Snort has been around for a while, and for good reason. It’s one of the most widely used open-source intrusion detection systems (IDS) out there. Built by Martin Roesch in 1998, it can sniff packets, detect anomalies, and trigger alerts based on predefined or custom rules. Think of it like a digital watchdog for your network.
For someone like me, who’s diving deeper into defensive security after spending time on CTFs and offensive tooling, Snort feels like a natural next step as it helps you think in terms of real-world detection rather than just attack.
So why SNORT and what’s the Point of This Project?
I didn’t just want to install Snort and forget it. The idea is to understand how Snort detects threats by building everything from scratch, right from network setup to writing custom rules.
Here’s what I’m aiming for in this project:
- Simulate both normal and malicious traffic using two systems.
- Write custom Snort rules to detect specific patterns and behaviors.
- Learn how to analyze alerts, fine-tune rules, and reduce false positives.
- Get comfortable with using Snort in real-time as a part of a defense stack.
This isn’t a copy-paste tutorial rather it’s more of a learn-by-doing journey, and I’m documenting each step along the way.
This is what we are up to today….
| Step | Task | Time Estimate |
|---|---|---|
| 1 | Launch Kali WSL as attacker | 1–2 min |
| 2 | Launch Ubuntu WSL (or VM) as Snort IDS | 1–2 min |
| 3 | Install Snort (if not already done) on Ubuntu | 10–15 min |
| 4 | Configure Snort for basic logging | 5–10 min |
| 5 | Set up internal/host-only network or enable communication between Kali and Ubuntu WSLs | 10–15 min |
| 6 | Quick test with ping or curl to ensure connectivity | 2–3 min |
Lab Setup
I’m using WSL (Windows Subsystem for Linux) for this setup, which makes switching between Kali and Ubuntu pretty seamless.
Here’s how I structured it:
- Ubuntu (WSL) : Acts as the IDS system, running Snort
- Kali Linux (WSL) : Used to simulate attacker behavior
Both machines are set up to communicate over a host-only/internal network, and the Ubuntu system (Snort) is configured to listen on its virtual interface.
Now in order to test connectivity between the two said systems :
ping <Ubuntu-IP>Snort Installation on Ubuntu
- Update the system :
sudo apt update && sudo apt upgrade -y - Install Dependencies :
sudo apt install -y build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev liblzma-dev openssl libssl-dev libnghttp2-dev libdnet autoconf libtool - Install Snort : sudo apt-get install snort -y
- Verify Installation : snort -V
- Configuring Snort : sudo vim /etc/snort/snort.conf
- Setting Network Connectivity : ipvar HOME_NET <your IP>
- Configure Output Files : Add under “Configure output plugins” section
output alert_csv: /var/log/snort/alert.csv default
output log_tcpdump: /var/log/snort/tcpdump.log - Test the Configuration File : sudo snort -T -i eth0 -c /etc/snort/snort.conf
Network Connectivity
To ensure connectivity:
- I checked my IP address on Ubuntu (
ip a) →172.24.18.199 - From Kali, I ran :
ping 172.24.18.199Result: 5/5 packets received!
We’ve got a working link.
Onto the next part
Now that Snort is up and running, tomorrow I’ll begin:
- Writing my first detection rules (ICMP, HTTP, FTP)
- Simulating scans with Nmap
- Trying brute-force attacks with Hydra
- Capturing alerts and tuning detection logic
I’ll keep documenting each step and share learnings as I go.
Final Thoughts (for now)
This might look like a lot of setup work, but honestly, this hands-on learning is worth every minute. You don’t really understand how intrusion detection works until you configure one yourself, simulate attacks, and try to detect them.
Stay tuned — I’ll be back tomorrow with custom rules, detection logs, and some real traffic analysis.
Feel free to follow along or reach out if you want to try building this lab too!
If you’re as passionate about Cyber-Security as I am, feel free to follow me on Twitter – @shrisec for the latest updates and connect with me on LinkedIn – Aditya Narayan to stay in the loop with my posts and insights in the upcoming projects and CTF writeups.
Let’s continue this fascinating journey together!
Excellent project…
Keep updating…..