Let's talk about intrusion detection systems. The purpose of this demonstration is to show how an IDS works and also how an IDS fails. There are going to be some shortcomings with it. Most of the shortcomings have to do with encryption, but I want to break down the details and show the why behind it. A lot of people think an IDS is a great, incredible thing that should have saved them. And I say "should have" because I've been looking at different breaches that occurred. I've talked to people who have gone through breaches, and the attack cut through the IDS like butter; it had no problem going right by it. I'm going to show some of the reasons why, and a lot of this has to do with the fact that the threat model has changed over the years.

Before we go any further, if you could do me a favor and click the links below, check out some of our affiliate links, check out some of the sponsors of the channel and find some great deals there. It really does help us out. And click the like button while you're looking, because that helps out YouTube and helps the discoverability of our videos.

All right. Now, digging into the encryption. The encryption part is interesting. The internet has become dramatically more encrypted thanks to efforts by people like the Let's Encrypt Foundation. They've done a great job of bringing encryption to the masses when it comes to web traffic. And there is no doubt at all that bad actors are using this as well, not least because IDS systems got good at finding these bad actors, including Snort, Suricata and all the feeds and everything that goes into the open source intelligence community, and even the paid subscription feeds that go beyond that. But they're all pattern based at the edge. Ideally, intrusion detection systems run at the edge of your network. In this particular instance, it's running inside of this pfSense firewall, and we have it set up on our Ponage network.
That is a lab network that we have set up. We have it set for maximum detection and alerts, because what we want to do is get some alerts in here. And here we are currently with no alerts, so we're starting out on a clean slate. We're going to create some alerts and show you what the IDS can see and what it can't see, and why it's still not a bad thing to have one, but it's become much, much less effective against modern attack methods.

We're also going to show you the rules and what Suricata is actually looking for, and how these patterns match. This is the file-identify rules file, just downloaded from the latest download of the rule sets from Snort. You can see what it's looking for here. We're looking for these types of matches: a file identity that matches this. Ideally that would flag the system, going, "hey, if this comes through, if we find these bits in the traffic as it's reading the flow," it digs into it and goes, okay, this matches, drop it, stop it, make it not go through. And this was great. I've been working in tech for over 24 years, and in the early days this is how we identified things. We could Wireshark it. We could grab a packet capture file. We could dig right into the traffic because, well, nothing was encrypted. 2019 is dramatically different. Everything's encrypted now. Not everything, but many, many things. So any bad actors not using encryption are probably amateurs. And don't get me wrong, this is still great at stopping the amateurs. It is great at stopping a lot of this old stuff, because just because it used to be effective doesn't mean someone's still not trying to use it, even though it's less effective, because there's somebody out there that will still be trying to load some old piece of malware. So that's still relevant in some aspects, but this is why you can't just rely on an intrusion detection system. So we can see all this different pattern matching.
This file is pretty big; there are a lot of things in there. But one of the things I want to point out right away is that so much of this is all reliant on HTTP traffic, not HTTPS. That's where the hangup comes in.

So we're going over here and we're going to create a file. We have /home/lawrencesystems, and then I made a file called are-you-seeing-this.txt. It contains the text "Hello, Lawrence Systems YouTube watchers" with a dude flipping a table. Really simple. We're going to show how this can be seen with Suricata, and then how to make it invisible to Suricata. I didn't want to put any bad files up on my server or anything like that to go really in depth with the demo, but for the purposes of this, this will get the job done to show you how the system works.

Now over here we have Parrot running, and this is running with X2Go, so it's going to be able to get to it here. This is on the Ponage network, so we can keep it all nice and separate. And we're just going to use curl, which is basically a command line tool to pull HTTP data down. So: curl http://www.lawrencesystems.com/are-you-seeing-this.txt. "Hello, Lawrence Systems YouTube watchers," table flip. Now we go over here, and we see it flagged. One of the flagged alerts is "ET POLICY curl User-Agent Outbound". What it's saying is that something on your network used curl. That seems suspicious if you weren't expecting that; maybe all of your users are normal web browsers, and they shouldn't do that. So how do we make curl look like a normal web browser? Well, that's not much of a secret, and it's pretty much something that all of the bad actors are going to know. So we're going to go ahead and copy and paste this here. We're doing the same thing again, but this time we add a -A, and what -A does is say "use this user agent." We're going to say we're a Mozilla/5.0 user agent, rv:59, Firefox 59. So, no problem. Actually, we'll go ahead and clear this too.
Clear, so we don't have any messages in here. Go back. Same result, but we passed the user agent as Mozilla, which means it doesn't even know it's curl traffic. So what about if we did this? Let's go back and say we curled it like this, which we know flags it, but we add an "s" here (https). Still no curl agent alert. Once you go HTTPS, it can't even identify that curl was on there. And because so many sites are using it, this blinds things like Suricata and other IDS systems, unless each, and I mean each and every, client, which may not be possible with certain IoT devices, also has a certificate set up that is also loaded into your firewall that allows the deeper inspection of the SSL traffic. So you can see right away how this can get really tricky.

Let's dig in a little deeper and show how this works. Right here is our SSL Labs test report for lawrencesystems.com. We are using all the way up to TLS 1.3, as it says right here, which means it's essentially like two layers of encryption. So even if we were to have a cert, this still wouldn't work, because we're double encrypting it. But let's dig into what the packet transfer actually looks like. The way we're going to do that is right here: pfSense supports full packet capture. Here's our Ponage network. Here is the IP address of my website; you can see right here it matches lawrencesystems.com, 6862216.9. We want to filter for any traffic going there. So we're going to hit start, go here, and do the curl with just HTTP. All right, the file has been pulled. We'll stop the capture, download the capture, and open up Wireshark. Hey, right there: are-you-seeing-this, text/plain. So we can see each little piece of this. We can see the hello right down here: "Hello Lawrence Systems YouTube watchers." It doesn't decode some of the Unicode characters in this setup right now, but you can see "Hello Lawrence Systems YouTube watchers." We can see the whole thing, every piece of it, each way.
So here's the are-you-seeing-this request. I think, yeah: User-Agent: curl, right there. That's how it's able to see that. So this is the full flow. We were able to look at these, and this is the type of pattern matching that's going on inside of Suricata or any other IDS: these are the patterns we're looking for, can we find this? We see everything going on and we can pick out traffic that matches known bad traffic and say, stop that from coming through.

All right, let's do this same thing again. We go over here and start the packet capture again. This time we're just going to add the "s": https://lawrencesystems.com/are-you-seeing-this. Pull the file again. Go over here. Stop. Download. All right, here we go. Well, this is not good. We can't see anything so far. Oh, we figured out they are going to lawrencesystems.com, so we know the domain. And that's pretty much where the data feed ends as far as what we can see. Right here: Server Hello, Change Cipher Spec. This is where we start doing TLS 1.3. There is a TLS 1.3 Hello, the cipher, the ACK that goes back and forth, application data. And we're blind. This is the challenge that all of these tools face. All this data is now encrypted, so we can poke through it all we want, but without the keys we can't read it. And by the way, if you dig into TLS 1.3, it goes further and adds a second key exchange inside there. So first you have the outer key exchange, as I would describe it, and then the inner key exchange to keep it even more encrypted. But we don't even know the user agent that was used. We just went blind. This is why Suricata isn't even flagging curl user agent usage, because that all goes away when you start encrypting everything. This is the challenge faced by any type of intrusion detection system, and this is one of the reasons that you really need defense in depth. You can only rely so much on the edge to protect you.
You can have known lists, as long as you always know those lists of bad actors' websites, and say we're going to block these IP addresses. But that becomes very challenging when they host in common places like Amazon's services, or they take over an existing server. This is one of the reasons the common attack vector is this model: they take over an existing server, or they modify a WordPress site, for example, and then create a subdomain under it. So a known and trusted site is now hosting the attack, and it's easy because no one knows that site's infected. It looks like normal traffic, because the only thing they can see is, hey, everyone goes to this popular website. This is the challenge faced by a lot of modern security. This is why protecting the endpoints is just as important, and maybe even more important, when it comes to modern attacks. You can't just make assumptions that you can block it all at the edge. The edge is very blind anymore because of all this encryption. So even if you're trying to do pattern recognition, everyone's trying to come up with a magic sauce to work on the edge, because, hey, it'd be great if I could put one box at the edge of my network to protect all the boxes behind it. But that's old thinking. It just doesn't work that way anymore, and this is really why. I wanted to do this video to explain that.

But the other thing you can do, and this is where Suricata still has some importance, is if you have a server behind it that you have ports open to. The scenario above is where you're trying to protect all the end users, who generally access things through the browser, reaching out, and it has a limited amount of visibility due to TLS 1.3. The other side is if you have a mail server that you host internally. For example, with the latest round of Exim exploits, if you had an Exim mail server that you hosted internally, well, here you go: you can have Suricata protecting it and looking for patterns of people sending those attacks.
So this is where intrusion detection systems can be very good. But that's if you're running an internal mail server. This is also a reason you might put this in place if you host a mail server in the cloud: you may put something like Suricata, or some type of IDS that has rule matching, in front of it. That way it can look for patterns, because as much as we'd like to patch things the instant a bug comes out, sometimes that doesn't happen, and this can help buy you a little bit of time to protect those servers. It watches the traffic toward the mail server port and goes, hey, let's see this and let's stop it coming in. That's what some of these rules search for; I went and just looked for some Exim rules that are in there. So hopefully this video helps you gain a little bit better understanding of when it works, when it doesn't, what it can see and what it can't see depending on whether or not that traffic's encrypted. Everything's about defense in depth and putting as many layers as possible in place to mitigate risk.

If you liked this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button, and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos or other tech topics in general, even suggestions for new videos, on our forums, which are free. Also, if you'd like to help the channel out in other ways, head over to our affiliate page. We have a lot of great tech offers for you. And once again, thanks for watching and see you next time.
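The following is an added example, not code from the video or from Suricata, that reproduces the edge-IDS view the demo walks through: the plaintext HTTP request from curl, the same request with a spoofed Firefox User-Agent, and the TLS ClientHello that is all an edge sensor gets once the request goes over HTTPS. The packet bytes are constructed inline (the file name, curl version and hostnames are assumptions), the `et_policy_curl_user_agent` function only approximates the match behind the "ET POLICY curl User-Agent Outbound" alert rather than reproducing the rule syntax, and the ClientHello is a minimal hand-built record rather than one captured from a real client.

```python
"""Added example (not from the video): what a pattern-matching edge IDS can
extract from plaintext HTTP versus a TLS ClientHello. All bytes are constructed."""
import struct

# Constructed: roughly what `curl http://www.lawrencesystems.com/...` sends (curl version assumed).
HTTP_CURL = (
    b"GET /are-you-seeing-this.txt HTTP/1.1\r\n"
    b"Host: www.lawrencesystems.com\r\n"
    b"User-Agent: curl/7.64.0\r\n"
    b"Accept: */*\r\n\r\n"
)
# Constructed: the same request after `curl -A "Mozilla/5.0 ... Firefox/59.0"`.
HTTP_SPOOFED = HTTP_CURL.replace(
    b"curl/7.64.0",
    b"Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0",
)


def parse_http_headers(payload: bytes) -> dict:
    """Return {lower-case header name: value}; the request line sits under ':request'."""
    lines = payload.partition(b"\r\n\r\n")[0].decode("latin-1").split("\r\n")
    headers = {":request": lines[0]}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def et_policy_curl_user_agent(payload: bytes) -> bool:
    """Approximation of ET POLICY curl User-Agent Outbound: alert when the
    User-Agent starts with "curl/". Only the match is mimicked, not the rule syntax."""
    return parse_http_headers(payload).get("user-agent", "").lower().startswith("curl/")


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.3-style ClientHello record with one SNI extension."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name         # name_type host_name(0)
    sni_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list      # ExtensionType server_name(0)
    body = (
        b"\x03\x03"                       # legacy_version (TLS 1.3 still puts 0x0303 here)
        + b"\x11" * 32                    # client random (fixed, constructed)
        + b"\x00"                         # legacy_session_id: empty
        + b"\x00\x02\x13\x01"             # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                     # compression_methods: null
        + struct.pack("!H", len(sni_ext)) + sni_ext
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # client_hello(1), 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type handshake(22)


def extract_sni(record: bytes):
    """Return the SNI hostname from a ClientHello record, or None. Without the session
    keys this hostname is all an edge IDS learns; path and User-Agent are encrypted."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 39 or hs[0] != 0x01:
        return None
    try:
        p = 38                                            # handshake hdr(4)+version(2)+random(32)
        p += 1 + hs[p]                                    # legacy_session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]      # cipher_suites
        p += 1 + hs[p]                                    # compression_methods
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            data, p = hs[p + 4:p + 4 + elen], p + 4 + elen
            if etype != 0:
                continue
            q = 2                                         # skip ServerNameList length
            while q + 3 <= len(data):
                ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:
                    return data[q:q + nlen].decode("ascii")
                q += nlen
    except (struct.error, IndexError):
        pass                                              # truncated or malformed hello
    return None


def ids_view(first_packet: bytes) -> dict:
    """Fields an edge IDS can match on from a flow's first client payload:
    everything for plaintext HTTP, only the SNI hostname for TLS."""
    if first_packet[:1] == b"\x16":
        return {"transport": "tls", "server_name": extract_sni(first_packet),
                "path": None, "user_agent": None, "curl_alert": False}
    h = parse_http_headers(first_packet)
    return {"transport": "http", "server_name": h.get("host"),
            "path": h[":request"].split(" ")[1], "user_agent": h.get("user-agent"),
            "curl_alert": et_policy_curl_user_agent(first_packet)}


if __name__ == "__main__":
    for label, pkt in (("curl http", HTTP_CURL), ("curl -A http", HTTP_SPOOFED),
                       ("curl https", build_client_hello("www.lawrencesystems.com"))):
        print(label, ids_view(pkt))
```

Running it prints three dictionaries: the plain curl request yields the path, the User-Agent and a curl alert; the `-A` request yields the same fields but no alert, because the match is a string prefix on the User-Agent; the TLS case yields only the hostname, which is why neither the curl alert nor any content rule on the request body can fire at the edge without the keys.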