# Building a Network Intrusion Detection System (NIDS) with Snort on Linux: A Complete Hands-on Guide
## Introduction

This project focuses on the design and implementation of a Network Intrusion Detection System (NIDS) using Snort and Wireshark on Ubuntu Linux. The main goal of this project was to monitor network traffic, identify suspicious activities, and generate alerts based on custom-defined detection rules. Through this implementation, I gained hands-on experience in network traffic analysis, intrusion detection, Snort rule writing, and basic incident response mechanisms.

## Objectives

- To install and configure Snort IDS on Ubuntu Linux
- To monitor live network traffic for malicious activity
- To create and test custom Snort rules
- To detect common network attacks in a lab environment
- To analyze suspicious packets using Wireshark
- To perform basic incident response actions after attack detection

## System Requirements

| Component | Specification |
| --- | --- |
| Operating System | Ubuntu 22.04 LTS |
| RAM | 4 GB |
| CPU | 2 Cores |
| Storage | 20 GB Free Space |
| IDS Tool | Snort |
| Packet Analyzer | Wireshark |

## Lab Architecture

```text
Attacker Machine (Kali Linux / Test System)
        |
        | (ICMP / TCP / HTTP / SSH Attack Traffic)
        v
Target Ubuntu Monitoring System
 ├── Snort IDS
 ├── Custom Detection Rules
 ├── Wireshark Packet Analysis
 ├── iptables Firewall
 └── fail2ban (SSH Protection)
```

This setup allowed me to generate controlled attack traffic and verify whether the intrusion detection system was able to identify suspicious behavior successfully.

## Tools Used

- Snort – for real-time intrusion detection
- Wireshark – for packet capture and traffic analysis
- Ubuntu Linux – as the deployment environment
- iptables – for firewall-based blocking
- fail2ban – for brute-force mitigation
- Nmap – for port scan simulation
- Hydra – for SSH brute-force simulation
- ping / flood traffic – for ICMP flood testing
- sqlmap – for SQL injection testing

## Installation and Configuration

### 6.1 System Update

The system was first updated to ensure all packages were current.

```bash
sudo apt update && sudo apt upgrade -y
```

### 6.2 Install Required Dependencies

The necessary libraries and development tools required for Snort were installed using the following command:

```bash
sudo apt install -y build-essential libpcap-dev libpcre3-dev \
    libdumbnet-dev bison flex libnghttp2-dev zlib1g-dev \
    libssl-dev libnetfilter-queue-dev libdnet-dev
```

### 6.3 Install Snort

Snort was installed and verified using:

```bash
sudo apt install snort -y
snort -V
```

### 6.4 Install Wireshark

Wireshark was installed for network traffic capture and packet inspection.

```bash
sudo apt install wireshark -y
sudo dpkg-reconfigure wireshark-common
sudo usermod -a -G wireshark $USER
```

Wireshark was used throughout the project to visually inspect suspicious packets and confirm Snort alerts.

## Snort Rule Configuration

### 7.1 Understanding Snort Rule Structure

Each Snort rule consists of two main parts:

- Rule Header → Defines traffic conditions
- Rule Options → Defines alert message, classification, SID, thresholds, and payload matching

General Snort rule format: the header gives the action, protocol, source address and port, direction, and destination address and port; the options follow in parentheses as semicolon-separated `keyword:value` pairs.

### 7.2 Creating a Custom Rule File

A custom rule file was created to store locally written detection rules.

## Custom Detection Rules

### 8.1 ICMP Flood Detection (DoS Attack)

This rule detects excessive ICMP echo requests from the same source within a short time window.

### 8.2 Nmap SYN Port Scan Detection

This rule detects rapid SYN packets sent to the monitored host, which may indicate an Nmap SYN scan.

### 8.3 SSH Brute Force Detection

This rule monitors repeated connection attempts targeting the SSH service.

### 8.4 SQL Injection Detection

This rule attempts to identify common SQL injection patterns in HTTP requests.

### 8.5 Cross-Site Scripting (XSS) Detection

This rule detects possible XSS payloads in HTTP requests.
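To make the two-part rule layout from 7.1 and the "same source within a short time window" logic of 8.1 concrete, here is an added Python example (written for this guide, not code from the original post): it parses a Snort 2 rule into header fields and option pairs, reads its `detection_filter` option, and replays a constructed stream of ICMP echo requests through a per-source sliding window that fires the way `detection_filter: track by_src, count N, seconds M` does. The rule text, the two source IPs and the timestamps are all constructed for the demonstration.

```python
import re
from collections import defaultdict, deque

# Header: action proto src sport direction dst dport, then the option list in parentheses.
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def parse_rule(rule):
    """Split a Snort 2 rule into its header fields and its option key/value pairs."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("malformed rule header")
    header = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    options = {}
    for opt in (o.strip() for o in m.group("opts").split(";")):
        if opt:  # keyword-only options such as "nocase" simply get an empty value
            key, _, value = opt.partition(":")
            options[key.strip()] = value.strip().strip('"')
    return header, options

def parse_detection_filter(value):
    """'track by_src, count 5, seconds 2' -> ('by_src', 5, 2)."""
    fields = dict(part.split() for part in value.split(","))
    return fields["track"], int(fields["count"]), int(fields["seconds"])

class SlidingWindowFilter:
    """Per-source window: true on the count-th (and later) event within `seconds` of each other."""
    def __init__(self, count, seconds):
        self.count, self.seconds, self.seen = count, seconds, defaultdict(deque)
    def event(self, src, ts):
        window = self.seen[src]
        window.append(ts)
        while ts - window[0] > self.seconds:  # expire events that fell out of the window
            window.popleft()
        return len(window) >= self.count

# Example rule written for this demo (not the author's rule): echo requests are ICMP type 8.
ICMP_FLOOD_RULE = ('alert icmp any any -> $HOME_NET any (msg:"Possible ICMP flood"; itype:8; '
                   'detection_filter:track by_src, count 5, seconds 2; sid:1000001; rev:1;)')

# Constructed (timestamp, source) echo requests: a burst from 10.0.0.5, a slow pinger at 10.0.0.9.
PACKETS = [(0.0, "10.0.0.5"), (0.0, "10.0.0.9"), (0.1, "10.0.0.5"), (0.2, "10.0.0.5"),
           (0.3, "10.0.0.5"), (0.4, "10.0.0.5"), (0.5, "10.0.0.5"), (1.0, "10.0.0.9"),
           (2.0, "10.0.0.9"), (3.0, "10.0.0.9"), (4.0, "10.0.0.9")]

def alert_times(rule=ICMP_FLOOD_RULE, packets=PACKETS):
    # Returns the timestamps at which the rule's detection_filter would raise an alert.
    header, options = parse_rule(rule)
    _track, count, seconds = parse_detection_filter(options["detection_filter"])
    flt = SlidingWindowFilter(count, seconds)
    return [ts for ts, src in packets if flt.event(src, ts)]
```

The burst host trips the filter on its fifth request and keeps alerting while the burst continues, while the one-per-second host never accumulates five requests inside a two-second window; raising `count` or lowering `seconds` is the threshold tuning the Challenges section refers to.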
## Including Custom Rules in the Snort Configuration

The local rule file was included in the Snort configuration file:

```bash
sudo nano /etc/snort/snort.conf
```

The following line was added:

This allowed Snort to load the custom detection rules during execution.

## Running Snort in IDS Mode

Snort was executed in IDS mode to inspect live traffic and generate alerts in real time.

```bash
sudo snort -A console -q -c /etc/snort/snort.conf -i eth0
```

Explanation:

- `-A console` → Displays alerts in the terminal
- `-q` → Quiet mode
- `-c` → Specifies the configuration file
- `-i eth0` → Selects the network interface

## Attack Simulation and Testing

To verify the effectiveness of the intrusion detection system, several attack simulations were performed in a controlled environment.

### 11.1 Port Scan Detection Test

A SYN scan was launched using Nmap:

```bash
nmap -sS target
```

### 11.2 ICMP Flood Test

An ICMP flood was generated using:

```bash
ping -f target
```

### 11.3 SSH Brute Force Test

A brute-force attempt was simulated using Hydra:

```bash
hydra -l root -P pass.txt ssh://target
```

### 11.4 SQL Injection Test

SQL injection traffic was simulated using:

```bash
sqlmap -u "http://target/page?id=1"
```

## Packet Analysis with Wireshark

Wireshark was used to inspect and validate the traffic that triggered Snort alerts.

Traffic analysis activities performed:

- Observed SYN packets during Nmap scanning
- Monitored repeated ICMP echo requests during flood testing
- Analyzed SSH traffic patterns during brute-force attempts
- Inspected suspicious HTTP requests containing SQLi/XSS payloads

Using Wireshark alongside Snort improved visibility into the exact packet behavior and helped confirm whether alerts were legitimate or false positives.

## Results

| Attack Type | Command Used | Detection Status |
| --- | --- | --- |
| ICMP Flood | `ping -f target` | Detected |
| Port Scan | `nmap -sS target` | Detected |
| SSH Brute Force | `hydra -l root -P pass.txt ssh://target` | Detected |
| SQL Injection | `sqlmap -u "http://target/page?id=1"` | Detected |

The results demonstrate that Snort, when configured with custom rules, can effectively detect suspicious traffic patterns in a controlled lab setup.
## Incident Response Actions Taken

After attack detection, basic incident response measures were applied to reduce further malicious activity.

### 14.1 Blocking Malicious IP Addresses

The attacking IP was blocked using iptables:

### 14.2 Rate Limiting ICMP Requests

To mitigate ICMP flood attacks, rate limiting was applied:

### 14.3 Enabling SSH Protection with fail2ban

fail2ban was installed and enabled to reduce SSH brute-force attempts.

### 14.4 Viewing Firewall Rules

Firewall rules were verified using:

## Challenges Faced

During the implementation of this project, several practical challenges were encountered:

- Configuring Snort correctly on Ubuntu required careful attention to rule paths and interface settings
- Some initial rules generated noisy alerts and required threshold tuning
- Application-layer attacks such as SQL injection and XSS were more difficult to detect reliably than network-layer attacks
- Testing needed to be performed in a controlled environment to avoid accidental impact on normal traffic

These challenges helped improve my understanding of real-world intrusion detection limitations and the importance of tuning.

## Limitations

- The IDS was tested only in a small lab environment
- Detection logic for web attacks was basic and signature-based
- Some attacks may evade detection through encoding or obfuscation
- The system currently focuses mainly on detection, not full automated prevention
- Performance under high enterprise-level traffic was not evaluated

These limitations highlight areas for future improvement.
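The limitation that encoded or obfuscated requests can slip past the signature-based SQLi rule of 8.4 is easy to see in code. The following added Python example (mine, not from the original post) runs the same two constructed SQLi signatures over a query string twice: once against the raw bytes, as a `content`/`pcre` match on the packet payload would, and once after the kind of URI normalisation (repeated URL-decoding, comment stripping, whitespace collapsing) that Snort's `http_inspect` preprocessor applies before `http_uri` matching. The regexes and the sample query strings are constructed for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Example signatures in the spirit of the simple SQLi rule described in 8.4 (constructed for
# this demo, not the author's rule). Each is what a content/pcre option would look for.
SQLI_PATTERNS = [
    re.compile(r"'\s*or\s*1\s*=\s*1", re.IGNORECASE),
    re.compile(r"union\s+select", re.IGNORECASE),
]

def raw_match(query):
    """Match the bytes exactly as they appear on the wire, with no normalisation."""
    return any(p.search(query) for p in SQLI_PATTERNS)

def normalise(query, max_rounds=3):
    """URL-decode repeatedly (undoes double encoding), drop SQL comments, collapse whitespace."""
    for _ in range(max_rounds):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    query = re.sub(r"/\*.*?\*/", " ", query)  # inline comments used in place of spaces
    return re.sub(r"\s+", " ", query).lower()

def normalised_match(query):
    """The same signatures, applied after normalisation."""
    return raw_match(normalise(query))

# Constructed query strings: one injection in several encodings, plus a benign request.
SAMPLES = {
    "plain":   "id=1' OR 1=1",
    "urlenc":  "id=1%27%20OR%201%3D1",
    "double":  "id=1%2527%2520OR%25201%253D1",
    "comment": "id=1'/**/OR/**/1=1",
    "benign":  "id=1&sort=name",
}

def compare(samples=SAMPLES):
    """Return {name: (raw_hit, normalised_hit)} so both matchers can be read side by side."""
    return {name: (raw_match(q), normalised_match(q)) for name, q in samples.items()}
```

Only the plain form is caught by the raw matcher, which is why HTTP rules should match on the normalised `http_uri` buffer rather than the raw payload, and why even then a signature list remains a partial defence.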
## Future Improvements

- Integrate ELK Stack for centralized logging and visualization
- Add Zeek for deeper protocol and behavioral analysis
- Automate response actions using Python scripts
- Configure email or Slack alerts for real-time notifications
- Improve rule quality using more advanced Snort signatures
- Store and correlate alerts for better incident investigation

## Skills Gained

- Hands-on experience with Snort IDS
- Network traffic analysis using Wireshark
- Writing and tuning custom detection rules
- Understanding attack patterns such as:
  - Port scanning
  - ICMP flood attacks
  - SSH brute-force attempts
  - Basic web attack payloads
- Performing basic incident response
- Applying layered defense concepts using IDS + firewall + fail2ban

## Conclusion

By configuring Snort, writing custom detection rules, simulating attack scenarios, analyzing traffic, and applying response measures, this project provided practical exposure to real-world network defense techniques. It also emphasized the importance of traffic visibility, rule tuning, and defense-in-depth in cybersecurity operations.

Overall, this project significantly improved my understanding of network monitoring, threat detection, and incident response, and it served as a valuable hands-on learning experience in cybersecurity.