Exploring Intrusion Detection Systems: A Hands-On Approach
- Evo-user
- May 24
- 10 min read
In the ever-evolving world of cybersecurity, theoretical knowledge alone isn’t enough—learning by doing is crucial for mastering real-world applications. Setting up an Intrusion Detection System (IDS) not only helps in understanding network security threats but also prepares professionals to tackle emerging cyberattacks with confidence.
This project dives into the implementation of Snort IDS—a widely used open-source intrusion detection tool—integrating it with the ELK Stack (Elasticsearch, Logstash, Kibana) to visualize incoming threats in real time. By actively configuring IDS rules, simulating attacks, and analyzing logs through Kibana dashboards, this project transforms knowledge into practice.
Meet the Contributor: Mr. Rohil Gajjar
This project was spearheaded and executed fully by Rohil, a passionate cybersecurity enthusiast currently honing his skills as a Penetration Testing Trainee with us. With a B.Tech in Computer Engineering, Rohil has developed a strong foundation in network security and Penetration Testing
His key areas of interest include:
Vulnerability Assessment and Penetration Testing (VAPT)
Network Security
Web Application Security
Driven by curiosity and a hands-on approach, Rohil actively explores cybersecurity challenges, making impactful contributions to this project. His work in integrating Snort IDS with the ELK Stack demonstrates his dedication to learning and improving network security monitoring.
Project Overview
This project was designed to simulate and analyze cyber threats, specifically:
Port scanning attacks
Brute-force SSH authentication attempts
Using Snort 2.9, a powerful IDS deployed in a host-based configuration, network threats were actively monitored and detected. The alerts generated by Snort were seamlessly forwarded to the ELK Stack, enabling efficient parsing, analysis, and visualization—resulting in an actionable threat monitoring dashboard.
Key Objectives
Install and configure Snort 2.9 to detect suspicious network activities.
Simulate cyberattacks (port scanning, brute-force attempts) to test detection mechanisms.
Integrate Snort logs with the ELK Stack for structured data analysis.
Build a Kibana dashboard for streamlined alert visualization.
By combining Snort IDS with ELK, security teams can effectively track attack patterns, enhance network defense, and develop proactive mitigation strategies.
System Architecture
The setup consists of two Ubuntu 22.04 virtual machines:
Snort Server (Host-Based IDS)
Runs Snort IDS in monitoring mode.
Detects Indicators-of-Compromise (IoCs), such as port scanning attempts and SSH brute-force attacks using predefined rules.
Log Analysis Desktop (ELK Stack Integration)
Hosts the ELK Stack (Elasticsearch, Logstash, Kibana).
Receives Snort logs via Filebeat and provides real-time data visualization.

Setting Up Snort IDS
Snort is a powerful open-source Intrusion Detection System (IDS) designed to monitor network traffic, detect suspicious behavior, and generate alerts based on predefined rules. Below is a step-by-step guide to installing and configuring Snort on Ubuntu 22.04.
Installation
Snort can be installed using the following command:
sudo apt-get install snort
Once installed, ensure Snort is properly configured by verifying its version:
snort -V
This confirms that Snort is installed and ready for use.
Configuration
To optimize Snort for effective intrusion detection, key parameters must be set within the snort.conf configuration file.
Define Network Variables
In the snort.conf file, set up key environment variables to specify the monitored network range:
var HOME_NET [192.168.56.0/24]
var EXTERNAL_NET any
Enable the Port Scanning Preprocessor
The sfportscan preprocessor helps detect port scanning attempts. The following configuration enables port scan tracking with controlled sensitivity:
preprocessor sfportscan: \
proto { all } \
memcap 10000000 \
sense_level low \
logfile /var/log/snort/portscan.log
Parameter | Purpose |
Proto {all} | Monitors all protocols (TCP, UDP, ICMP, etc.) |
logfile | Defines path to save port scan log file |
memcap 10000000 | Allocates memory cap for tracking scans (10 MB) |
sense_level low | Adjusts sensitivity of detection (low, medium, high) |
Custom Rule for SSH Brute Force Detection
Brute-force attacks target SSH authentication by rapidly guessing passwords. The following Snort custom rule detects multiple failed login attempts and flags them:
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
(msg:"Multiple SSH Login Attempts Detected"; flags:S; \
threshold:type both, track by_src, count 5, seconds 60; sid:1000001; rev:1;)
Parameter | Purpose |
alert | Action triggered when rule conditions are met |
tcp | Protocol being monitored (TCP) |
$EXTERNAL_NET any -> $HOME_NET 22 | Monitors incoming traffic targeting SSH (port 22) |
msg | Displays custom alert message upon detection |
flag S | Identifies SYN Packets initiating an SSH connection |
threshold:type both, track by_src, count 5, seconds 60; | Limits excessive alerts (5 attempts in 60 sec) |
Save Configuration and Restart Snort
Once configurations are complete, restart Snort to apply changes:
sudo systemctl restart snort
Snort is now ready to detect various attack patterns and log alerts for further analysis.
Simulating Attacks: Testing Snort IDS
To validate Snort’s effectiveness in detecting real-world cyber threats, multiple attack simulations were conducted. The two primary scenarios tested were port scanning and brute-force SSH attacks, commonly seen in cybersecurity incidents.
Port Scanning Attack Simulation
Port scanning is a reconnaissance technique where attackers probe a system to identify open ports that might be vulnerable. The following steps were performed to simulate and detect port scanning attempts using nmap.
Attack Execution (from Attacker VM)
The attacker used `nmap` to scan open ports on the target machine:
sudo nmap -sS -p- 192.168.56.103

