
How I deployed Snort 2.x on an Ubuntu VM to detect ICMP ping floods, Nmap SYN scans, and TCP port sweeps in a live lab network — with custom rules and real alert output.
RAMESH

The lab runs on a private 192.168.111.0/24 network with three virtual machines, each playing a distinct role — attacker, victim, and the NIDS sensor.
Snort runs on the Ubuntu VM and listens passively on the ens33 interface, monitoring traffic flowing between the attacker and victim.
On the Ubuntu NIDS machine, I first updated the system, then enabled promiscuous mode on the network interface so Snort could capture all packets — not just those addressed to the VM itself.
$ sudo apt update -y && sudo apt upgrade -y
$ sudo apt install net-tools snort -y
$ sudo ip link set ens33 promisc on

After installation, Snort 2.9.20 (Build 82) was confirmed running. I then edited /etc/snort/snort.conf to set the home network variable and include the custom rules file:
ipvar HOME_NET 192.168.111.0/24
ipvar EXTERNAL_NET any
# Inside the rules section:
include $RULE_PATH/local.rules
include $RULE_PATH/scan.rules

Rather than relying on community rulesets alone, I wrote four targeted rules in /etc/snort/rules/local.rules to catch specific recon behaviors:
alert icmp any any -> $HOME_NET any (itype:8; detection_filter:track by_src, count 20, seconds 5; threshold:type limit, track by_src, count 1, seconds 5; msg:"[Lab] ICMP Ping Flood Detected"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 22 (flags:S; msg:"[Lab] SSH Connection Attempt"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET any (flags:S; flow:stateless; detection_filter:track by_src, count 20, seconds 10; msg:"[Lab] Possible TCP SYN Scan"; sid:1000003; rev:1;)
alert tcp any any -> $HOME_NET any (flags:S; flow:stateless; detection_filter:track by_src, count 50, seconds 5; msg:"[Lab] Possible Port Scan Activity"; sid:1000004; rev:1;)

Before going live I ran Snort in test mode to catch any config errors:
$ sudo snort -T -c /etc/snort/snort.conf -i ens33

Snort reported "Snort successfully validated the configuration!", confirming that all 49,036 detection rules loaded cleanly.

With Snort running in console alert mode on the Ubuntu VM, I launched attacks from Kali:
# Nmap SYN scan (-sS) in fast mode (-F, top 100 ports) against Metasploitable-3
$ nmap -sS -F 192.168.111.135
# TCP connect scan (-sT) of port 22 only, to exercise the SSH rule
$ nmap -sT -p 22 192.168.111.135
# ICMP ping flood with hping3
$ hping3 --icmp --flood 192.168.111.135
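To show how the detection_filter and threshold keywords in sid 1000001 and sid 1000003 decide which of the packets generated by the commands above actually reach the alert log, here is an added Python model; it is not part of the original post and not Snort's own thresholding code. It counts per-source events in a fixed window (a simplification of Snort's sfthd logic), and the attacker address 192.168.111.130 and the gateway address 192.168.111.1 in the sample traffic are assumed.

```python
class FixedWindowCounter:
    """Per-source fixed-window counter: a simplified model of how Snort's
    detection_filter and threshold keywords count events (the window opens
    on the first event from a source and resets after `seconds`)."""

    def __init__(self, seconds):
        self.seconds = seconds
        self.windows = {}  # src -> [window_start, events_in_window]

    def hit(self, src, t):
        """Record an event from src at time t; return its ordinal in the window."""
        win = self.windows.get(src)
        if win is None or t >= win[0] + self.seconds:
            self.windows[src] = [t, 1]
            return 1
        win[1] += 1
        return win[1]

def run_rule(packets, match, df_count, df_secs, lim_count=None, lim_secs=None):
    """Evaluate one rule over (time, src, attrs) packets. detection_filter: an
    event exists only once df_count is exceeded within df_secs. threshold type
    limit: only the first lim_count events per lim_secs reach the log."""
    df = FixedWindowCounter(df_secs)
    lim = FixedWindowCounter(lim_secs) if lim_count else None
    logged = []
    for t, src, attrs in packets:
        if not match(attrs):
            continue
        if df.hit(src, t) <= df_count:           # rate not exceeded: no event
            continue
        if lim and lim.hit(src, t) > lim_count:  # suppressed by the limit
            continue
        logged.append((t, src))
    return logged

def ping_flood_alerts(packets):
    """sid 1000001: detection_filter 20 in 5 s plus threshold limit 1 per 5 s."""
    is_echo = lambda a: a["proto"] == "icmp" and a["itype"] == 8
    return run_rule(packets, is_echo, 20, 5, lim_count=1, lim_secs=5)

def syn_scan_alerts(packets):
    """sid 1000003: detection_filter 20 in 10 s and no threshold, so every
    SYN beyond the 20th in the window is logged separately."""
    is_syn = lambda a: a["proto"] == "tcp" and a.get("flags") == "S"
    return run_rule(packets, is_syn, 20, 10)

def sample_icmp():
    """Constructed traffic (not a lab capture): 100 echo requests in 2 s from
    the assumed attacker VM and one benign ping per second from the gateway."""
    echo = {"proto": "icmp", "itype": 8}
    flood = [(i * 0.02, "192.168.111.130", echo) for i in range(100)]
    benign = [(float(i), "192.168.111.1", echo) for i in range(10)]
    return sorted(flood + benign, key=lambda p: p[0])
```

Running ping_flood_alerts(sample_icmp()) yields a single logged alert for the attacker at the 21st echo request, while the benign host never crosses the rate; without the threshold limit, every packet after the 20th would have been logged.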