Snort Report

This document outlines the installation and configuration process for Snort as an Intrusion Detection System (IDS) to monitor network traffic. Key steps include system updates, Snort installation, configuration file modifications, and the implementation of a custom detection rule for TCP connections on port 4444. The setup was successfully tested, confirming that Snort effectively detects and logs specified network activities.

Uploaded by Saba Hussien

Snort IDS Configuration

Saba’a Hussien

Objective
This document serves as an internal report detailing the setup and configuration of Snort as an Intrusion Detection System (IDS) for monitoring network traffic.

Installation and Setup

1. System Update
Before proceeding with the installation, the package list was updated using: “sudo apt-get update”

“pic(1): execute package list update command.”

2. Snort Installation
Snort was installed using the following command: “sudo apt-get install snort”

“pic(2): install snort.”

3. Configuration File Modification

The snort.conf file was edited to define the home network using this command: “sudo gedit snort.conf”
The following line was modified to: “ipvar HOME_NET 192.168.88.0/24”

“pic(3): modified snort.conf file.”

4. Custom Rule Implementation

A detection rule was added to the local.rules file using this command: “sudo gedit /etc/snort/rules/local.rules”
This rule will alert whenever a TCP connection is made to port 4444 on any destination IP. Port 4444 is often used by malware or remote shell exploits, such as Metasploit’s reverse shells, making this a useful rule for detecting potential backdoor or unauthorized access attempts.
alert tcp any any -> any 4444 (msg:"Connection to remote IP on port 4444"; sid:1000002; rev:1;)

“pic(4): add rule to local.rules file.”

5. Running Snort in IDS Mode

Snort was executed in IDS mode with the specified configuration: “sudo snort -A console -l /var/log/snort -i enp0s3 -c /etc/snort/snort.conf -q”
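Steps 3 to 5 above are manual edits in gedit. The script below is an added example (it is not part of the report and not Snort's own tooling) that performs the same three steps as shell functions which can be re-run safely: set HOME_NET with a small input check, append the rule only if its sid is not already in local.rules, and validate the whole configuration with "snort -T" before starting Snort live. The file paths and the interface name are the ones the report uses; the environment variable overrides, the function names and the "apply" argument are this example's own conventions.

```shell
#!/bin/sh
# Added example, not part of the report: the report's steps 3-5 as shell
# functions that can be re-run safely, plus "snort -T" to validate the
# configuration before running live. Paths and interface default to the
# ones the report uses; override via environment variables when testing.
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
LOCAL_RULES="${LOCAL_RULES:-/etc/snort/rules/local.rules}"
IFACE="${IFACE:-enp0s3}"

# Set "ipvar HOME_NET" in a snort.conf to the given CIDR (step 3).
# $1 = path to snort.conf, $2 = CIDR such as 192.168.88.0/24
set_home_net() {
    conf="$1"; cidr="$2"
    # Reject anything that is not digits, dots and a slash before it reaches sed.
    case "$cidr" in
        ""|*[!0-9./]*) echo "set_home_net: bad CIDR '$cidr'" >&2; return 1 ;;
    esac
    if grep -q '^ipvar HOME_NET ' "$conf"; then
        tmp="$conf.tmp.$$"
        sed "s|^ipvar HOME_NET .*|ipvar HOME_NET $cidr|" "$conf" > "$tmp" && mv "$tmp" "$conf"
    else
        printf 'ipvar HOME_NET %s\n' "$cidr" >> "$conf"
    fi
    grep '^ipvar HOME_NET ' "$conf"
}

# Append a rule to local.rules unless its sid is already there (step 4).
# $1 = path to local.rules, $2 = the complete rule text
add_local_rule() {
    rules="$1"; rule="$2"
    sid=$(printf '%s\n' "$rule" | sed -n 's/.*sid:[ ]*\([0-9][0-9]*\);.*/\1/p')
    [ -n "$sid" ] || { echo "add_local_rule: rule has no sid" >&2; return 1; }
    # Local rules use sids from 1000000 upwards so they never collide with
    # the sids shipped in the distributed rule sets.
    [ "$sid" -ge 1000000 ] || { echo "add_local_rule: sid $sid is reserved" >&2; return 1; }
    if [ -f "$rules" ] && grep -q "sid:[ ]*$sid;" "$rules"; then
        echo "add_local_rule: sid $sid already present, not adding again" >&2
        return 0
    fi
    printf '%s\n' "$rule" >> "$rules"
}

# Validate the whole configuration without sniffing (the report skips this).
# $1 = path to snort.conf, $2 = interface
check_config() {
    if command -v snort >/dev/null 2>&1; then
        snort -T -c "$1" -i "$2"
    else
        echo "check_config: snort is not installed here, skipping" >&2
    fi
}

# Apply the report's configuration for real (needs root). Usage: sh setup.sh apply
main() {
    set_home_net "$SNORT_CONF" 192.168.88.0/24
    add_local_rule "$LOCAL_RULES" \
        'alert tcp any any -> any 4444 (msg:"Connection to remote IP on port 4444"; sid:1000002; rev:1;)'
    check_config "$SNORT_CONF" "$IFACE"
    # Same invocation as step 5 of the report.
    snort -A console -l /var/log/snort -i "$IFACE" -c "$SNORT_CONF" -q
}

if [ "${1:-}" = apply ]; then
    main
fi
```

The rule is added exactly as the report wrote it. Because it carries no flow keyword, it matches every TCP packet sent to port 4444 whether or not a session is ever established, which is why a single hping3 packet in the test section is enough to trigger it; on a busy network that also means every scan of the port produces an alert.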

Testing and Results

A network traffic test was conducted using hping3 from a Kali Linux machine: “sudo hping3 -c 1 -p 4444 192.168.88.10”

“pic(5): try connection to port 4444.”

Observed Outcome: Snort successfully detected and logged the connection attempt to port 4444. The detection output was verified both in the console and the log files.

“pic(6): show the alert from rule in terminal.”
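Verifying the outcome by eye works for one hping3 packet; over a longer capture one wants to know how often each rule fired and from where. The helpers below are an added example (not part of the report) for the fast-alert lines that Snort 2 prints with "-A console" (and writes to the "alert" file under the -l directory with "-A fast"). The sample alert lines are constructed for this example: the sid 1000002 lines mimic what the report's rule would print, and the second rule (sid 1000001, an ICMP alert) is invented here and does not appear in the report.

```shell
#!/bin/sh
# Added example, not part of the report: two helpers for reading the
# fast-alert lines that "snort -A console" prints (and that "-A fast" writes
# to the "alert" file under the -l log directory). The sample lines below are
# constructed for this example; the sid 1000001 rule is invented and is not
# in the report.
SAMPLE_ALERTS='05/14-10:21:33.412019  [**] [1:1000002:1] Connection to remote IP on port 4444 [**] [Priority: 0] {TCP} 192.168.88.20:2721 -> 192.168.88.10:4444
05/14-10:21:40.002311  [**] [1:1000002:1] Connection to remote IP on port 4444 [**] [Priority: 0] {TCP} 192.168.88.21:51022 -> 192.168.88.10:4444
05/14-10:22:05.771204  [**] [1:1000002:1] Connection to remote IP on port 4444 [**] [Priority: 0] {TCP} 192.168.88.20:2722 -> 192.168.88.10:4444
05/14-10:23:11.000000  [**] [1:1000001:1] ICMP test detected [**] [Priority: 0] {ICMP} 192.168.88.20 -> 192.168.88.10'

# Print "sid count" for every rule that fired, busiest rule first.
# Reads fast-alert lines on stdin.
count_alerts_by_sid() {
    awk '
      # The alert id sits in the [gid:sid:rev] bracket after the first [**].
      match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/) {
          split(substr($0, RSTART + 1, RLENGTH - 2), id, ":")
          count[id[2]]++
      }
      END { for (sid in count) print sid, count[sid] }
    ' | sort -k2,2nr -k1,1n
}

# Print the distinct source addresses that triggered one sid, one per line.
# $1 = sid; reads fast-alert lines on stdin. IPv4 only: the address is
# separated from its port on ":".
alert_sources() {
    awk -v want="$1" '
      match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/) {
          split(substr($0, RSTART + 1, RLENGTH - 2), id, ":")
          if (id[2] != want) next
          # "src[:port] -> dst[:port]" are always the last three fields.
          split($(NF - 2), src, ":")
          seen[src[1]] = 1
      }
      END { for (ip in seen) print ip }
    ' | sort
}

# Demo on the constructed sample: sh alerts.sh demo
# On a real run: sudo snort -A console ... | tee alerts.txt; count_alerts_by_sid < alerts.txt
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_ALERTS" | count_alerts_by_sid
    printf '%s\n' "$SAMPLE_ALERTS" | alert_sources 1000002
fi
```

Both helpers key on the [gid:sid:rev] bracket rather than on the message text, so they keep working when the rule's msg is reworded but its sid is kept, which is the usual practice when a local rule is revised.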

Conclusion
The IDS configuration is operational and effectively detects specified network activities.