Snort Detection:
The `sfportscan` preprocessor flagged multiple scan attempts.
Alerts were logged, showing attempts to access SNMP and TFTP ports.

By monitoring these alerts, security teams can proactively detect potential reconnaissance attempts, preventing attackers from identifying exploitable entry points.
SSH Brute-Force Attack Simulation
Brute-force attacks attempt to gain unauthorized access by systematically guessing login credentials. Snort was configured to identify multiple failed SSH authentication attempts
Attack Execution
Using Hydra, a brute-force attack was launched against the target system:
hydra -L rockyou.txt -p 12345 ssh://192.168.56.103

Snort Detection:
The custom rule triggered an alert upon detecting five failed attempts from the same source within 60 seconds.
Logged alerts indicated suspicious activity, highlighting the attacker's IP address.

Why Simulated Attacks Matter
By conducting controlled attack simulations, security teams can:
Test Snort IDS rule effectiveness in detecting threats.
Fine-tune detection parameters to minimize false positives.
Enhance cybersecurity strategies by understanding attacker behavior.
Working with Snort Logs: Capturing & Analyzing Intrusion Alerts
Once Snort IDS is actively monitoring network traffic, it generates logs that provide valuable insights into detected threats. These logs serve as the foundation for incident response, forensic analysis, and security reporting.
Snort Log Formats
Snort provides multiple logging formats, each suited for different analysis needs. The key formats include:
Fast Alert Mode – Lightweight, readable format used for quick incident response.
Full Alert Mode – Provides detailed packet information for forensic analysis.
Binary Mode (pcap) – Captures raw network traffic, useful for deep packet inspection.
In this setup, Fast Alert Mode was selected for simplicity and efficiency.
Log Storage Location:
Snort logs are stored in the following directory:
/var/log/snort/snort.alert.fast
Log Analysis: Understanding Detected Threats
Once an attack occurs, Snort generates alerts indicating the type of suspicious activity detected. Below is a snippet of how Snort logs a detected brute-force SSH attack:
[**] [1:1000001:1] Multiple SSH Login Attempts Detected [**]
[Priority: 1] {TCP} 192.168.56.103 -> 192.168.56.102

Breakdown of the Log Entry:
Log Component | Description | Significance |
1:1000001:1 | Rule ID (Generator ID: 1, Snort SID: 1000001, Rev: 1 | Identifies the specific Snort rule that triggered the alert. |
Multiple SSH Login | Alert Message generated by the rule. | Describes the detected suspicious activity. |
Priority:1 | Severity Level assigned by Snort | Indicates a high-priority event requiring immediate attention. |
192.168.56.102 --> 192.168.56.103 | Source and Destination IPs | Displays the attacker's IP (192.168.56.102) and the target VM's IP (192.168.56.103). |
{TCP} | Protocol involved in the alert | Shows that the detected activity occurred over TCP. |
Security teams can use these logs to identify attack sources, monitor attack trends, and refine Snort rules to enhance detection accuracy.
Integrating Snort with the ELK Stack
Now that Snort is actively detecting and logging security alerts, the next step is to integrate Snort logs with the ELK Stack for advanced data processing and visualization.
ELK Stack Setup
The ELK Stack (Elasticsearch, Logstash, Kibana) enables efficient log processing and threat monitoring. Here’s how the components interact:
Elasticsearch – Stores and indexes Snort alerts for fast search retrieval.
Logstash – Parses and enriches raw Snort logs.
Kibana – Provides intuitive visual dashboards for analyzing security incidents.
Configuring Logstash
Logstash acts as the processing pipeline that receives Snort logs and prepares them for indexing in Elasticsearch.
Input Configuration: Listening for logs sent from Filebeat.

Filter Configuration: Parsing Snort alerts using Grok patterns to extract key fields.

