This project demonstrates the use of Snort as a network-based IDS to detect multiple types of attacks in a controlled lab environment.
| VM | Role | Details |
|---|---|---|
| Ubuntu | IDS | Snort installed (interface: ens33) |
| Kali | Attacker | Nmap, Hydra, SQLmap, curl |
| Metasploitable | Victim | Vulnerable services: FTP, DVWA, Mutillidae |
```
        ┌────────────┐
        │    Kali    │
        │ (Attacker) │
        └─────┬──────┘
              │
              │  Simulated Attacks (Nmap, Hydra, hping3, curl)
              ▼
    ┌─────────────────────┐
    │   Metasploitable VM │
    │ (Vulnerable Target) │
    └─────────┬───────────┘
              │
              ▼
     Monitored via ens33
              │
              ▼
       ┌──────────────┐
       │  Ubuntu VM   │
       │ (Snort IDS)  │
       └──────────────┘
```
```
snort-ids-project/
├── docs/
│   ├── Report.docx
│   ├── Snort_IDS_Report.pdf
│   ├── attack_simulations.md
│   ├── snort_rules.md
│   └── snort_setup.md
├── screenshots/
│   ├── Snort-IDS-Monitor/
│   └── Snort-Attacker/
├── README.md
```
| Attack Type | Tool | Target Service | Rule SID |
|---|---|---|---|
| Port Scan | Nmap | TCP (1–1024) | 1000001 |
| ICMP Flood | hping3 | ICMP | 1000002 |
| FTP Brute Force | Hydra | vsftpd (21) | 1000005 |
| SQL Injection | curl/sqlmap | HTTP (port 80) | 1000004 |
❗ Due to modern OpenSSH restrictions, SSH brute force was replaced with FTP brute force, which is functionally equivalent for Snort rule demonstration.
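As an added illustration of how the four detections in the table map to Snort rules, here is a minimal `local.rules` written against the SIDs above. This is example code, not the project's own `rules/local.rules`; the `$HOME_NET` variable, the `LAB` message prefix and every threshold (count/seconds) are assumptions to be tuned to the lab.

```snort
# Example local.rules for the lab (added example; thresholds are assumptions).
# $HOME_NET is assumed to be set in snort.conf to the Metasploitable subnet.

# SID 1000001 - Nmap port scan: many SYNs from one source to low ports in a short window.
alert tcp any any -> $HOME_NET 1:1024 ( \
    msg:"LAB Nmap TCP port scan (ports 1-1024)"; \
    flags:S; \
    detection_filter:track by_src, count 20, seconds 5; \
    classtype:attempted-recon; sid:1000001; rev:1; )

# SID 1000002 - hping3 ICMP flood: echo-request rate from one source exceeds a threshold.
alert icmp any any -> $HOME_NET any ( \
    msg:"LAB ICMP echo flood"; \
    itype:8; \
    detection_filter:track by_src, count 50, seconds 1; \
    classtype:attempted-dos; sid:1000002; rev:1; )

# SID 1000005 - Hydra FTP brute force: repeated "530" login-failure replies from vsftpd
# to the same client. Tracking by_dst keys on the attacker (the client side of port 21).
alert tcp $HOME_NET 21 -> any any ( \
    msg:"LAB FTP brute force (repeated 530 login failures)"; \
    flow:from_server,established; \
    content:"530 "; depth:4; \
    detection_filter:track by_dst, count 5, seconds 30; \
    classtype:attempted-admin; sid:1000005; rev:1; )

# SID 1000004 - SQL injection via curl/sqlmap: UNION ... SELECT in an HTTP request.
# Matching the two keywords separately keeps the rule working when the space between
# them is URL-encoded (%20 or +) by the client.
alert tcp any any -> $HOME_NET 80 ( \
    msg:"LAB SQL injection attempt (UNION SELECT in HTTP request)"; \
    flow:to_server,established; \
    content:"union"; nocase; \
    content:"select"; nocase; distance:0; within:20; \
    classtype:web-application-attack; sid:1000004; rev:1; )
```

Verify the file parses before running it live with `snort -T -c /etc/snort/snort.conf`; the `detection_filter` rules only alert once the count is exceeded inside the window, so a single packet will not trigger them.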
See docs/snort_setup.md for full installation and config steps.
The Snort rules used are in rules/local.rules.
See docs/snort_rules.md for rule logic and SID descriptions.
Each attack is documented in docs/attack_simulations.md, including:
- Command used from Kali
- Screenshot of Snort alert from Ubuntu
- Explanation of how the detection worked
Screenshots of the attacks and the resulting alerts are found under the screenshots/ folder.
The final project report is in the docs folder: Word: report.docx; PDF: Snort_IDS_Report.pdf.