Use idsreplay Appliance to easily demo NSX IDS/IPS

By | 24. August 2021

Often customers want to see the ease of use of VMware NSX distributed IDS/IPS. But to demonstrate its capabilities it might be necessary to setup tools like metaspoit and vulnerable software versions. With idsreplay I’ve created an easy way to run you IDS/IPS Demo “out-of-the-box” without the need to setup & configure potentially dangerous software in a customer environment.

idsreplay comes in a pre-packaged virtual appliance / vapp format but is also available as container image, pre-compiled binary and source code. All available here

How it works

idsreplay takes network traffic patterns from IDS signature files (suricata 4 format) and “replays” them to a target system. Every IDS/IPS also leveraging these signatures should then generate alerts. This post focuses on NSX-T distributed IDS/IPS but I’ve also successfully demoed NSX Advanced Load Balancer WAF (a.k.a AVI Networks). Let me know if you successfully tried other IDS/IPS implementations.

How to run

1. Prepare NSX

You should have a NSX environment up & running. Its not necessary to have overlay networking enabled.

Create NSX Segment “ids_demo” in overlay or vlan transport zone. No Gateway connection / Subnets needed.

add NSX segment

Prepare a security group “sg_ids_demo” and add the segment “ids_demo” as member.

create Security Group
define Security Group Membership

Enable NSX IDS/IPS for your compute cluster and update signatures.

enable NSX IDS/IPS

Create a new IDS Profile “ids_profile_ids_demo” and leave all default settings

add IDS Profile

Create a new IDS/IPS Policy “pol_ids_demo” and add a rule “idsdemo” with source and destination “sg_ids_demo” and profile “ids_profile_ids_demo”. Set mode to “Detect Only” and don’t forget to publish the changes.

add IDS Policy / Rule

2. Deploy idsreplay vApp

Download the latest vApp Appliance

Deploy idsreplay vApp ovf template on the NSX IDS enabled Compute Cluster. As VM Network select Segment “ids_demo”. Leave all default settings on “Customize Template”. Hint: vCenter DRS should be enabled to deploy a vApp

After successful deployment you can Power On the IDSreplay Appliance vApp. It contains two VMs wich will be started and configured automatically.

power on idsreplay vApp

3. Check NSX IDS/IPS Events

After some minutes NSX IDS/IPS should show intrusion attempts on the Events Screen. You can now browse and investigate them.

NSX IDS Events Dashboard

4. (optional) Demo intrusion prevention Mode (IPS)

idsreplay uses golang http libraries to run the replay. Most of the requests use the HTTP User Agent “Go HTTP Client User Agent” which also causes an IDS event. To demonstrate intrusion prevention mode you can block these requests.

Find “ET USER_AGENTS Go HTTP Client User-Agent” in the events list and note its Signature ID [2024897]

select “ET USER_AGENTS Go HTTP Client User Agent” event

Edit “ids_profile_ids_demo”, click on “Manage signatures for this profile” and search for signature ID 2024897. Now set the signature Action to “Drop”, and Apply the changes.

modify IDS profile
set signature action to Drop

Go to the “idsremo” IDS Rule and change Mode to “Detect & Prevent”. Don’t forget to publish the changes.

modify IDS/IPS Rule Mode to “Detect & Prevent”

After 2-3 Minutes you should Refresh the IDS/IPS Events screen and re-check the “ET USER_AGENTS Go HTTP Client User-Agent” for prevented Events.

IDS dashboard showing prevented events

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.