IDS Fundamentals – Snort (Practical Learning Guide)


Intrusion Detection Systems (IDS) are an essential part of modern cybersecurity. They help detect malicious activities inside a network after traffic has already passed through the firewall. In this blog, we will explore the basics of IDS, types of IDS, Snort IDS, rule creation, and a practical forensic investigation using a PCAP file.


What is an IDS?

An Intrusion Detection System (IDS) is a security tool that monitors network traffic and detects suspicious or malicious activity.

A firewall works like a gatekeeper, controlling who enters or leaves the network. However, if an attacker bypasses the firewall, the IDS acts like surveillance cameras, monitoring activities inside the network.

When an IDS detects suspicious activity, it generates alerts for security administrators, but it does not itself block the attack.

Answer

Can an IDS prevent the threat after detecting it?
Answer: Nay


Types of IDS

IDSs are classified by deployment mode (where the sensor runs) and by detection technique (how suspicious traffic is recognized).

1. Host Intrusion Detection System (HIDS)

  • Installed on individual devices.

  • Monitors activities of that specific host.

  • Provides detailed visibility.

Disadvantage: Hard to manage in large networks.


2. Network Intrusion Detection System (NIDS)

  • Monitors the entire network traffic.

  • Detects suspicious activity across all hosts.

  • Provides a centralized view of threats.

Answer

Which type of IDS is deployed to detect threats throughout the network?
Answer: Network Intrusion Detection System (NIDS)


Detection Modes of IDS

Signature-Based IDS

  • Detects attacks using known patterns (signatures).

  • Fast detection for known threats.

Limitation: Cannot detect zero-day attacks.


Anomaly-Based IDS

  • Learns the normal behavior of a network.

  • Detects deviations from normal activity.

Advantage: Can detect zero-day attacks.

Limitation: Can produce false positives.


Hybrid IDS

  • Combines signature-based detection and anomaly detection.

Answer

Which IDS leverages both signature-based and anomaly-based detection techniques?
Answer: Hybrid IDS


Snort IDS

Snort is one of the most widely used open-source IDS tools; it was first released in 1998.

It detects threats using:

  • Signature-based detection

  • Anomaly-based detection

Snort uses rules to identify suspicious traffic. These rules can be:

  • Default rules

  • Custom rules

Administrators can create their own rules to detect specific types of network traffic.


Snort Operating Modes

Snort can operate in three modes.

1. Packet Sniffer Mode

  • Reads network packets

  • Displays traffic without analysis

Use Case: Network troubleshooting.


2. Packet Logging Mode

  • Logs traffic into PCAP files

  • Useful for forensic investigation.

Answer

Which mode logs network traffic in PCAP format?
Answer: Packet Logging Mode


3. Network Intrusion Detection System Mode

  • The primary mode of Snort.

  • Monitors network traffic in real time.

  • Matches packets against rule signatures.

Answer

What is the primary mode of Snort?
Answer: Network Intrusion Detection System (NIDS) Mode


Snort File Structure

Snort configuration files are stored in:

/etc/snort

This directory contains:

  • configuration files

  • rule files

  • detection settings

Answer

Where is the main directory of Snort?
Answer: /etc/snort


Snort Rule Structure

A basic Snort rule contains several components:

alert icmp any any -> $HOME_NET any (msg:"Ping Detected"; sid:10001; rev:1;)

Rule Components

Action

Defines what Snort should do when the rule matches.

Example:

alert

Protocol

Defines which protocol to monitor.

Example:

icmp

Answer

Which protocol is defined in the sample rule?
Answer: icmp


Source IP and Port

Defines where the traffic originates.

Example:

any any

Destination IP and Port

Defines where the traffic is going.

Example:

$HOME_NET any

Rule Metadata

Includes extra details about the rule.

Important fields include:

msg – Alert message
sid – Unique rule identifier
rev – Rule revision number

Answer

Which field indicates the revision number?
Answer: rev
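To make the rule anatomy above concrete, here is an added example (not code from the original writeup or from the Snort project) that splits a rule into the header fields and metadata options discussed, then runs the checks a reviewer would apply before loading it into local.rules. The second sample rule for SSH on port 22 is an assumption constructed for this example.

```python
import re

# Header: action, protocol, source/port, direction, destination/port, then "(options)"
HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)

def parse_rule(rule):
    """Split one Snort rule into its header fields and an options dictionary."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError(f"not a Snort rule: {rule!r}")
    fields = m.groupdict()
    raw_opts = fields.pop("opts")
    opts = {}
    # Options are "key:value;" pairs. A quoted value (e.g. msg) may contain ';',
    # so split on ';' only outside double quotes.
    for opt in re.findall(r'(?:[^;"]|"[^"]*")+', raw_opts):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        opts[key.strip()] = value.strip().strip('"')
    fields["options"] = opts
    return fields

def check_rule(parsed):
    """Problems a reviewer would flag before loading the rule into local.rules."""
    problems = []
    opts = parsed["options"]
    for required in ("msg", "sid", "rev"):
        if required not in opts:
            problems.append(f"missing {required}")
    sid = opts.get("sid", "")
    # Snort reserves SIDs below 1,000,000 for the rules shipped with Snort;
    # locally written rules conventionally start at 1,000,000.
    if sid.isdigit() and int(sid) < 1_000_000:
        problems.append("local rule sid should be >= 1000000")
    return problems

# Constructed inputs: the page's sample rule plus an assumed SSH rule for port 22.
SAMPLE_RULES = [
    'alert icmp any any -> $HOME_NET any (msg:"Ping Detected"; sid:10001; rev:1;)',
    'alert tcp any any -> $HOME_NET 22 (msg:"SSH Connection Attempt"; sid:1000002; rev:1;)',
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        parsed = parse_rule(rule)
        print(parsed["proto"], parsed["dst"], parsed["dport"], parsed["options"], check_rule(parsed))
```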


Custom Rules in Snort

Custom rules are stored in:

/etc/snort/rules/local.rules

Answer

Which file contains custom rules?
Answer: local.rules


Running Snort

Command to run Snort for real-time detection:

sudo snort -q -l /var/log/snort -i lo -A console -c /etc/snort/snort.conf

This command:

  • runs Snort quietly (-q), without the startup banner

  • logs alerts and packets to /var/log/snort (-l)

  • monitors the loopback interface (-i lo) and prints alerts to the console (-A console)

  • uses the Snort configuration file /etc/snort/snort.conf (-c)


Running Snort on PCAP Files

Sometimes security analysts need to investigate previous network attacks.

Snort can analyze stored traffic using PCAP files.

Command:

sudo snort -q -l /var/log/snort -r Task.pcap -A console -c /etc/snort/snort.conf

This allows analysts to detect malicious traffic in historical network captures.


Practical Forensic Investigation

Scenario:

You are a forensic investigator analyzing a captured network traffic file named:

Intro_to_IDS.pcap

This PCAP file is located in:

/etc/snort/

Your task is to analyze the traffic using Snort.


Investigation Results

Question 1

What is the IP address that tried to connect using SSH?

Answer:

10.11.90.211

Question 2

What other rule message was detected besides SSH?

Answer:

Ping Detected

Question 3

What is the SID of the SSH detection rule?

Answer:

1000002
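The three questions above are answered by reading the alerts that Snort prints with -A console. As an added example (not part of the original room or writeup), the following parses that console output and extracts the SSH source address, the other rule messages, and the SID of the SSH rule; the alert lines are constructed, and the SSH rule's message text is an assumption since the page gives only its SID.

```python
import re
from collections import Counter

# One line of Snort console/fast alert output: timestamp, [gid:sid:rev], msg,
# optional classification, priority, {proto}, src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_alerts(text):
    """Return one dict per alert line; lines that are not alerts are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts

def investigate(text, ssh_hint="SSH"):
    """Answer the investigation questions from Snort's alert output."""
    alerts = parse_alerts(text)
    ssh = [a for a in alerts if ssh_hint.lower() in a["msg"].lower()]
    ssh_msgs = {a["msg"] for a in ssh}
    return {
        "ssh_sources": sorted({a["src"] for a in ssh}),
        "other_messages": sorted({a["msg"] for a in alerts} - ssh_msgs),
        "ssh_sids": sorted({a["sid"] for a in ssh}),
        "alerts_per_sid": dict(Counter(a["sid"] for a in alerts)),
    }

# Constructed alert lines in Snort's console format; the SSH rule's message text
# is assumed, the page gives only its SID (1000002).
SAMPLE_ALERTS = """\
01/19-10:22:31.000100  [**] [1:10001:1] Ping Detected [**] [Priority: 0] {ICMP} 10.11.90.211 -> 10.10.10.10
01/19-10:22:32.000100  [**] [1:10001:1] Ping Detected [**] [Priority: 0] {ICMP} 10.11.90.211 -> 10.10.10.10
01/19-10:22:35.120000  [**] [1:1000002:1] SSH Connection Attempt [**] [Priority: 0] {TCP} 10.11.90.211:51234 -> 10.10.10.10:22
"""

if __name__ == "__main__":
    for key, value in investigate(SAMPLE_ALERTS).items():
        print(f"{key}: {value}")
```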

Final Summary

In this lab we learned:

  • What an Intrusion Detection System (IDS) is

  • Differences between HIDS and NIDS

  • Detection methods like Signature, Anomaly, and Hybrid IDS

  • How Snort IDS works

  • Snort modes of operation

  • Creating custom rules

  • Investigating PCAP files using Snort

Snort is a powerful open-source IDS tool widely used by security analysts, SOC teams, and forensic investigators.
