This project sets up a simple Intrusion Detection System (IDS) using Snort on an Ubuntu machine to detect ping and SSH traffic from a Kali attacker machine.

| System | Role | Interface | IP Address |
|---|---|---|---|
| Ubuntu | Snort IDS | enp0s8 | 192.168.92.11 |
| Kali Linux | Attacker/Test Machine | same LAN | 192.168.92.X |
```bash
sudo apt update && sudo apt upgrade -y
sudo apt install snort -y
```

During install:
- Network Interface: enp0s8
- HOME_NET: 192.168.92.0/24
```bash
sudo nano /etc/snort/snort.conf
```

Set HOME_NET:

```
var HOME_NET 192.168.92.0/24
```

Ensure this line is enabled:

```
include $RULE_PATH/local.rules
```
```bash
sudo nano /etc/snort/rules/local.rules
```

Paste the following:

```
# Detect ping
alert icmp any any -> any any (msg:"[Snort] ICMP Ping Detected"; sid:1000001; rev:1;)
# Detect SSH
alert tcp any any -> any 22 (msg:"[Snort] SSH Connection Attempt"; sid:1000002; rev:1;)
```
Run Snort on the Ubuntu machine:

```bash
sudo snort -A console -q -c /etc/snort/snort.conf -i enp0s8
```

From the Kali machine, generate test traffic:

```bash
ping 192.168.92.11
ssh 192.168.92.11
```

Expected alerts on the Snort console:

```
[**] [1:1000001:1] [Snort] ICMP Ping Detected [**]
[**] [1:1000002:1] [Snort] SSH Connection Attempt [**]
```
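To make the console alerts above easier to work with, here is an added Python example (not part of the original project) that parses Snort's `-A console` alert lines, counts alerts per SID, and lists source IPs that trip the SSH rule repeatedly. The sample lines are constructed, and the timestamp/priority/protocol layout is assumed to be Snort 2's default console format.

```python
import re
from collections import Counter

# Assumed Snort 2 "-A console" layout: timestamp, [gid:sid:rev], message, optional priority,
# {PROTO}, then src[:port] -> dst[:port]. Ports are absent for ICMP.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a Snort alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev"):
        d[k] = int(d[k])
    return d

def count_by_sid(lines):
    """Number of alerts per signature id, e.g. {1000001: 2, 1000002: 3}."""
    return Counter(a["sid"] for a in map(parse_alert, lines) if a)

def noisy_sources(lines, sid, threshold):
    """Source IPs that fired the given SID at least `threshold` times (sorted)."""
    c = Counter(a["src"] for a in map(parse_alert, lines) if a and a["sid"] == sid)
    return sorted(ip for ip, n in c.items() if n >= threshold)

# Constructed sample of what the lab's two local.rules entries would print on the console.
SAMPLE = """\
03/15-10:22:45.123456  [**] [1:1000001:1] [Snort] ICMP Ping Detected [**] [Priority: 0] {ICMP} 192.168.92.20 -> 192.168.92.11
03/15-10:22:46.124000  [**] [1:1000001:1] [Snort] ICMP Ping Detected [**] [Priority: 0] {ICMP} 192.168.92.20 -> 192.168.92.11
03/15-10:23:01.500000  [**] [1:1000002:1] [Snort] SSH Connection Attempt [**] [Priority: 0] {TCP} 192.168.92.20:43210 -> 192.168.92.11:22
03/15-10:23:02.600000  [**] [1:1000002:1] [Snort] SSH Connection Attempt [**] [Priority: 0] {TCP} 192.168.92.20:43212 -> 192.168.92.11:22
03/15-10:23:03.700000  [**] [1:1000002:1] [Snort] SSH Connection Attempt [**] [Priority: 0] {TCP} 192.168.92.30:51000 -> 192.168.92.11:22
not an alert line
""".splitlines()

if __name__ == "__main__":
    print(dict(count_by_sid(SAMPLE)))            # {1000001: 2, 1000002: 3}
    print(noisy_sources(SAMPLE, 1000002, 2))      # ['192.168.92.20']
```

Pipe the live console output into this script (e.g. `snort ... | python3 parse_alerts.py`, reading `sys.stdin` instead of `SAMPLE`) to get the same summaries for real traffic.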
Next steps:
- Detect Nmap scans
- Log alerts to files
- Turn Snort into IPS mode using iptables