Today’s subject was firewalls, with an introduction to Snort and writing rules for packet inspection. We took a deep dive into Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), which are essential for detecting and preventing security threats on a network.

One key topic we explored was the difference between false positives and false negatives in IDS/IPS:

  • A false positive occurs when the system mistakenly flags normal traffic as a security threat. For example, a benign file might be flagged as malware, causing unnecessary alerts.
  • A false negative, on the other hand, happens when a real security threat is missed, and malicious traffic is allowed through without detection.

After covering the basics of IDS and IPS, we moved on to explore different types of firewalls, which play a crucial role in protecting networks:

  • Stateless firewalls: These firewalls examine each packet in isolation, without considering the context of previous packets. They are faster but less secure, as they don’t track the state of active connections.
  • Stateful firewalls: Unlike stateless firewalls, stateful firewalls track the state of connections, ensuring that each packet is part of an established session. This provides better security by allowing the firewall to monitor the entire conversation between two devices.
  • Web Application Firewalls (WAF): A WAF specifically protects web applications by filtering and monitoring HTTP traffic between a web application and the Internet. It can defend against specific attacks like SQL injection and cross-site scripting (XSS).
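To make the stateless-versus-stateful distinction concrete, here is an added Python sketch (my own illustration, not code from the original post or from any course material). It assumes a constructed policy where internal hosts on 10.0.0.0/24 may open connections to web servers on port 80 and only replies may come back. The stateless filter can judge each packet only by its own headers, so a reply is whatever looks like one (source port 80, ACK set); the stateful filter keeps a session table and accepts an inbound packet only if the client actually opened that session. Hosts, ports and the packet list are all constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """Minimal packet header model (constructed for this example)."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

INTERNAL_PREFIX = "10.0.0."   # assumption: our protected network is 10.0.0.0/24

def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)

def stateless_allow(pkt: Packet) -> bool:
    """Stateless filter: the decision uses only this packet's headers.

    Outbound to port 80 is allowed. Inbound is allowed when it *looks like*
    a web reply (source port 80 with ACK set), because the filter has no
    memory of whether any client ever opened such a session.
    """
    if is_internal(pkt.src) and pkt.dport == 80:
        return True
    if is_internal(pkt.dst) and pkt.sport == 80 and pkt.ack:
        return True
    return False

class StatefulFilter:
    """Stateful filter: remembers sessions opened from inside."""

    def __init__(self) -> None:
        # session key: (client_ip, client_port, server_ip, server_port)
        self.sessions: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        key_out = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if is_internal(pkt.src) and pkt.dport == 80:
            if pkt.syn:                      # client opens a new session
                self.sessions.add(key_out)
                return True
            return key_out in self.sessions  # later packets of that session
        if is_internal(pkt.dst):
            # Inbound: only accepted when it matches a session the client opened.
            key_in = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return key_in in self.sessions
        return False

def compare(packets: list[Packet]) -> list[tuple[bool, bool]]:
    """Return (stateless_decision, stateful_decision) for each packet in order."""
    stateful = StatefulFilter()
    return [(stateless_allow(p), stateful.allow(p)) for p in packets]

# Constructed sample traffic: a legitimate session followed by an unsolicited
# inbound packet that merely uses source port 80 and the ACK flag.
SAMPLE = [
    Packet("10.0.0.5", 40001, "203.0.113.10", 80, syn=True),            # client opens
    Packet("203.0.113.10", 80, "10.0.0.5", 40001, syn=True, ack=True),  # genuine reply
    Packet("198.51.100.7", 80, "10.0.0.9", 445, ack=True),              # unsolicited
]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(SAMPLE, compare(SAMPLE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  "
              f"stateless={'allow' if stateless else 'drop'}  "
              f"stateful={'allow' if stateful else 'drop'}")
```

The third packet is the point of the exercise: both filters pass the real session, but only the stateful one drops the unsolicited packet, because nothing on 10.0.0.9 ever opened a connection to 198.51.100.7. That is what "less secure, as they don't track the state of active connections" means in practice, and why a stateful table is the default for any perimeter firewall today.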

Then, we jumped into Snort, a popular open-source IDS/IPS tool. The challenge in the Snort room was tough but rewarding. I had to learn how to write Snort rules to find specific information about network packets. For example, one of the tasks was to write rules that would identify file types, such as torrents or GIF images, in network traffic.
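Snort identifies file types in traffic with `content` matches on well-known magic bytes, optionally limited with `depth` to the first N bytes of the payload. The following Python block is an added illustration of that matching logic (my own code, not part of the original post and not Snort itself); the rule syntax quoted in the comments uses the real Snort options `msg`, `content`, `depth`, `sid` and `rev`. The signatures are public facts: GIF files begin with `GIF87a` or `GIF89a`, a `.torrent` metainfo file is a bencoded dictionary that begins `d8:announce`, and a BitTorrent peer handshake begins with the byte 0x13 followed by `BitTorrent protocol`. The sample payloads and SIDs are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """A cut-down Snort content rule: match `content` within the first `depth`
    bytes of the payload, or anywhere if depth is None."""
    msg: str
    content: bytes
    sid: int
    depth: Optional[int] = None

# Equivalent Snort rule for the first entry (sid is a constructed example value):
#   alert tcp any any -> any any (msg:"GIF89a image"; content:"GIF89a"; sid:1000001; rev:1;)
# GIF rules carry no depth because the image usually follows HTTP headers.
RULES = [
    Rule("GIF89a image", b"GIF89a", sid=1000001),
    Rule("GIF87a image", b"GIF87a", sid=1000002),
    # .torrent files start with the bencoded dict key "announce"; depth:11 pins it to the start.
    Rule("torrent metainfo file", b"d8:announce", sid=1000003, depth=11),
    # Peer wire handshake: 0x13 length byte followed by the 19-byte protocol name.
    Rule("BitTorrent peer handshake", b"\x13BitTorrent protocol", sid=1000004, depth=20),
]

def match_rule(rule: Rule, payload: bytes) -> bool:
    window = payload if rule.depth is None else payload[:rule.depth]
    return rule.content in window

def inspect(payload: bytes, rules: list[Rule] = RULES) -> list[int]:
    """Return the SIDs of every rule that fires on this payload."""
    return [r.sid for r in rules if match_rule(r, payload)]

# Constructed sample payloads (not real captures).
SAMPLES = {
    "http_gif": b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\nGIF89a\x10\x00\x10\x00",
    "torrent_file": b"d8:announce40:http://tracker.example.invalid/announce4:infod",
    "bt_handshake": b"\x13BitTorrent protocol" + bytes(8) + bytes(20),
    "plain_text": b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        fired = inspect(payload)
        labels = [r.msg for r in RULES if r.sid in fired]
        print(f"{name:13s} -> {labels or 'no match'}")
```

Note what `depth` buys you: it keeps a short signature like `d8:announce` from firing on any payload that happens to contain those bytes somewhere in the middle, which is exactly the false-positive trade-off from earlier in the day. Conversely, pinning the GIF header to the start of the payload would miss every image delivered over HTTP, a false negative.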

The last challenge was the most difficult. I had to find a Base64-encoded string hidden inside a packet. Once located, I decoded it using CyberChef, a fantastic tool for decoding and analyzing data. For example, here’s how you might decode a Base64 string using CyberChef:

  1. Paste the Base64-encoded string into CyberChef’s input field.
  2. Use the “From Base64” operation to decode the string.
  3. You can then view the decoded content (it may be a file, text, or another format).
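CyberChef is the right tool for a one-off, but the same steps can be scripted, which is useful when you want to sweep a whole capture for encoded strings. The block below is an added Python example (my own, not from the original post or from CyberChef): it pulls Base64-looking runs out of a payload, decodes only those that are valid Base64 of a sensible length, and keeps only results that decode to mostly printable text, so that random-looking runs of letters do not produce garbage "hits". The HTTP request and the encoded string in it are constructed sample data.

```python
import base64
import binascii
import re
import string

PRINTABLE = set(string.printable.encode())

def is_mostly_text(raw: bytes, threshold: float = 0.9) -> bool:
    """Heuristic: treat the decode as meaningful if >= 90% of bytes are printable."""
    if not raw:
        return False
    printable = sum(1 for b in raw if b in PRINTABLE)
    return printable / len(raw) >= threshold

def find_base64(payload: bytes, min_len: int = 16) -> list[tuple[str, str]]:
    """Return (encoded, decoded_text) pairs for Base64 runs found in the payload.

    Edge cases handled: runs whose length is not a multiple of four are skipped,
    strict validation rejects stray characters, and decodes that are not
    readable text (binary, or a short word that merely looks like Base64) are
    dropped rather than reported.
    """
    pattern = rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_len
    hits = []
    for match in re.finditer(pattern, payload):
        candidate = match.group(0)
        if len(candidate) % 4 != 0:
            continue
        try:
            raw = base64.b64decode(candidate, validate=True)
        except binascii.Error:
            continue
        if is_mostly_text(raw):
            hits.append((candidate.decode("ascii"), raw.decode("utf-8", "replace")))
    return hits

# Constructed sample packet payload: an HTTP request carrying an encoded value
# in a custom header. The secret is constructed, not a real challenge flag.
SECRET = b"flag{constructed_sample}"
SAMPLE_PAYLOAD = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"X-Note: " + base64.b64encode(SECRET) + b"\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for encoded, decoded in find_base64(SAMPLE_PAYLOAD):
        print(f"{encoded}  ->  {decoded!r}")
```

In a real capture you would feed each packet's payload (for example from a pcap parsed with a library of your choice) through `find_base64` and review what comes out. The printable-text filter is deliberately loose: an encoded binary file would be discarded by it, so for that case drop the check and write the decoded bytes to disk instead, which is the third CyberChef step in script form.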

Challenges like this require resourcefulness and creativity, and I absolutely enjoy the problem-solving aspect of these exercises. It’s amazing how much one can learn and apply by tackling real-world scenarios.

Looking forward to more challenging exercises in the coming lessons!