I deployed Snort as both an Intrusion Detection System and an Intrusion Prevention System. I compiled required components, tuned rules, and validated detection with controlled tests before enabling inline blocking.
(How to Implement IDS-IPS)
Install Snort with required libraries and DAQ.
Configure network variables, rule paths, and logging.
Validate detection and optionally enable inline prevention.
Document architecture, rules enabled, and test results.
Ubuntu or comparable Linux host with sudo access
Basic Linux shell skills
Snort, DAQ, Linux
Wireshark and tcpdump for packet validation
Centralized logging destination
1. Update the system
sudo apt update
sudo apt upgrade -y
2. Install build dependencies
sudo apt install -y build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev libssl-dev libluajit-5.1-dev libtirpc-dev pkg-config
3. Build and install DAQ
Download the DAQ source, extract it, then run ./configure && make && sudo make install.
Verify the library is registered with ldconfig -p | grep daq.
4. Build and install Snort
Download the latest Snort 2 source, extract it, then run ./configure --enable-sourcefire && make && sudo make install.
Run sudo ldconfig, then symlink the snort binary into a directory on PATH if needed.
5. Create directories
/etc/snort, /etc/snort/rules, /var/log/snort, /usr/local/lib/snort_dynamicrules.
6. Load rules and base config
Copy community rules into /etc/snort/rules.
Copy default configuration files to /etc/snort.
Edit /etc/snort/snort.conf:
Set HOME_NET to your subnet, for example 192.168.1.0/24.
Set RULE_PATH and include community rules.
7. Test configuration
Run sudo snort -T -c /etc/snort/snort.conf to validate the configuration; Snort parses the config and rules, reports any errors, and exits.
8. Run in IDS mode
Run sudo snort -A console -q -c /etc/snort/snort.conf -i <interface>, replacing <interface> with the monitored interface.
Generate benign traffic and confirm alerts and logs under /var/log/snort.
9. Optional IPS inline mode
In snort.conf, set config policy_mode:inline.
Run inline across two bridged interfaces: sudo snort -Q --daq afpacket -c /etc/snort/snort.conf -i eth0:eth1.
Verify that malicious test traffic is blocked.
10. Monitor and document
Tail alerts with sudo tail -f /var/log/snort/alert.
Record rule sets enabled, false positive notes, and engine versions.
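To support the monitoring and documentation step above, here is an added example (not part of the original write-up, and not Snort project code) that parses Snort 2 fast-format alert lines, such as those written to /var/log/snort/alert when alerting with -A fast, and aggregates them per rule SID so false positives can be spotted and noted. The alert lines in SAMPLE_ALERTS are constructed for the example; the SIDs 1000001 and 1000002 and the addresses are placeholders, and the parser assumes IPv4 addresses.

```python
import re
import sys

# Snort 2 "fast" alert line, e.g.
# 03/15-14:22:01.123456  [**] [1:1000001:1] MSG [**] [Classification: X] [Priority: 3] {TCP} 10.0.0.1:1234 -> 10.0.0.2:80
# The [Classification: ...] part is absent for rules without a classtype, and ports
# are absent for protocols such as ICMP, so both are optional in the pattern.
ALERT_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?'
    r'\[Priority:\s+(?P<prio>\d+)\]\s+'
    r'\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$'
)

# Constructed sample alerts (not real captures); the last line is deliberately malformed.
SAMPLE_ALERTS = [
    "03/15-14:22:01.123456  [**] [1:1000001:1] LOCAL ICMP echo request seen [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10 -> 192.168.1.1",
    "03/15-14:22:02.654321  [**] [1:1000001:1] LOCAL ICMP echo request seen [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.11 -> 192.168.1.1",
    "03/15-14:23:10.000001  [**] [1:1000002:1] LOCAL HTTP test string [**] "
    "[Priority: 0] {TCP} 192.168.1.10:51234 -> 192.168.1.1:80",
    "this line is not an alert and is skipped",
]


def parse_alert_line(line):
    """Return a dict of fields for one fast-format alert line, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["priority"] = int(rec.pop("prio"))
    for key in ("gid", "sid", "rev"):
        rec[key] = int(rec[key])
    for key in ("sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def summarize(lines):
    """Aggregate alerts per (gid, sid): count, message, priority, distinct sources, first/last seen.

    Lines that do not parse are skipped rather than aborting the run, so a partially
    written or truncated alert file still yields a usable summary.
    """
    summary = {}
    for line in lines:
        rec = parse_alert_line(line)
        if rec is None:
            continue
        key = (rec["gid"], rec["sid"])
        entry = summary.setdefault(key, {
            "msg": rec["msg"], "priority": rec["priority"], "count": 0,
            "sources": set(), "first": rec["ts"], "last": rec["ts"],
        })
        entry["count"] += 1
        entry["sources"].add(rec["src"])
        entry["last"] = rec["ts"]  # file is append-only, so later lines are later in time
    return summary


def format_report(summary):
    """Render the summary as text, most frequent rule first (noisy rules are tuning candidates)."""
    rows = sorted(summary.items(), key=lambda kv: -kv[1]["count"])
    out = ["gid:sid  count  prio  srcs  message  (first .. last)"]
    for (gid, sid), e in rows:
        out.append(f"{gid}:{sid}  {e['count']}  {e['priority']}  {len(e['sources'])}  "
                   f"{e['msg']}  ({e['first']} .. {e['last']})")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python snort_alert_summary.py [/var/log/snort/alert]; with no path, the
    # constructed sample alerts are summarized instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            alert_lines = fh.readlines()
    else:
        alert_lines = SAMPLE_ALERTS
    print(format_report(summarize(alert_lines)))
```

The per-SID count together with the number of distinct sources is what to record in the false-positive notes: a rule that fires constantly from many internal hosts on benign traffic is the first candidate for a threshold or suppression in the config before inline blocking is turned on.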
Working IDS with validated alerts and optional inline IPS that blocks known bad patterns.
A baseline for rule tuning and integration with a Security Information and Event Management system later.
IDS and IPS deployment and tuning
Packet analysis and rule management
Linux build and service operations