The IDS system, overall, is a sniffer with pattern matching from rules (usually regex) to "catch" the attack. So if you really want to go deep in this, I'd suggest you:
- Write a simple sniffer in Python with scapy. It is not the best way to write a sniffer if you want performance, but it is easy to write.
- Create simple rules to detect attacks. Start with some basic payloads like XSS, SQL injection, command injection, ... No need to spend time researching network attacks like service exploitation.
- Create a rule parser to load rules from files instead of hard-coded text matching.
- Create logs and a user interface.
If you want to go with deployment only, then I'd suggest you:
- Try not only Snort but Suricata and ModSecurity (for Apache).
- Find public rules on the internet.
- Try every setting, like IPS mode on.
- Advanced networking skills. Configure your VM with multiple machines, create a proper network diagram, then put the IDS / IPS in the right place. Of course, use iptables to configure routing rules and try to simulate an enterprise environment.
If you want to go with IPS / firewall management, I'd suggest you try Security Onion and other pre-installed ISO solutions that contain not only Snort but pfSense, iptables, ... The labs with multiple hosts + custom routing are still recommended.
For evading detection, it is all about cat and mouse. I'd suggest you simulate the detect function by parsing rules and matching the input that you provide. With this method, you can create multiple payloads and simulate fuzzing to check if any new payload is not detected by the current rules. That is a lot easier than trying it manually. The automation saves a lot of time.
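An added example (mine, not code from the post above) of the rule parser plus "simulate the detect function" idea: it loads regex rules from a file-style text, matches them against payloads, and reports which labelled attacks the rules miss and which benign inputs they flag, so you can tune rules instead of testing by hand. The `sid|name|regex` rule format and the sample payloads are constructed for this example; handing it packet payloads from scapy (`pkt[Raw].load`) is assumed but not included so it runs offline.

```python
import re

# Constructed rule file in a made-up "sid|name|regex" format (an assumption for
# this example, not Snort/Suricata syntax); regexes match case-insensitively.
RULE_TEXT = """\
# sid|name|regex
1001|xss-script-tag|<\\s*script[^>]*>
1002|sqli-numeric-tautology|'\\s*or\\s+\\d+\\s*=\\s*\\d+
1003|cmdi-shell-metachar|[;|&`]\\s*(cat|ls|id|wget|curl)\\b
"""

def parse_rules(text):
    """Return [(sid, name, compiled_regex)]; a malformed line is an error."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|", 2)  # split twice only: the regex may contain '|'
        if len(parts) != 3:
            raise ValueError(f"rule line {lineno}: expected sid|name|regex")
        sid, name, regex = parts
        rules.append((int(sid), name, re.compile(regex, re.IGNORECASE)))
    return rules

def match_payload(rules, payload):
    """Sids of every rule that matches one payload (e.g. scapy's pkt[Raw].load)."""
    text = payload.decode("utf-8", errors="replace")
    return [sid for sid, _name, rx in rules if rx.search(text)]

def evaluate(rules, samples):
    """samples: (payload, should_alert) pairs -> (missed attacks, false alarms)."""
    missed, false_alarms = [], []
    for payload, should_alert in samples:
        hits = match_payload(rules, payload)
        if should_alert and not hits:
            missed.append(payload)
        elif not should_alert and hits:
            false_alarms.append(payload)
    return missed, false_alarms

# Constructed test corpus: payload bytes plus whether a rule should fire on them.
SAMPLES = [
    (b"GET /search?q=<ScRiPt>alert(1)</script> HTTP/1.1", True),
    (b"username=admin' OR 1=1 --", True),
    (b"host=127.0.0.1; cat /etc/passwd", True),
    (b"username=admin' OR 'a'='a", True),   # string tautology: rule 1002 misses it
    (b"GET /search?q=scripting+languages HTTP/1.1", False),
    (b"comment=I'd+say+1+or+2+cups", False),
]
```

Running `evaluate(parse_rules(RULE_TEXT), SAMPLES)` lists the string-tautology payload as missed and no false alarms, which is exactly the gap you would then close with a new rule.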