Exploring Intrusion Detection Systems: A Hands-On Approach

Evo-user
May 24
10 min read

In the ever-evolving world of cybersecurity, theoretical knowledge alone isn’t enough—learning by doing is crucial for mastering real-world applications. Setting up an Intrusion Detection System (IDS) not only helps in understanding network security threats but also prepares professionals to tackle emerging cyberattacks with confidence.

This project dives into the implementation of Snort IDS—a widely used open-source intrusion detection tool—integrating it with the ELK Stack (Elasticsearch, Logstash, Kibana) to visualize incoming threats in real time. By actively configuring IDS rules, simulating attacks, and analyzing logs through Kibana dashboards, this project transforms knowledge into practice.

Meet the Contributor: Mr. Rohil Gajjar

This project was spearheaded and executed fully by Rohil, a passionate cybersecurity enthusiast currently honing his skills as a Penetration Testing Trainee with us. With a B.Tech in Computer Engineering, Rohil has developed a strong foundation in network security and Penetration Testing

His key areas of interest include:

Vulnerability Assessment and Penetration Testing (VAPT)
Network Security
Web Application Security

Driven by curiosity and a hands-on approach, Rohil actively explores cybersecurity challenges, making impactful contributions to this project. His work in integrating Snort IDS with the ELK Stack demonstrates his dedication to learning and improving network security monitoring.

Project Overview

This project was designed to simulate and analyze cyber threats, specifically:

Port scanning attacks
Brute-force SSH authentication attempts

Using Snort 2.9, a powerful IDS deployed in a host-based configuration, network threats were actively monitored and detected. The alerts generated by Snort were seamlessly forwarded to the ELK Stack, enabling efficient parsing, analysis, and visualization—resulting in an actionable threat monitoring dashboard.

Key Objectives

Install and configure Snort 2.9 to detect suspicious network activities.
Simulate cyberattacks (port scanning, brute-force attempts) to test detection mechanisms.
Integrate Snort logs with the ELK Stack for structured data analysis.
Build a Kibana dashboard for streamlined alert visualization.
By combining Snort IDS with ELK, security teams can effectively track attack patterns, enhance network defense, and develop proactive mitigation strategies.

System Architecture

The setup consists of two Ubuntu 22.04 virtual machines:

Snort Server (Host-Based IDS)

Runs Snort IDS in monitoring mode.
Detects Indicators-of-Compromise (IoCs), such as port scanning attempts and SSH brute-force attacks using predefined rules.

Log Analysis Desktop (ELK Stack Integration)

Hosts the ELK Stack (Elasticsearch, Logstash, Kibana).
Receives Snort logs via Filebeat and provides real-time data visualization.

Network security project overview: An Ubuntu server with Snort in IDS mode collects and ships logs to a logging machine using Filebeat. These logs are then monitored and visualized on an Ubuntu desktop configured with the ELK Stack.

Setting Up Snort IDS

Snort is a powerful open-source Intrusion Detection System (IDS) designed to monitor network traffic, detect suspicious behavior, and generate alerts based on predefined rules. Below is a step-by-step guide to installing and configuring Snort on Ubuntu 22.04.

Installation

Snort can be installed using the following command:

sudo apt-get install snort

Once installed, ensure Snort is properly configured by verifying its version:

snort -V

This confirms that Snort is installed and ready for use.

Configuration

To optimize Snort for effective intrusion detection, key parameters must be set within the snort.conf configuration file.

Define Network Variables

In the snort.conf file, set up key environment variables to specify the monitored network range:

var HOME_NET [192.168.56.0/24]

var EXTERNAL_NET any

Enable the Port Scanning Preprocessor

The sfportscan preprocessor helps detect port scanning attempts. The following configuration enables port scan tracking with controlled sensitivity:

preprocessor sfportscan: \

proto { all } \

memcap 10000000 \

sense_level low \

logfile /var/log/snort/portscan.log

Parameter	Purpose
Proto {all}	Monitors all protocols (TCP, UDP, ICMP, etc.)
logfile	Defines path to save port scan log file
memcap 10000000	Allocates memory cap for tracking scans (10 MB)
sense_level low	Adjusts sensitivity of detection (low, medium, high)

Custom Rule for SSH Brute Force Detection

Brute-force attacks target SSH authentication by rapidly guessing passwords. The following Snort custom rule detects multiple failed login attempts and flags them:

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \

(msg:"Multiple SSH Login Attempts Detected"; flags:S; \

threshold:type both, track by_src, count 5, seconds 60; sid:1000001; rev:1;)

Parameter	Purpose
alert	Action triggered when rule conditions are met
tcp	Protocol being monitored (TCP)
$EXTERNAL_NET any -> $HOME_NET 22	Monitors incoming traffic targeting SSH (port 22)
msg	Displays custom alert message upon detection
flag S	Identifies SYN Packets initiating an SSH connection
threshold:type both, track by_src, count 5, seconds 60;	Limits excessive alerts (5 attempts in 60 sec)

Save Configuration and Restart Snort

Once configurations are complete, restart Snort to apply changes:

sudo systemctl restart snort

Snort is now ready to detect various attack patterns and log alerts for further analysis.

Simulating Attacks: Testing Snort IDS

To validate Snort’s effectiveness in detecting real-world cyber threats, multiple attack simulations were conducted. The two primary scenarios tested were port scanning and brute-force SSH attacks, commonly seen in cybersecurity incidents.

Port Scanning Attack Simulation

Port scanning is a reconnaissance technique where attackers probe a system to identify open ports that might be vulnerable. The following steps were performed to simulate and detect port scanning attempts using nmap.

Attack Execution (from Attacker VM)

The attacker used `nmap` to scan open ports on the target machine:

sudo nmap -sS -p- 192.168.56.103

Port scanning results using Nmap on IP address 192.168.56.103 reveal two open ports: SSH on port 22 and MySQL on port 3306.

