Note: This is the first post of a two-part series on using an IDS in a different way.
Intrusion Detection Systems such as Snort and Suricata are traditionally seen as defensive tools, and in essence they are. They alert on security issues occurring on your network: botnet activity, network-based attacks, host and server activity, and vulnerable software and services.
That last point is important.
It is important because the same information used for defence could serve an attacker during reconnaissance: for example, a list of hosts running outdated SSH or SSL/TLS servers, a vulnerable Flash client or other vulnerable software and services; HTTP logs revealing users' web activity, clear-text passwords, and so on.
Looked at that way, the IDS becomes a passive vulnerability scanner and traffic analyser. As such, it can be a valuable additional tool in a penetration test or red team exercise.
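To make the "passive vulnerability scanner" idea concrete, here is an added example (not code from the original post, SELKS or Security Onion) that mines the protocol records Suricata writes to eve.json (ssh, tls and http events) and turns them into the kind of inventory an attacker wants: servers with outdated OpenSSH, services still negotiating weak TLS versions, and HTTP Basic credentials sent in the clear. The sample log lines are constructed, not a real capture; the field names follow Suricata's EVE formats, but `request_headers` only appears when the eve-log http section has `dump-all-headers: request` enabled. The "outdated" thresholds (OpenSSH below 7.0, anything older than TLS 1.2) are this example's own assumptions, chosen for illustration rather than taken from the post.

```python
"""Passive reconnaissance from Suricata EVE JSON (added example, not the post's own code)."""
import base64
import json
import re
from collections import defaultdict

# Constructed sample eve.json lines (not a real capture). The last line is
# deliberately truncated to show that a malformed record is skipped, not fatal.
SAMPLE_EVE = r"""
{"timestamp":"2017-01-10T09:01:02.000000+0000","event_type":"ssh","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","dest_port":22,"ssh":{"client":{"proto_version":"2.0","software_version":"OpenSSH_7.2"},"server":{"proto_version":"2.0","software_version":"OpenSSH_5.3"}}}
{"timestamp":"2017-01-10T09:02:02.000000+0000","event_type":"ssh","src_ip":"10.0.0.5","dest_ip":"10.0.0.21","dest_port":22,"ssh":{"client":{"proto_version":"2.0","software_version":"OpenSSH_7.2"},"server":{"proto_version":"2.0","software_version":"OpenSSH_7.4"}}}
{"timestamp":"2017-01-10T09:03:02.000000+0000","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"10.0.0.30","dest_port":443,"tls":{"subject":"CN=intranet.corp.local","issuerdn":"CN=Corp CA","version":"TLS 1.0","sni":"intranet.corp.local"}}
{"timestamp":"2017-01-10T09:04:02.000000+0000","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"10.0.0.31","dest_port":443,"tls":{"subject":"CN=portal.corp.local","issuerdn":"CN=Corp CA","version":"TLSv1.2","sni":"portal.corp.local"}}
{"timestamp":"2017-01-10T09:05:02.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"10.0.0.40","dest_port":80,"http":{"hostname":"wiki.corp.local","url":"/login","http_user_agent":"Mozilla/5.0","http_method":"GET","protocol":"HTTP/1.1","status":200,"request_headers":[{"name":"Host","value":"wiki.corp.local"},{"name":"Authorization","value":"Basic YWxpY2U6U3VtbWVyMjAxNw=="}]}}
{"timestamp":"2017-01-10T09:06:02.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"10.0.0.41","http":{"hostname":"cut
"""

# Assumed policy thresholds for this example; tune them to the engagement.
MIN_OPENSSH = (7, 0)
WEAK_TLS = {"SSLv2", "SSLv3", "TLS 1.0", "TLS 1.1"}


def parse_eve(text):
    """Return one dict per valid JSON line; blank and malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def openssh_version(software):
    """Extract (major, minor) from an OpenSSH banner such as 'OpenSSH_7.4p1 Debian-10'."""
    m = re.match(r"OpenSSH_(\d+)\.(\d+)", software or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def normalise_tls_version(version):
    """Suricata writes 'TLS 1.2'; older builds wrote 'TLSv1.2'. Fold both to one form."""
    return re.sub(r"^TLSv", "TLS ", version or "")


def decode_basic_auth(value):
    """Return (user, password) from an 'Authorization: Basic ...' value, else None."""
    if not value.lower().startswith("basic "):
        return None
    try:
        creds = base64.b64decode(value.split(None, 1)[1], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = creds.partition(":")
    return (user, password)


def build_inventory(events):
    """Group what the IDS saw into the lists an attacker would act on."""
    inv = {"outdated_ssh": [], "weak_tls": [], "basic_auth": [], "http_hosts": defaultdict(set)}
    for ev in events:
        kind = ev.get("event_type")
        host, port = ev.get("dest_ip"), ev.get("dest_port")
        if kind == "ssh":
            sw = ev.get("ssh", {}).get("server", {}).get("software_version", "")
            ver = openssh_version(sw)
            if ver is not None and ver < MIN_OPENSSH:
                inv["outdated_ssh"].append((host, port, sw))
        elif kind == "tls":
            tls = ev.get("tls", {})
            ver = normalise_tls_version(tls.get("version"))
            if ver in WEAK_TLS:
                inv["weak_tls"].append((host, port, tls.get("sni"), ver))
        elif kind == "http":
            h = ev.get("http", {})
            inv["http_hosts"][h.get("hostname")].add(host)
            for hdr in h.get("request_headers", []):
                if hdr.get("name", "").lower() == "authorization":
                    creds = decode_basic_auth(hdr.get("value", ""))
                    if creds:
                        inv["basic_auth"].append((h.get("hostname"), host, creds[0], creds[1]))
    inv["http_hosts"] = {name: sorted(ips) for name, ips in inv["http_hosts"].items()}
    return inv


if __name__ == "__main__":
    # On a real engagement: replace SAMPLE_EVE with open("/var/log/suricata/eve.json").read()
    inventory = build_inventory(parse_eve(SAMPLE_EVE))
    for section, items in inventory.items():
        print(section)
        for item in (items.items() if isinstance(items, dict) else items):
            print("   ", item)
```

The script only reads what the client's own traffic caused the IDS to log, which is exactly the point of the post: no packet is sent by the attacker, yet the result is a target list with versions and, where Basic auth is in use, working credentials. Keep the thresholds and the header dump setting in mind when reading real output; without `dump-all-headers` the `basic_auth` section will always be empty.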
Of course, the quality of the report depends on the data you feed your offensive IDS, and you may not be able to set up a network TAP capturing the traffic of several machines.
However, during such an exercise you usually receive a standard client build (a corporate laptop, for instance). Connecting a network TAP to that client and using it as a normal user, generating ordinary traffic and behaviour, gives the attacker relevant information, seen through the eyes of an IDS, with which to mount further attacks.
A standalone IDS can therefore be a great companion in any attacker's toolkit.
To set this up easily, build a VM running SELKS or Security Onion and invest in an inexpensive managed switch with port mirroring, such as the Netgear GS-105E, so that the IDS capture interface receives a copy of the client's traffic.
The next post will look at using an IDS as a forensic tool, which also applies to an offensive exercise.