Project 2: Snort Sentinel — Practical IDS Lab

Detecting Network Intrusions with Snort in My Home Lab

In this project I set up Snort, an open-source Network Intrusion Detection System (NIDS), inside a virtual lab. The lab consists of an Ubuntu VM running Snort (the IDS), a Kali Linux VM used for attacking and scanning, and a Metasploitable 2 VM as a vulnerable target. The goal was to detect suspicious activity such as ICMP pings and Nmap scans, and to collect screenshots and logs for portfolio evidence.

Lab Topology & Overview

• Ubuntu (Snort IDS) — runs Snort and stores alerts/logs.
• Kali Linux — attacker machine (runs nmap, ping, etc.).
• Metasploitable 2 — vulnerable target for testing.

All VMs are placed on an isolated host-only/internal network (example subnet: 192.168.113.0/24). This keeps the testing environment contained and safe from the internet.

Tools Used

- Ubuntu (Snort)
- Kali Linux
- Metasploitable 2
- Wireshark
- Optional: ELK stack or SecurityOnion for later analysis

Setup & Key Configuration

1. Network configuration:
   - I ensured all VMs can ping one another and are on the same isolated subnet.

2. Snort installation (Ubuntu):
   - Installed Snort. During installation, I set HOME_NET to my lab subnet (the 192.168.113.0/24 range noted above).

3. Snort rules:
   - Custom rules saved to /etc/snort/rules/local.rules.
   - Example rules used in this lab are included below.

Snort Rules Used

ICMP Ping detection:

alert icmp any any -> $HOME_NET any (msg:"ICMP Ping Detected"; sid:100001; rev:1;)

Nmap SYN scan detection:

alert tcp any any -> $HOME_NET any (msg:"NMAP SYN scan detected"; flags:S; sid:1000001; rev:1;)

Running Snort and Testing

Start Snort in console alert mode on the interface that holds the lab IP:
`sudo snort -A console -q -c /etc/snort/snort.conf -i ens33`

From Kali, test detection:
• ICMP ping: `ping -c 3 <target-ip>`
• Nmap SYN scan: `sudo nmap -sS <target-ip>`

Observe alerts printed to the Snort console, or check the Snort alert file /var/log/snort/alert.

Open the captured pcap file in Wireshark to inspect the packets that triggered the alerts.

Screenshots / Evidence (Placeholders)

• local.rules content showing ICMP and NMAP rules
• Snort console showing NMAP SYN scan detected alerts
• Snort console showing ICMP Ping Detected alert
• nmap output on Kali showing the scan command used
• Wireshark capture of the scanned packets

Results & Observations

Snort reliably detects simple network probes (ICMP pings, SYN scans) when rules are correctly written and HOME_NET is set.  

Rule syntax is strict - small typos (missing spaces, wrong separators) will break parsing; always test with `sudo snort -c /etc/snort/snort.conf -T`.  

Immediate alerts are noisy - without thresholds every matching packet produces an alert, which shows activity instantly (useful for demos), but thresholds or detection_filter are necessary in realistic deployments to reduce false positives.  
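To see how noisy the two rules above are in practice, here is an added example (my own script, not part of the original lab notes) that parses Snort fast-format alert lines, the format the `-A console` run and /var/log/snort/alert produce, and reports which rule/source pairs fire often enough to deserve a threshold. The sample alert lines are constructed to mirror the `ping -c 3` and `nmap -sS` tests, not captured from the lab.

```python
# Added example (not from the original post): parse Snort fast-format alert lines
# (what -A console prints / /var/log/snort/alert holds) and find which rule+source
# pairs fire often enough to deserve a threshold or detection_filter.
import re
from collections import Counter, defaultdict

# Fast alert layout: ts [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {PROTO} src[:port] -> dst[:port]
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts: ping -c 3 from Kali, then an nmap -sS touching four ports.
SAMPLE_ALERTS = """\
08/20-14:03:12.101010  [**] [1:100001:1] ICMP Ping Detected [**] [Priority: 0] {ICMP} 192.168.113.5 -> 192.168.113.10
08/20-14:03:13.101220  [**] [1:100001:1] ICMP Ping Detected [**] [Priority: 0] {ICMP} 192.168.113.5 -> 192.168.113.10
08/20-14:03:14.101330  [**] [1:100001:1] ICMP Ping Detected [**] [Priority: 0] {ICMP} 192.168.113.5 -> 192.168.113.10
08/20-14:05:01.000100  [**] [1:1000001:1] NMAP SYN scan detected [**] [Priority: 0] {TCP} 192.168.113.5:51234 -> 192.168.113.10:21
08/20-14:05:01.000250  [**] [1:1000001:1] NMAP SYN scan detected [**] [Priority: 0] {TCP} 192.168.113.5:51234 -> 192.168.113.10:22
08/20-14:05:01.000400  [**] [1:1000001:1] NMAP SYN scan detected [**] [Priority: 0] {TCP} 192.168.113.5:51234 -> 192.168.113.10:80
08/20-14:05:01.000550  [**] [1:1000001:1] NMAP SYN scan detected [**] [Priority: 0] {TCP} 192.168.113.5:51234 -> 192.168.113.10:445
"""

def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not a fast-format alert."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["sid"] = int(a["sid"])
    return a

def summarise(lines):
    """Count alerts per (sid, msg, src) and record the destination ports each source hit."""
    counts, ports = Counter(), defaultdict(set)
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue  # skip blank lines, Snort banners, and anything that is not an alert
        key = (a["sid"], a["msg"], a["src"])
        counts[key] += 1
        if a["dport"]:
            ports[key].add(int(a["dport"]))
    return counts, ports

def noisy_rules(counts, limit):
    """(sid, src) pairs firing more than `limit` times: candidates for threshold/detection_filter."""
    return sorted({(sid, src) for (sid, _msg, src), n in counts.items() if n > limit})
```

Run `summarise(open("/var/log/snort/alert").read().splitlines())` against a real alert file to get the same per-rule counts and port sets for the lab traffic.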

Isolated lab networks are essential - keep Metasploitable and scanning traffic on a host-only/internal network to avoid accidental exposure.  

Future work: add thresholding, expand rule coverage, integrate alerts into ELK/SIEM, and tune rules to reduce false positives.

This project demonstrates my ability to configure and use IDS tools like Snort to detect and analyze attacks. It also highlights my understanding of network security fundamentals and packet analysis.
