0xBash/IDS-Home-Lab
README ( ͡👁️ ͜ʖ ͡👁️)

Intrusion Detection System - Home Lab 🧑‍💻

Tool:

🐽 Snort as an Intrusion Detection System 🕵️

Machines:

Attacker: Kali ☠️ | Victim: Metasploitable 2 👦 | IDS: Linux Mint 🍀

Attack and Detection Scenario:

▶️ Lab Demo (video): ICMP Ping Detection

Screenshots:

- Snort Installation [screenshot]
- Editing ipvar $HOME_NET [screenshot]
- Custom Rules [screenshot]

VIM config and Snort config

Configuring line numbers and syntax highlighting in Vim

$ vim /root/.vimrc

Add these two lines to the file:

set number
syntax on

Snort's main config file location

$ sudo vim /etc/snort/snort.conf

Snort's Custom rules location

$ sudo vim /etc/snort/rules/rules.local

Custom ICMP Ping Detection Rule

alert ICMP any any -> $HOME_NET any (msg:"ICMP Ping Detected"; sid:100001; rev:1;)

Start Snort in detection mode

snort -q -l /var/log/snort -i ens34 -A console -c /etc/snort/snort.conf

-q runs Snort in quiet mode (no banner or startup status output); -l sets the directory where traffic and alerts are logged; -i selects the capture interface (ens34 here); -A console prints alerts to the terminal as they fire; -c points Snort at the config file to load.
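With -A console, every hit on the custom rule is printed as a single fast-format alert line. The following Python script is an added example, not code from this repository: it parses constructed sample alerts (assumed to match Snort 2's fast/console line format) and counts hits of the custom rule's sid per source address, so that a burst of pings from one host stands out as a sweep or flood rather than as isolated alerts.

```python
import re
from collections import Counter

# Snort fast/console alert line (assumed format): timestamp, [gid:sid:rev], msg,
# optional classification, priority, {PROTO}, src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (not real lab output): one host pinging the victim
# four times, a single ping from another host, and one line that is not an alert.
SAMPLE_ALERTS = """\
04/12-10:15:01.100001  [**] [1:100001:1] ICMP Ping Detected [**] [Priority: 0] {ICMP} 192.168.56.101 -> 192.168.56.102
04/12-10:15:02.100002  [**] [1:100001:1] ICMP Ping Detected [**] [Priority: 0] {ICMP} 192.168.56.101 -> 192.168.56.102
04/12-10:15:03.100003  [**] [1:100001:1] ICMP Ping Detected [**] [Priority: 0] {ICMP} 192.168.56.101 -> 192.168.56.102
04/12-10:15:04.100004  [**] [1:100001:1] ICMP Ping Detected [**] [Priority: 0] {ICMP} 192.168.56.101 -> 192.168.56.102
04/12-10:15:09.200000  [**] [1:100001:1] ICMP Ping Detected [**] [Priority: 0] {ICMP} 192.168.56.1 -> 192.168.56.102
this line is not an alert and must be skipped
"""


def parse_alerts(text):
    """Yield one dict per well-formed alert line; malformed lines are ignored."""
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            yield m.groupdict()


def summarize(text, sid, threshold):
    """Count alerts for `sid` per source IP; return (counts, sources at/above threshold)."""
    per_src = Counter(a["src"] for a in parse_alerts(text) if int(a["sid"]) == sid)
    noisy = sorted(src for src, n in per_src.items() if n >= threshold)
    return per_src, noisy


if __name__ == "__main__":
    counts, noisy = summarize(SAMPLE_ALERTS, sid=100001, threshold=3)
    for src, n in counts.most_common():
        print(f"{src:16} {n} ping alert(s)")
    print("sources over threshold:", noisy)  # prints ['192.168.56.101']
```

In the lab, pipe Snort's console output into this script (or point it at the alert file under /var/log/snort) to get the same per-source view on live traffic.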

About

piggy that sniff terror in the net :`0
