- Attacker: Kali Linux (nmap).
- Target: Ubuntu (Snort as IDS).
- Or run only the Target and let it perform the attacks on itself.
- Monitoring and verification: Wireshark/tcpdump for PCAP capture and analysis.
First, I'll install some tools, like Wireshark, to monitor traffic:
- On the Target machine:
sudo apt update
sudo apt upgrade -y
sudo apt install wireshark
Secondly: installing and configuring Snort as an IDS:
sudo -i
sudo apt install -y snort
- During installation, I encountered this prompt:
Package configuration
Configuring snort

  Please use the CIDR form - for example, 192.168.1.0/24 for a block of 256
  addresses or 192.168.1.42/32 for just one. Multiple values should be
  comma-separated (without spaces).

  You can leave this value empty and configure HOME_NET in
  /etc/snort/snort.conf instead. This is useful if you are using Snort in a
  system which frequently changes network and does

  <Ok>
- This dialog asks you to define HOME_NET in CIDR format:
Package configuration
Configuring snort
  Address range for the local network:
  192.168.0.0/16
  <Ok>
- Before continuing, I checked the machine's IP:
aas@aas:~$ ifconfig
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.2.15 netmask 255.255.255.0 broadcast 10.0.2.255
inet6 fe80::6a6a:bfa1:f934:1ee0 prefixlen 64 scopeid 0x20<link>
ether 08:00:27:f5:0f:ed txqueuelen 1000 (Ethernet)
RX packets 210978 bytes 303130933 (303.1 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 31543 bytes 1966166 (1.9 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 316 bytes 27977 (27.9 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 316 bytes 27977 (27.9 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
- The network interface connected to the network is: enp0s3
- The Target's IP address is: 10.0.2.15
- The subnet is: 10.0.2.0/24, because the netmask is 255.255.255.0.
Since my Target's actual network is 10.0.2.0/24, I corrected the default value (192.168.0.0/16) to: 10.0.2.0/24
- Alternatively, leave it empty and set HOME_NET later in /etc/snort/snort.conf.
- After entering it, press Ok to confirm.
#### Problem encountered during installation:
FATAL ERROR: /etc/snort/snort.conf(0) Unable to open rules file "/etc/snort/snort.conf": No such file or directory.
This means either the file is missing or the path is incorrect.
The issue isn't with the installation itself; it's that the system service (systemd / init.d) cannot find the snort.conf configuration file.
Steps to fix the issue
1. Verify whether snort.conf exists
root@aas:~# ls -l /etc/snort/
total 8
drwxr-xr-x 2 root root 4096 سبت 12 17:42 rules
-rw------- 1 root root 803 سبت 12 17:42 snort.debian.conf
- The main snort.conf file is missing.
- Only snort.debian.conf exists. This is the default Debian/Ubuntu configuration file, not the standard Snort one.
- The rules folder exists, but the main configuration file snort.conf (which the error message calls the "rules file") is missing, so the systemd/init.d service can't start Snort.
2. Create a new snort.conf file:
root@aas:~# cd /etc/snort/
root@aas:/etc/snort# ls
rules snort.debian.conf
root@aas:/etc/snort# sudo nano snort.conf
3. Add basic settings to run Snort
- After research, I used the following configuration:
######################################################
# Snort Configuration File
# Version: 2.9.15.1
# Author: Abdelwahab Shandy - Config for IDS Testing
######################################################
#-------------------
# Network Variables
#------------------
# Internal network that Snort will monitor
ipvar HOME_NET 10.0.2.0/24
# All other networks are considered external
ipvar EXTERNAL_NET any
#------------
# Rule Paths
#------------
# Path for Snort rule files
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
#---------------
# Include Rules
#---------------
# Include your local rules (local.rules)
include $RULE_PATH/local.rules
#-----------------
# Output Settings
#-----------------
# Output alerts directly to the console
output alert_fast: stdout
#---------------
# Preprocessors
#---------------
# Frag3 preprocessor settings
preprocessor frag3_global: max_frags 65536
# Stream5 preprocessor settings
preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp yes
preprocessor stream5_tcp: policy linux, detect_anomalies
preprocessor stream5_udp:
preprocessor stream5_icmp:
#############################
# End of Snort Configuration
#############################
- Frag3 reassembles fragmented IP packets so Snort can inspect them as a single unit and detect attacks that are split across fragments.
- Stream5 tracks sessions and reassembles TCP/UDP/ICMP streams so Snort can apply rules to the correct data in the correct order.
4. Create the local rules file:
root@aas:/etc/snort# sudo nano rules/local.rules
- Add a simple test rule, for example:
alert icmp any any -> any any (msg:"ICMP test detected"; sid:1000001; rev:1;)
5. Test the configuration to verify that the issue is resolved:
root@aas:/etc/snort# snort -T -c /etc/snort/snort.conf
Output:
Rule application order: pass->drop->sdrop->reject->alert->log
Verifying Preprocessor Configurations!
[ Port Based Pattern Matching Memory ]
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.9.15.1 GRE (Build 15125)
'''' By Martin Roesch & The Snort Team
Using libpcap version 1.10.1
Using PCRE version: 8.39
Using ZLIB version: 1.2.11
Snort successfully validated the configuration!
Snort exiting
- This means the Snort configuration is now successfully validated.
- snort.conf is valid: all paths and rules exist and are correct.
- Preprocessors are working: protocol analysis and other settings are ready.
- Snort is not running yet: the -T option only tests the configuration, so Snort exits after the test.
Testing live alerts:
- Run Snort to see alerts directly:
sudo snort -i lo -c /etc/snort/snort.conf -A console
- This monitors the loopback interface (lo).
- I'll ping from the same machine for simplicity instead of using another VM.
From another terminal:
aas@aas:~$ ping 10.0.2.15
Output:
WARNING: No preprocessors configured for policy 0.
09/12-18:28:23.648061 [**] [1:1000001:1] ICMP test detected [**] [Priority: 0] {ICMP} 10.0.2.15 -> 10.0.2.15
- This confirms the rule is working: Snort captures any ICMP traffic on the monitored interface (lo).
- Running on the enp0s3 interface did not trigger alerts because pings to the host's own address go through lo, not enp0s3.
- Pinging from another device on the 10.0.2.0/24 network will trigger an alert immediately.
This was just a test. Everything is now set, so we can proceed to the main task.
Preparing and testing Nmap scan detection
1. Add Nmap rules to local.rules
- We start with some of the most common Nmap scan types.
- Open the local rules file:
nano /etc/snort/rules/local.rules
- Here is the Snort rule structure:
action protocol sourceIP sourceport -> destinationIP destinationport ([Rule options])
Examples:
- A. Ping Sweep detection:
# Ping Sweep Detector
alert icmp any any -> 10.0.2.15 any (msg:"NMAP Ping Sweep Scan"; dsize:0; sid:1000002; rev:1;)
- B. NULL Scan detection:
alert tcp any any -> 10.0.2.15 22 (msg:"NMAP NULL Scan"; flags:0; sid:1000006; rev:1;)
- C. TCP Scan detection on port 22:
alert tcp any any -> 10.0.2.15 22 (msg:"NMAP TCP Scan"; sid:1000003; rev:1;)
- D. XMAS Scan detection:
alert tcp any any -> 10.0.2.15 22 (msg:"NMAP XMAS Scan"; flags:FPU; sid:1000004; rev:1;)
- E. FIN Scan detection:
alert tcp any any -> 10.0.2.15 22 (msg:"NMAP FIN Scan"; flags:F; sid:1000005; rev:1;)
- F. UDP Scan detection on port 68:
alert udp any any -> 10.0.2.15 68 (msg:"NMAP UDP Scan"; sid:1000007; rev:1;)
- Final combined file will look like:
# --------------------------------
# Nmap Detection Rules for Snort :
# --------------------------------
# ICMP Test Detection
alert icmp any any -> any any (msg:"ICMP test Detected!!!"; sid:10000010; rev:1;)
# NMAP Ping Sweep
alert icmp any any -> any any (msg:"NMAP Ping Sweep Scan!!!"; dsize:0; sid:10000020; rev:1;)
# NMAP TCP Scan
alert tcp any any -> any any (msg:"NMAP TCP Scan!!!"; flags:S; sid:10000030; rev:1;)
# NMAP XMAS Scan
alert tcp any any -> any any (msg:"NMAP XMAS Scan!!!"; flags:FPU; sid:10000040; rev:1;)
# NMAP FIN Scan
alert tcp any any -> any any (msg:"NMAP FIN Scan!!!"; flags:F; sid:10000050; rev:1;)
# NMAP NULL Scan
alert tcp any any -> any any (msg:"NMAP NULL Scan!!!"; flags:0; sid:10000060; rev:1;)
# NMAP UDP Scan
alert udp any any -> any any (msg:"NMAP UDP Scan!!!"; sid:10000070; rev:1;)
Explanation of each rule
| Rule | What it detects | How it works |
|---|---|---|
| ICMP Test | any simple ping | any ICMP packet sent to the host |
| NMAP Ping Sweep | host discovery attempts | ICMP packet with an empty payload (dsize:0), which Nmap's ping sweep often sends |
| NMAP TCP Scan | TCP SYN scan across ports | any TCP packet with only the SYN flag set (flags:S), from Nmap or any other TCP scanner |
| NMAP XMAS Scan | TCP XMAS scan | any TCP packet with FIN+PSH+URG set (flags:FPU), a common Nmap scan type |
| NMAP FIN Scan | TCP FIN scan | any TCP packet with only the FIN flag set (flags:F), used to probe ports without establishing a full connection |
| NMAP NULL Scan | TCP NULL scan | any TCP packet with no flags set (flags:0), an attempt to bypass some firewalls |
| NMAP UDP Scan | UDP scan | any UDP packet to any port; Nmap uses this to discover services |
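Before running snort -T, it is worth catching the mistake that most often breaks a hand-written local.rules: two rules sharing a sid (the per-rule sids in A to F above differ from those in the combined file, so merging the two sets by hand is exactly how that happens). The following linter is an added example, not part of this write-up or of Snort: it parses the header/options structure shown above and reports duplicate or missing sids and malformed flags values, on a constructed rule set that contains one deliberate duplicate.

```python
import re
# Constructed sample: rules from the combined local.rules above plus one rule that deliberately reuses sid 10000030.
SAMPLE_RULES = """\
alert tcp any any -> any any (msg:"NMAP TCP Scan!!!"; flags:S; sid:10000030; rev:1;)
alert tcp any any -> any any (msg:"NMAP XMAS Scan!!!"; flags:FPU; sid:10000040; rev:1;)
alert tcp any any -> any any (msg:"NMAP NULL Scan!!!"; flags:0; sid:10000060; rev:1;)
alert udp any any -> any any (msg:"NMAP UDP Scan!!!"; sid:10000070; rev:1;)
# constructed mistake: sid 10000030 is already taken by the TCP rule above
alert tcp any any -> 10.0.2.15 22 (msg:"NMAP FIN Scan"; flags:F; sid:10000030; rev:1;)
"""
# action protocol src sport -> dst dport (options)
HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
# flags value: optional modifier (+ * !) then letters from FSRPAU120; an optional ",mask" part is ignored
FLAGS = re.compile(r"[+*!]?[FSRPAU120]+")
def parse_rule(line):
    """Split one rule into its header fields plus an 'options' dict (keyword -> value)."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rule = m.groupdict()
    opts = {}
    for opt in rule.pop("opts").split(";"):
        key, _, val = opt.strip().partition(":")
        if key:
            opts[key] = val.strip().strip('"')
    rule["options"] = opts
    return rule
def lint_rules(text):
    """Return problem strings: unparsable lines, missing or duplicate sids, bad flags values."""
    problems, seen = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        rule = parse_rule(line)
        if rule is None:
            problems.append(f"line {n}: cannot parse rule header")
            continue
        sid = rule["options"].get("sid")
        if sid is None:
            problems.append(f"line {n}: rule has no sid")
        elif sid in seen:
            problems.append(f"line {n}: sid {sid} already used on line {seen[sid]}")
        else:
            seen[sid] = n
        flags = rule["options"].get("flags")
        if flags is not None and not FLAGS.fullmatch(flags.split(",")[0]):
            problems.append(f"line {n}: unsupported flags value {flags!r}")
    return problems
```

The option splitter is deliberately simple (a ';' inside a quoted msg would confuse it), so treat this as a pre-check and let snort -T have the final word.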
- After saving the file, test the configuration:
sudo snort -T -c /etc/snort/snort.conf
- You should see:
Snort successfully validated the configuration! Snort exiting
- If that appears, everything is fine.
Now I'll test from the same machine
Because I will run the scans from the same machine (Target), I need to use the loopback interface (lo) or the target's internal IP 10.0.2.15 when running Snort, since scans from the same host won't traverse enp0s3 directly.
1. Start Snort on loopback (lo):
sudo snort -A console -q -c /etc/snort/snort.conf -i lo
-A console : show alerts on the terminal
-q : quiet mode to reduce noise
2. In another terminal, start scanning from the same host:
- First: Ping Sweep / ICMP Test:
ping 10.0.2.15
- Snort produced the alert:
ICMP test detected:
09/12-22:16:36.831126 [**] [1:10000010:1] ICMP test Detected!!! [**] [Priority: 0] {ICMP} 10.0.2.15 -> 10.0.2.15
Now I'll test from the Attacker VM:
- Target / Snort (Ubuntu) IP: 10.0.2.15 on interface enp0s3
- Start Snort on enp0s3:
sudo snort -A console -q -c /etc/snort/snort.conf -i enp0s3
Temporarily open the SSH port on the Target (Ubuntu):
sudo systemctl start ssh
sudo systemctl enable ssh # if you want it persistent after reboot
sudo ufw allow 22/tcp # if UFW is active
- Now port 22 is open on the Target.
Second: TCP SYN Scan from the Attacker:
# To detect open ports quickly and less obviously than a regular scan.
sudo nmap -sS 10.0.2.15
Alert: NMAP TCP Scan:
09/12-22:17:28.232537 [**] [1:10000030:1] NMAP TCP Scan!!! [**] [Priority: 0] {TCP} 10.0.2.15:59006 -> 10.0.2.15:80
09/12-22:17:28.232541 [**] [1:10000030:1] NMAP TCP Scan!!! [**] [Priority: 0] {TCP} 10.0.2.15:59006 -> 10.0.2.15:139
09/12-22:17:28.232545 [**] [1:10000030:1] NMAP TCP Scan!!! [**] [Priority: 0] {TCP} 10.0.2.15:59006 -> 10.0.2.15:25
Third: XMAS Scan from the Attacker:
# To detect open ports in stealth mode (using packets containing FIN, PSH and URG flags together).
sudo nmap -sX 10.0.2.15
Alert: NMAP XMAS Scan:
09/12-22:21:59.585254 [**] [1:10000040:1] NMAP XMAS Scan!!! [**] [Priority: 0] {TCP} 10.0.2.15:42309 -> 10.0.2.15:5952
09/12-22:21:59.585259 [**] [1:10000040:1] NMAP XMAS Scan!!! [**] [Priority: 0] {TCP} 10.0.2.15:42309 -> 10.0.2.15:5510
09/12-22:22:00.602432 [**] [1:10000040:1] NMAP XMAS Scan!!! [**] [Priority: 0] {TCP} 10.0.2.15:42310 -> 10.0.2.15:22
FIN Scan from the Attacker
# To detect open ports in stealth mode (using FIN packets instead of SYN).
sudo nmap -sF 10.0.2.15
Alert: NMAP FIN Scan:
09/12-22:22:51.010337 [**] [1:10000050:1] NMAP FIN Scan!!! [**] [Priority: 0] {TCP} 10.0.2.15:37063 -> 10.0.2.15:1148
09/12-22:22:51.010342 [**] [1:10000050:1] NMAP FIN Scan!!! [**] [Priority: 0] {TCP} 10.0.2.15:37063 -> 10.0.2.15:787
09/12-22:22:51.010346 [**] [1:10000050:1] NMAP FIN Scan!!! [**] [Priority: 0] {TCP} 10.0.2.15:37063 -> 10.0.2.15:7001
NULL Scan from the Attacker
# To identify open or closed ports in stealth mode (without any flags in the TCP header).
sudo nmap -sN 10.0.2.15
Alert: NMAP NULL Scan:
09/12-22:23:40.987444 [**] [1:10000060:1] NMAP NULL Scan!!! [**] [Priority: 0] {TCP} 10.0.2.15:37800 -> 10.0.2.15:6129
09/12-22:23:40.987448 [**] [1:10000060:1] NMAP NULL Scan!!! [**] [Priority: 0] {TCP} 10.0.2.15:37800 -> 10.0.2.15:27356
09/12-22:23:40.987452 [**] [1:10000060:1] NMAP NULL Scan!!! [**] [Priority: 0] {TCP} 10.0.2.15:37800 -> 10.0.2.15:10566
UDP Scan from the Attacker
# To detect open UDP ports and the services running on them.
sudo nmap -sU 10.0.2.15
Alert: NMAP UDP Scan:
09/12-22:24:41.947120 [**] [1:10000010:1] ICMP test Detected!!! [**] [Priority: 0] {ICMP} 10.0.2.15 -> 10.0.2.15
09/12-22:24:41.947123 [**] [1:10000070:1] NMAP UDP Scan!!! [**] [Priority: 0] {UDP} 10.0.2.15:56847 -> 10.0.2.15:112
09/12-22:24:41.947124 [**] [1:10000010:1] ICMP test Detected!!! [**] [Priority: 0] {ICMP} 10.0.2.15 -> 10.0.2.15
09/12-22:24:43.006069 [**] [1:10000070:1] NMAP UDP Scan!!! [**] [Priority: 0] {UDP} 10.0.2.15:56848 -> 10.0.2.15:5353
- The ICMP messages you see are not from a normal ping; they are the ICMP port-unreachable responses that occur when a UDP scan probes closed ports.
The host was noisy (responding), but everything behaved as expected.
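Each rule above fires once per probed port, so a scan shows up as a burst of alert lines, one per port, while a single stray packet produces one line of exactly the same shape. The parser below is an added example, not part of this write-up or of Snort: it reads the alert_fast lines shown above, groups them by rule, source and destination, and flags a pair as a scan only when one source hits several distinct destination ports within a short window. The sample log is constructed from the alerts above; the 5-second window and 3-port threshold are assumptions to tune for your network.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in alert_fast format, modelled on the alerts above.
SAMPLE_ALERTS = """\
09/12-22:17:28.232537 [**] [1:10000030:1] NMAP TCP Scan!!! [**] [Priority: 0] {TCP} 10.0.2.15:59006 -> 10.0.2.15:80
09/12-22:17:28.232541 [**] [1:10000030:1] NMAP TCP Scan!!! [**] [Priority: 0] {TCP} 10.0.2.15:59006 -> 10.0.2.15:139
09/12-22:17:28.232545 [**] [1:10000030:1] NMAP TCP Scan!!! [**] [Priority: 0] {TCP} 10.0.2.15:59006 -> 10.0.2.15:25
09/12-22:24:41.947120 [**] [1:10000010:1] ICMP test Detected!!! [**] [Priority: 0] {ICMP} 10.0.2.15 -> 10.0.2.15
09/12-22:24:41.947123 [**] [1:10000070:1] NMAP UDP Scan!!! [**] [Priority: 0] {UDP} 10.0.2.15:56847 -> 10.0.2.15:112
09/12-22:24:43.006069 [**] [1:10000070:1] NMAP UDP Scan!!! [**] [Priority: 0] {UDP} 10.0.2.15:56848 -> 10.0.2.15:5353
"""

# timestamp [**] [gid:sid:rev] msg [**] [Priority: n] {PROTO} src[:port] -> dst[:port]
ALERT = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$")

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert_fast line."""
    m = ALERT.match(line)
    return m.groupdict() if m else None

def port_fanout(text, window_s=5.0, min_ports=3):
    """Group TCP/UDP alerts by (sid, msg, src, dst) and report each group in
    which one source hits at least min_ports distinct destination ports within
    window_s seconds: that is a scan, not a single stray packet."""
    hits = defaultdict(list)
    for line in text.splitlines():
        a = parse_alert(line)
        if a and a["dport"]:  # ICMP alerts carry no ports and are skipped here
            t = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f")
            hits[(a["sid"], a["msg"], a["src"], a["dst"])].append((t, int(a["dport"])))
    scans = []
    for (sid, msg, src, dst), events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # sliding window starting at each alert
            ports = {p for t, p in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                scans.append({"sid": sid, "msg": msg, "src": src, "dst": dst, "ports": len(ports)})
                break
    return scans
```

With the defaults, the three SYN alerts are reported as one scan while the two UDP alerts stay below the threshold; the ICMP lines are parsed but do not count toward port fan-out.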
Summary / Conclusion
- Snort is successfully configured as an IDS on Ubuntu.
- All tested Nmap scan types were detected accurately.
- The environment is ready for further monitoring and packet analysis (PCAP/Wireshark).
"Control the code, and you control the world." From wiping metadata to gaining root access - every step is documented and my goal is to deeply understand the system, not just hack!
See You Soon