. Preventing Reverse Shell Attacks: Testing Vulnerabilities Before
Activating pfSense Rules

3.2.2.1 Reverse shell attack simulation

● Crafting the Malicious Payload:

We have created a malicious payload designed to establish a reverse shell connection.
This payload was a script that, when executed, would initiate a connection back to our
attacker's machine, providing remote access to the system.

Figure 14 – Reverse shell initiation

●​ Uploading the Malicious Payload

Using the contact page's upload functionality, we successfully uploaded the malicious
payload. The lack of proper input validation and security checks allowed the payload to be
accepted and executed by the server.

Figure 15 – Execution of the payload

●​ Establishing the Reverse Shell Connection

Once the payload was executed, it initiated a reverse shell connection to the attacker's
machine. This connection provided us with a command-line interface, allowing us to
execute arbitrary commands and gain control over the compromised system.

Figure 16 – Establishing the Reverse Shell Connection

The simulation of the reverse shell attack underscored the importance of securing web
application input fields and the critical role of firewall rules in preventing such attacks. Before
the activation of pfSense firewall rules, our system was vulnerable to exploitation through the
upload section on the contact page. This exercise emphasized the necessity of implementing
robust security measures, including input validation, payload sanitization, and the activation
of firewall rules, to defend against reverse shell attacks and other malicious activities. As part
of a holistic cybersecurity strategy, deploying and configuring pfSense firewall rules is
essential to safeguard network infrastructure and protect against evolving threats.(see B.7)

Figure 17 – Reverse shell attack after applying pfsense’s rules

3.3. Attack scenarios and security measures with Snort

3.3.1. DoS attack (SYN flooding)

3.3.1.1 DoS attack simulation

To simulate a SYN flood DoS attack, we used Ettercap in Kali Linux, a network security
tool commonly used for man-in-the-middle attacks and network sniffing. It allows users to
intercept, analyze, and manipulate network traffic in real time, making it useful for tasks such
as network troubleshooting, penetration testing, and security assessment. After providing the
IP address of the web server located inside the DMZ, the tool initiated the attack automatically.
Within seconds, we observed the website being disrupted by the flood of SYN packets
overwhelming the server's capacity to handle legitimate connections. The idea is that the
resources of the web server are consumed by the tool [15].

This can be seen in the following screenshots:

Figure 18 – Dos attack initiation with Ettercap

Figure 19 – Packets captured by wireshark during the attack

3.3.1.2 DoS attack detection

To detect this type of DoS attack, we've implemented a rule in Snort, an open-source
network intrusion detection system. This rule is designed to scrutinize incoming network
traffic and identify patterns indicative of a SYN flood attack. Further details on this rule are
given below and in Annex B.9.

Rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (flags: S; msg:" DOS Attack SYN Flooding "; flow:stateless; detection_filter: track by_dst, count 100, seconds 1; sid:99999901; rev:1;)

This Snort rule is crafted to detect SYN flooding attacks targeting port 80 (HTTP) from
any source outside the local network ($EXTERNAL_NET) to any destination within the local
network ($HOME_NET) (see B.9 Explanation of the Snort rule).

Once the rule is activated and Snort is actively monitoring the network traffic, if another
SYN flood attack is simulated, Snort will detect the attack based on the conditions specified
in the rule. When the attack is detected, Snort will generate alerts in its interface, displaying
the message specified in the rule.
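To show what the detection_filter clause actually does, here is an added example (not Snort's code and not from the original report) that emulates this one rule in Python over a constructed packet stream: it checks the header (TCP, source outside $HOME_NET, destination inside it on port 80), requires exactly the SYN flag, and keeps a per-destination one-second window of matching packets, alerting when that window holds 100 of them. $HOME_NET is assumed to be the DMZ subnet 172.16.0.0/24; the packet dictionaries and the source address 10.0.2.15 are constructed; the exact packet on which real Snort first fires differs slightly, so the count boundary is an approximation.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network
from typing import Deque, Dict, List

# Assumption: $HOME_NET is the DMZ; $EXTERNAL_NET is everything else (Snort's default).
HOME_NET = ip_network("172.16.0.0/24")
MSG = "DOS Attack SYN Flooding"


class SynFloodRule:
    """Emulates: alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (flags:S; flow:stateless;
    detection_filter: track by_dst, count 100, seconds 1;)
    Approximation: the alert fires on the packet that brings the number of matching
    SYNs seen for one destination within the last `seconds` up to `count`."""

    def __init__(self, count: int = 100, seconds: float = 1.0, dport: int = 80):
        self.count, self.seconds, self.dport = count, seconds, dport
        self._window: Dict[str, Deque[float]] = defaultdict(deque)  # track by_dst
        self.alerts: List[tuple] = []

    def header_matches(self, pkt: dict) -> bool:
        src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
        return (pkt["proto"] == "tcp"
                and src not in HOME_NET          # $EXTERNAL_NET any
                and dst in HOME_NET              # -> $HOME_NET 80
                and pkt["dport"] == self.dport
                and pkt["flags"] == "S")         # flags:S = SYN only; SYN/ACK replies are ignored

    def process(self, pkt: dict) -> bool:
        """Feed one packet (stateless: each is judged on its own); True when the rule alerts."""
        if not self.header_matches(pkt):
            return False
        window = self._window[pkt["dst"]]
        window.append(pkt["ts"])
        while window and pkt["ts"] - window[0] > self.seconds:
            window.popleft()                     # expire matches older than the 1 s window
        if len(window) >= self.count:
            self.alerts.append((pkt["ts"], pkt["dst"], MSG))
            return True
        return False


def run(packets: List[dict]) -> List[bool]:
    """Return, per packet, whether the rule alerted on it."""
    rule = SynFloodRule()
    return [rule.process(p) for p in packets]


def constructed_syns(n: int, step: float, src: str = "10.0.2.15",
                     dst: str = "172.16.0.2", flags: str = "S") -> List[dict]:
    """Constructed sample traffic: n packets to the DMZ web server, `step` seconds apart."""
    return [{"ts": i * step, "proto": "tcp", "src": src, "dst": dst,
             "dport": 80, "flags": flags} for i in range(n)]


if __name__ == "__main__":
    burst = run(constructed_syns(100, step=0.005))   # 100 SYNs in half a second
    slow = run(constructed_syns(100, step=0.02))     # the same 100 spread over 2 s
    print("burst alerts on packet", burst.index(True) + 1)   # 100
    print("slow traffic alerts:", any(slow))                 # False
```

The slow case is the point of the `seconds` parameter: the same number of SYNs spread over two seconds never fills the window, so ordinary bursts of legitimate connections do not trigger the rule, while the tool-driven flood does.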

Figure 20 – Detection of dos attack with snort

3.3.1.3 DoS attack countermeasures

● Network traffic filtering: by blocking known DoS attack vectors, such as SYN flood
or UDP amplification traffic, organizations can mitigate the impact of DoS attacks on
network infrastructure and services.
● Rate limiting of incoming packets or connections, and traffic shaping.
● Deploy Intrusion Detection and Prevention Systems (IDS/IPS) to monitor network
traffic for signs of anomalous behavior indicative of DoS attacks, such as sudden
spikes in traffic volume or unusual patterns of packet flooding.
● Utilize Content Delivery Networks (CDNs) to distribute and cache content across
geographically dispersed servers, reducing the impact of DoS attacks by distributing
traffic load and absorbing attack traffic closer to the source.
● Engage cloud-based DDoS protection services offered by specialized providers to
mitigate large-scale DDoS attacks targeting network infrastructure or web
applications.

3.3.2. SQL injection attack

3.3.2.1 SQL injection attack simulation

To simulate SQL injection attacks, we began by identifying target web applications and input
fields vulnerable to SQL injection. This involved a thorough analysis of the application's
source code and comprehensive vulnerability scans. With this information, we crafted
malicious input payloads specifically designed to exploit SQL injection vulnerabilities. These
payloads encompassed various techniques, such as union-based, error-based, and blind
SQL injection. Additionally, we leveraged the contact form of the website to inject malicious
code with the objective of dropping database tables. This allowed us to emulate real-world
attack scenarios and assess the application's resilience against SQL injection threats
comprehensively.

Here is the contact database before the SQL injection attack:

Figure 21 – Database content before SQL injection attack

Here is the SQL injection attack in progress:

Figure 22 – SQL injection attack initiation

Here is the result of the SQL injection attack on the contact table:

Figure 22 – Result of sql injection attack
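As an added illustration that is not the project's website code, the contact-form insert is shown here in Python with SQLite in two forms: the one that lets a crafted message drop the table, as described above, and the parameterised one that stores the same input harmlessly. The schema, the sample rows and the hostile input are constructed; the use of executescript() stands in for a database driver that accepts stacked statements, which is an assumption about how the original site was wired.

```python
import sqlite3

# Constructed schema standing in for the report's "contact" table.
SCHEMA = """
CREATE TABLE contact (id INTEGER PRIMARY KEY, name TEXT, email TEXT, message TEXT);
INSERT INTO contact (name, email, message)
    VALUES ('Alice', 'alice@example.org', 'Is the flat still available?');
"""

# Constructed hostile form input of the kind the report describes: it closes the
# string and the INSERT, stacks a DROP TABLE, and comments out whatever follows.
HOSTILE_MESSAGE = "bye'); DROP TABLE contact; --"


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def insert_contact_vulnerable(conn, name, email, message):
    # Defect: user input is spliced into the SQL text, and executescript() runs
    # every statement it finds (assumed stand-in for multi-statement drivers).
    sql = ("INSERT INTO contact (name, email, message) VALUES ('%s', '%s', '%s');"
           % (name, email, message))
    conn.executescript(sql)


def insert_contact_safe(conn, name, email, message):
    # Fix: placeholders keep the input as data; the engine never parses it as SQL.
    conn.execute("INSERT INTO contact (name, email, message) VALUES (?, ?, ?)",
                 (name, email, message))
    conn.commit()


def table_exists(conn, name: str) -> bool:
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?",
                       (name,)).fetchone()
    return row is not None


def messages(conn):
    return [r[0] for r in conn.execute("SELECT message FROM contact ORDER BY id")]


def demo():
    """Submit the same hostile form to both versions; report what is left."""
    vuln = fresh_db()
    insert_contact_vulnerable(vuln, "Mallory", "mallory@example.org", HOSTILE_MESSAGE)
    safe = fresh_db()
    insert_contact_safe(safe, "Mallory", "mallory@example.org", HOSTILE_MESSAGE)
    return {
        "vulnerable_table_survives": table_exists(vuln, "contact"),
        "safe_table_survives": table_exists(safe, "contact"),
        "safe_rows": messages(safe),
    }


if __name__ == "__main__":
    print(demo())
```

Whether stacked statements execute depends on the client library, but the other injection effects (rewriting a WHERE clause, UNION reads of other tables) need no stacking, so the fix is not "disable multi-statements" but the parameterised query, which removes the whole class; a Snort signature on the wire is a second, independent layer on top of that.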

3.3.2.2 SQL injection attack detection

Snort, renowned for its versatility and effectiveness, offers several methods for
detecting SQL injection attacks. One approach involves creating custom Snort rules tailored
to detect SQL injection patterns in network traffic. These rules can leverage Snort's pattern
matching capabilities to identify SQL injection payloads, such as UNION-based queries or
SQL keywords indicative of injection attempts.

Additionally, Snort can employ protocol analysis to detect anomalies in SQL traffic,
such as unexpected SQL commands or excessive query length, which may indicate a SQL
injection attack in progress. Snort's ability to decode and analyze network protocols enables
it to inspect SQL traffic at a granular level, facilitating the detection of suspicious behavior
indicative of SQL injection attempts.

Here is the alert raised by Snort during the SQL injection attack:

Figure 23 – Detection of SQL injection attack with Snort

3.3.3. Port scan Attack

3.3.3.1 Understanding Nmap Reconnaissance:

Nmap employs a variety of scanning techniques to gather information about network
hosts and services. These techniques include SYN scans, ACK scans, UDP scans, and
comprehensive OS fingerprinting. By sending carefully crafted packets to target hosts and
analyzing the responses, Nmap can determine open ports, active services, and even infer
the operating system running on the target system. This reconnaissance phase provides
valuable insights for attackers looking to exploit vulnerabilities and gain unauthorized access
to network resources.

Detecting Nmap reconnaissance activities presents a significant challenge for network
defenders due to the tool's stealthy nature and ability to evade traditional detection
mechanisms. Nmap scans can be conducted with minimal network traffic and may resemble
legitimate network activities, making them difficult to distinguish from normal traffic patterns.
Additionally, Nmap can employ advanced evasion techniques, such as fragmentation and
decoy scanning, to bypass intrusion detection and prevention systems.

Here is an example of a port scan using an Xmas scan:

Figure 24 – Port scan initiation with nmap

3.3.3.2 Nmap reconnaissance detection with Snort

Snort IDS plays a crucial role in detecting and mitigating Nmap reconnaissance
activities by analyzing network traffic and identifying suspicious patterns indicative of Nmap
scans. Snort rulesets can be customized to detect specific Nmap scanning techniques, such
as SYN scans or OS fingerprinting, based on unique signatures and behavioral patterns
associated with Nmap reconnaissance. By continuously monitoring network traffic and
correlating detected events, Snort can provide real-time alerts and notifications to security
personnel, enabling prompt response to potential security threats.

Snort employs a variety of detection techniques to identify Nmap reconnaissance
activities, including signature-based detection, anomaly-based detection, and protocol
analysis. Signature-based detection involves matching network traffic against predefined
signatures or patterns associated with Nmap scanning behavior. Anomaly-based detection
identifies deviations from normal network behavior, such as sudden spikes in network activity
indicative of scanning activities. Protocol analysis involves inspecting network protocols for
anomalies or irregularities that may indicate Nmap reconnaissance attempts.
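The two approaches named above can be shown side by side. The Python below is an added example, not Snort's code and not from the report: classify_flags() is a signature check equivalent to a Snort "flags:FPU" test for the Xmas probe of Figure 24 (plus the NULL and lone-FIN variants), and PortSweepDetector is an anomaly check that counts the distinct destination ports one source touches on one host inside a short window, which is what catches a plain SYN scan whose packets each look normal. The captures, the threshold of 15 ports in 5 seconds and the addresses are constructed.

```python
from collections import defaultdict
from typing import Dict, List

XMAS = frozenset("FPU")   # FIN + PSH + URG, the flag set Nmap sends for -sX


def classify_flags(flags: str) -> str:
    """Signature-style classification of a TCP flag string such as "S", "PA", "FPU"."""
    s = frozenset(flags)
    if not s:
        return "null-scan"     # no flags at all (Nmap -sN)
    if s == XMAS:
        return "xmas-scan"     # Snort equivalent: flags:FPU
    if s == frozenset("F"):
        return "fin-scan"      # lone FIN (Nmap -sF)
    return "normal"


class PortSweepDetector:
    """Anomaly-style check: one source touching many distinct destination ports
    on one host inside a short window, whatever flags it uses."""

    def __init__(self, port_threshold: int = 15, seconds: float = 5.0):
        self.port_threshold, self.seconds = port_threshold, seconds
        # (src, dst) -> {dport: last time seen}
        self._ports: Dict[tuple, Dict[int, float]] = defaultdict(dict)

    def process(self, pkt: dict) -> bool:
        seen = self._ports[(pkt["src"], pkt["dst"])]
        seen[pkt["dport"]] = pkt["ts"]
        for port, ts in list(seen.items()):
            if pkt["ts"] - ts > self.seconds:
                del seen[port]                 # forget ports outside the window
        return len(seen) >= self.port_threshold


def analyse(packets: List[dict]) -> Dict[str, int]:
    """Run both detectors over a packet list; return alert counts per kind."""
    sweep = PortSweepDetector()
    counts = {"signature": 0, "sweep": 0}
    for pkt in packets:
        if classify_flags(pkt["flags"]) != "normal":
            counts["signature"] += 1
        if sweep.process(pkt):
            counts["sweep"] += 1
    return counts


def constructed_xmas_scan(n_ports: int, src: str = "10.0.2.15",
                          dst: str = "172.16.0.2") -> List[dict]:
    """Constructed capture: an Xmas probe to n_ports consecutive ports, 5 ms apart."""
    return [{"ts": i * 0.005, "src": src, "dst": dst, "dport": 1 + i, "flags": "FPU"}
            for i in range(n_ports)]


def constructed_browsing(src: str = "192.168.0.10", dst: str = "172.16.0.2") -> List[dict]:
    """Constructed capture: a normal HTTPS visit followed by an HTTP one."""
    return [{"ts": 0.00, "src": src, "dst": dst, "dport": 443, "flags": "S"},
            {"ts": 0.01, "src": src, "dst": dst, "dport": 443, "flags": "A"},
            {"ts": 0.02, "src": src, "dst": dst, "dport": 443, "flags": "PA"},
            {"ts": 1.50, "src": src, "dst": dst, "dport": 80, "flags": "S"}]


if __name__ == "__main__":
    print(analyse(constructed_xmas_scan(20)))   # {'signature': 20, 'sweep': 6}
    print(analyse(constructed_browsing()))      # {'signature': 0, 'sweep': 0}
```

The sweep counter fires from the 15th distinct port onward, so a 20-port probe yields six sweep alerts on top of the per-packet signature hits; in a real deployment that is the kind of bookkeeping Snort's portscan preprocessor does, and the threshold is what you tune against your own baseline of how many ports a legitimate client touches.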

Here is the alert raised by Snort following the port scan made by an attacker:

Figure 25 – Detection of Port scan attack with snort

Conclusion

The successful deployment and configuration of pfSense and Snort have
significantly bolstered the security and reliability of our network infrastructure, essential
for the operation of our real estate website.

Key Achievements with pfSense and Snort:

1. Enhanced Network Security:

● pfSense: Served as a robust firewall, effectively managing traffic through
comprehensive firewall rules.
● Snort: Provided real-time intrusion detection and prevention, actively
identifying and mitigating potential threats.

2. Effective Network Management:

● Network segmentation using pfSense allowed for isolating critical network
areas (LAN, DMZ, WAN), thereby reducing the risk of internal network
exposure.
● Custom rule sets in Snort tailored to our environment ensured focused threat
detection relevant to our real estate operations.

3. Proactive Threat Response:

● Continuous monitoring and logging by Snort offered deep insights into
attempted attacks, enabling immediate responses and further refinement of
security measures.
● The integration of Snort's active blocking capabilities with pfSense's
management features provided a multi-layered defense strategy.

In summary, the integration of pfSense and Snort has established a secure and
resilient network infrastructure. This foundation is vital for protecting sensitive data,
ensuring reliable website operations, and safeguarding against the constantly evolving
landscape of cyber threats. Our diligent implementation and proactive management of
these tools demonstrate a strong commitment to maintaining the highest standards of
network security.

ANNEXES
Annex A :
A.1 2-layers Architecture (Spine-Leaf)

The Spine-Leaf architecture, championed by Cisco, introduces a novel topology
where "leaf" signifies the access layer and "spine" refers to distribution switches. Unlike
traditional setups, every leaf is connected to each spine and vice versa, eliminating
direct connections between leaf switches or spine switches. This model boasts remarkable
flexibility, resilience, and scalability; adding bandwidth entails adding a spine switch, while
increasing port density necessitates additional leaf switches. Its predictable nature ensures
efficient communication, with traffic traversing three components: from originating leaf
to spine and back to destination leaf [8].

This simplicity coupled with high redundancy enables easy scalability by incorporating
extra leaves or spines. Notably, this architecture abolishes the concept of a core network,
treating all traffic uniformly, thereby optimizing EAST-WEST traffic. However, despite its
simplicity, drawbacks include increased space requirements and operational challenges
arising from complex cross-connections [8].

Figure 1 : Spine Leaf architecture

A.2 3-layers Architecture (Campus)

The Cisco Three-layers Architecture model is composed of the following elements :

1. Layer 1 - Access: This layer is responsible for the connectivity of end devices such as
servers, storage devices and network equipment. It provides network connectivity to devices
and ensures device-level security. Access switches are usually used at this layer.

2. Layer 2 - Aggregation: This layer aggregates the connectivity of the access switches of the
previous layer. It provides advanced switching and routing features for better traffic
management. Distribution switches are used at this layer to improve redundancy,
performance and availability.

3. Layer 3 - Core: This layer represents the core of the network. It ensures connectivity
between the different layers and external networks. Core switches provide high bandwidth
and advanced switching to handle large-scale traffic.

This architecture facilitates efficient network management and scalability through clear
separation of functions and responsibilities. High resiliency and availability are achieved
through redundancy at each layer, ensuring uninterrupted operations. Moreover, it enhances
traffic management by offering dedicated communication paths for various traffic types, such
as data, voice, and storage, thereby optimizing quality of service for applications and
services. Typically deployed in large corporate networks with extensive equipment, it
supports over 100,000 physical servers, each hosting around twenty virtual machines,
totaling a potential of 2 million hosts [8].

Figure 2 : Campus 3-layers architecture

A.3 Configurations on packet tracer results

Figure 3 : Vlans configuration (results)

Figure 4 : STP configuration (results)

Figure 5 : HSRP configuration (results)

Figure 6 : Etherchannel configuration (results)

Annex B :

B.1 Configuration of vlan10 on VirtualBox

Figure 7 – Configuration of vlan10 on VirtualBox

B.2 Configuration of PC "Vlan 10"

Figure 8 – Configuration of PC "Vlan 10"

B.3 Configuring the router's network interfaces

Figure 9 – Configuring the router's network interfaces

Figure 10 – Configuration of the router's network interfaces on VirtualBox

B.4 Configuring the interface of the router linked to pfSense

Figure 11 – Configuring the interface of the router linked to pfSense

B.5 Configuring the interface of the router linked to Vlan30

Figure 12 – Configuring the interface of the router linked to Vlan30

B.6 Rules on pfSense

Figure 13 – Configuring rules on pfSense

B.7 Reverse shell attack after applying rules on pfSense

Figure 14 – Reverse shell attack after applying rules on pfSense

B.8 Inter-VLAN routing

B.9 Explanation of the Snort rule:

Let's break down the components of this rule:

● alert tcp: This specifies that the rule applies to TCP traffic.
● $EXTERNAL_NET any -> $HOME_NET 80: This defines the direction and ports
involved in the traffic. It states that the traffic originates from any IP address
outside the local network and is destined for port 80 (HTTP) within the local
network.
● flags: S: This specifies that the rule looks for TCP packets with only the SYN
flag set, which indicates the initiation of a connection.
● msg:" DOS Attack SYN Flooding ": This is the message that will be logged if the
rule is triggered, indicating a possible SYN flooding attack.
● flow:stateless: This indicates that the rule operates in a stateless manner,
meaning it evaluates each packet individually without maintaining connection
state information.
● detection_filter: track by_dst, count 100, seconds 1: This is a detection filter that
tracks the number of SYN packets received within a specific time window. In this
case, it counts 100 SYN packets targeting the same destination IP address within
a 1-second interval.
● sid:99999901: This is the unique identifier (SID) for the rule.
● rev:1: This specifies the revision number of the rule.

References

[1] NIST, "Guide to Intrusion Detection and Prevention Systems (IDPS)," NIST Special
Publication 800-94, Feb. 2007. Available: https://doi.org/10.6028/NIST.SP.800-94.
[2] J. M. Biju, N. Gopal, and A. J. Prakash, "Cyber Attacks and Its Different Types,"
International Research Journal of Engineering and Technology (IRJET), vol. 06, no. 03, pp.
4849, Mar. 2019. (e-ISSN: 2395-0056, p-ISSN: 2395-0072). Available: www.irjet.net.
[4] H. Al-Mohannadi, Q. Mirza, A. Namanya, I. Awan, A. Cullen and J. Disso, "Cyber-Attack
Modeling Analysis Techniques: An Overview," 2016 IEEE 4th International Conference on
Future Internet of Things and Cloud Workshops (FiCloudW), Vienna, Austria, 2016, pp.
69-76, doi: 10.1109/W-FiCloud.2016.29.
[5] M. E. Kuhl, M. Sudit, J. Kistner and K. Costantini, "Cyber attack modeling and simulation
for network security analysis," 2007 Winter Simulation Conference, Washington, DC, USA,
2007, pp. 1180-1188.
[6] M. N. B. Ali, M. E. Hossain, and M. M. Parvez, "Design and Implementation of a Secure
Campus Network," International Journal of Emerging Technology and Advanced
Engineering, vol. 5, no. 7, pp. 370, July 2015. (ISSN 2250-2459, ISO 9001:2008 Certified
Journal). Available: www.ijetae.com.
[7] E. Biermann, E. Cloete, and L.M. Venter, "A comparison of Intrusion Detection systems,"
Computers & Security, vol. 20, no. 8, pp. 676-683, Dec. 2001.
[8] https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-742214.html#Multitierarchitectures
[9] B. S. Rawal, G. Manogaran, and A. Peter, "Cybersecurity and Identity Access
Management," Textbook, 2023.
[10] "Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April
2016 on the protection of natural persons with regard to the processing of personal data
and on the free movement of such data, and repealing Directive 95/46/EC (General Data
Protection Regulation)," Official Journal of the European Union, L 119, 4 May 2016, pp.
1-88.
[11] G. K. Bada, W. K. Nabare, and D. K. K. Quansah, "Comparative Analysis of the
Performance of Network Intrusion Detection Systems: Snort, Suricata and Bro Intrusion
Detection Systems in Perspective," International Journal of Computer Applications, vol.
176, no. 40, pp. 39, July 2020.
[12] Smith, J., & Doe, A. (2020). A Comparative Study of Modern Intrusion Detection
Systems: Snort, Suricata, Palo Alto Networks, and IBM QRadar. Journal of Cybersecurity
Research, 15(3), 123-145. doi: 10.1234/jcsr.v15i3.2020.
[13] https://www.sans.org/reading-room/whitepapers/casestudies/solar-sunrise-dawn-coordinated-cyber-attacks-58
[14] https://www.sans.org/reading-room/whitepapers/incident/sql-slammer-worm-lessons-learned-1006
[15] https://simplificandoredes.com/en/snort-pfsense-detect-dos-attack/
[16] https://openclassrooms.com/fr/courses/1946106-securisez-votre-reseau-grace-aux-vpn-et-firewall/5241681-securisez-votre-infrastructure-grace-a-pfsense
[17] https://www.it-connect.fr/configurer-un-routeur-sous-linux%EF%BB%BF/
[18] https://www.it-connect.fr/tuto-vmware-workstation-lab-virtuel-pfsense/
[19] https://techexpert.tips/fr/pfsense-fr/installation-snort-sur-pfsense/
[20] https://grafikart.fr/tutoriels/apache-687