Output Configuration: Sending formatted logs to Elasticsearch for indexing.

input {
beats {
port => 5044
}
}
filter {
grok {
match => { "message" => "%{DATA:timestamp} \[%{INT:gid}:%{INT:sid}:%{INT:rev}\] %{GREEDYDATA:alert}" }
}
}
output {
elasticsearch {
hosts => ["http://localhost:9200"]
index => "snort-alerts-%{+YYYY.MM.dd}"
}
}
Filebeat Setup on Snort Server
To forward logs efficiently, Filebeat is configured on the Snort server to capture alerts and transmit them to Logstash.
Installed Filebeat and configured it to monitor Snort’s Fast Alert logs stored at:
/var/log/snort/snort.alert.fast
Filebeat was set to send logs to Logstash at port 5044, ensuring structured ingestion. (YAML Format)
filebeat.inputs:
- type: log
paths:
- /var/log/snort/snort.alert.fast
output.logstash:
hosts: ["192.168.56.103:5044"]

Verifying Integration
Once Snort logs are forwarded:
Logstash processes alerts and sends them to Elasticsearch.
Elasticsearch indexes threat data for query-based searches.
Kibana visualizes attack patterns in real-time dashboards.
Visualizing Logs in Kibana
Now that Snort alerts are successfully flowing into Elasticsearch, it’s time to visualize this data using Kibana. Kibana enables security teams to explore attack trends, analyze source/destination IPs, and monitor common threats with interactive dashboards.
Creating an Index Pattern in Kibana
To start analyzing Snort logs in Kibana:
Navigate to Kibana → Stack Management → Data Views.
Create a new Data View using the pattern:
snort-alerts-*

Save the configuration and move to the Discover section.

Analyzing Snort Alerts in Kibana
Once logs are indexed, users can search, filter, and explore attack alerts efficiently. Kibana allows analysis based on:
Timestamp – Tracking when attacks occurred.
Source/Destination IPs – Identifying attackers and targeted systems.
Network Protocols – Categorizing alerts (TCP, UDP, ICMP, etc.).
Alert Messages – Understanding detected attack patterns.


Creating Dashboards for Real-Time Monitoring
Custom dashboards in Kibana help security teams visualize attack trends over time. Some meaningful insights include:
Alert Frequency Over Time – Detecting attack spikes and patterns.
Source IP Heatmap – Pinpointing frequent attackers.
Port Attack Trends – Identifying commonly targeted ports.
Intrusion Type Analysis – Categorizing attack vectors (port scans, brute force).


This structured visualization enables rapid threat detection, proactive security defense, and better incident response strategies.
Challenges & Fixes
Every cybersecurity deployment comes with obstacles, and setting up Snort IDS with the ELK Stack was no exception. Below are some of the key challenges encountered during implementation and how they were resolved.
Problem | Fix |
Elasticsearch and Logstash failed to start due to incompatible dependencies. | Ensured installation was done using a Java 8-compatible environment, resolving version conflicts. |
Snort failed to detect port scanning attempts consistently. | Fine-tuned Snort preprocessor rules and adjusted IP variables in snort.conf to accurately track suspicious activity. |
Elasticsearch failed to launch due to improper heap size configuration. | Reverted manual heap size changes and optimized Elasticsearch settings to ensure stability. |
Large volumes of Snort logs caused slow log ingestion into ELK | Implemented Logstash pipelines, Grok parsing optimization, and index lifecycle policies to manage data efficiently. |
By addressing these challenges, the Snort + ELK integration became a reliable, scalable intrusion detection solution capable of real-time threat analysis and visualization.
Final Thoughts & Takeaways
Successfully integrating Snort IDS with the ELK Stack demonstrates the power of proactive network security monitoring. This project showcases how intrusion detection systems can help analyze attack patterns, visualize threats, and strengthen cybersecurity defenses.
By simulating port scanning and brute-force attacks, we tested Snort’s effectiveness, ensuring alerts were processed, indexed, and displayed via Kibana dashboards. These visual insights empower security teams to make informed decisions and quickly respond to potential threats before they escalate.
Key Learnings from the Project
Snort IDS can effectively detect reconnaissance and brute-force attempts using predefined rules.
The ELK Stack enhances threat visibility by transforming raw alerts into structured, actionable data.
Combining Filebeat, Logstash, Elasticsearch, and Kibana enables efficient security event correlation and analysis.
Fine-tuning IDS rules and optimizing log parsing significantly improves detection accuracy while reducing false positives.
This setup serves as a valuable learning experience for cybersecurity professionals, demonstrating a hands-on approach to network defense through real-world simulations.
A Note of Appreciation for Mr. Rohil
We extend our sincere appreciation to Mr. Rohil for his dedication and hard work in configuring, testing, and fine-tuning Snort IDS with ELK. His hands-on approach, passion for cybersecurity, and problem-solving mindset were instrumental in making this project a success.
Rohil’s contributions reflect a strong commitment to cybersecurity research and practical implementation. His efforts in rule optimization, attack simulation, and threat visualization demonstrate exceptional skill and initiative.
We encourage him to continue exploring network security, VAPT, and advanced threat detection techniques — his future in cybersecurity looks promising!
Rohil can be reached via his Linkedin
コメント