Snort Detection:

The `sfportscan` preprocessor flagged multiple scan attempts.
Alerts were logged, showing attempts to access SNMP and TFTP ports.

Snort detected a port scan with attempted information leaks through SNMP requests, prioritizing the alert due to TCP traffic from IP 192.168.56.102

By monitoring these alerts, security teams can proactively detect potential reconnaissance attempts, preventing attackers from identifying exploitable entry points.

SSH Brute-Force Attack Simulation

Brute-force attacks attempt to gain unauthorized access by systematically guessing login credentials. Snort was configured to identify multiple failed SSH authentication attempts

Attack Execution

Using Hydra, a brute-force attack was launched against the target system:

hydra -L rockyou.txt -p 12345 ssh://192.168.56.103

Simulated brute force attack initiated using Hydra tool on a target IP, showcasing the tool's setup and progress with login attempts.

Snort Detection:

The custom rule triggered an alert upon detecting five failed attempts from the same source within 60 seconds.
Logged alerts indicated suspicious activity, highlighting the attacker's IP address.

Snort alert: Multiple SSH login attempts detected, indicating a possible brute-force attack by Hydra from 192.168.56.102 targeting 192.168.56.103 on port 22.

Why Simulated Attacks Matter

By conducting controlled attack simulations, security teams can:

Test Snort IDS rule effectiveness in detecting threats.
Fine-tune detection parameters to minimize false positives.
Enhance cybersecurity strategies by understanding attacker behavior.

Working with Snort Logs: Capturing & Analyzing Intrusion Alerts

Once Snort IDS is actively monitoring network traffic, it generates logs that provide valuable insights into detected threats. These logs serve as the foundation for incident response, forensic analysis, and security reporting.

Snort Log Formats

Snort provides multiple logging formats, each suited for different analysis needs. The key formats include:

Fast Alert Mode – Lightweight, readable format used for quick incident response.
Full Alert Mode – Provides detailed packet information for forensic analysis.
Binary Mode (pcap) – Captures raw network traffic, useful for deep packet inspection.

In this setup, Fast Alert Mode was selected for simplicity and efficiency.

Log Storage Location:

Snort logs are stored in the following directory:

/var/log/snort/snort.alert.fast

Log Analysis: Understanding Detected Threats

Once an attack occurs, Snort generates alerts indicating the type of suspicious activity detected. Below is a snippet of how Snort logs a detected brute-force SSH attack:

[**] [1:1000001:1] Multiple SSH Login Attempts Detected [**]

[Priority: 1] {TCP} 192.168.56.103 -> 192.168.56.102

Snort Log Analysis: Detected Bruteforce and Information Leak Attempts with Multiple Login Failures.

Breakdown of the Log Entry:

Log Component	Description	Significance
1:1000001:1	Rule ID (Generator ID: 1, Snort SID: 1000001, Rev: 1	Identifies the specific Snort rule that triggered the alert.
Multiple SSH Login	Alert Message generated by the rule.	Describes the detected suspicious activity.
Priority:1	Severity Level assigned by Snort	Indicates a high-priority event requiring immediate attention.
192.168.56.102 --> 192.168.56.103	Source and Destination IPs	Displays the attacker's IP (192.168.56.102) and the target VM's IP (192.168.56.103).
{TCP}	Protocol involved in the alert	Shows that the detected activity occurred over TCP.

Security teams can use these logs to identify attack sources, monitor attack trends, and refine Snort rules to enhance detection accuracy.

Integrating Snort with the ELK Stack

Now that Snort is actively detecting and logging security alerts, the next step is to integrate Snort logs with the ELK Stack for advanced data processing and visualization.

ELK Stack Setup

The ELK Stack (Elasticsearch, Logstash, Kibana) enables efficient log processing and threat monitoring. Here’s how the components interact:

Elasticsearch – Stores and indexes Snort alerts for fast search retrieval.
Logstash – Parses and enriches raw Snort logs.
Kibana – Provides intuitive visual dashboards for analyzing security incidents.
Configuring Logstash

Logstash acts as the processing pipeline that receives Snort logs and prepares them for indexing in Elasticsearch.

Input Configuration: Listening for logs sent from Filebeat.

Logstash input configuration file showing a Beats input setup on port 5044 with a specific host IP address for network listening.

Filter Configuration: Parsing Snort alerts using Grok patterns to extract key fields.

Logstash filter configuration file with a grok pattern and mutate, date, and convert functions for data parsing and transformation.

Output Configuration: Sending formatted logs to Elasticsearch for indexing.

Logstash configuration for sending output to Elasticsearch with indexed alerts organized by date.

input {

  beats {

    port => 5044

filter {

  grok {

    match => { "message" => "%{DATA:timestamp} \[%{INT:gid}:%{INT:sid}:%{INT:rev}\] %{GREEDYDATA:alert}" }

output {

  elasticsearch {

    hosts => ["http://localhost:9200"]

    index => "snort-alerts-%{+YYYY.MM.dd}"

Filebeat Setup on Snort Server

To forward logs efficiently, Filebeat is configured on the Snort server to capture alerts and transmit them to Logstash.

Installed Filebeat and configured it to monitor Snort’s Fast Alert logs stored at:

/var/log/snort/snort.alert.fast

Filebeat was set to send logs to Logstash at port 5044, ensuring structured ingestion. (YAML Format)

filebeat.inputs:

- type: log

  paths:

    - /var/log/snort/snort.alert.fast

output.logstash:

  hosts: ["192.168.56.103:5044"]

Filebeat configuration displaying the setup for reading Snort alert logs from /var/log/snort/snort.alert.fast, with outputs directed to Logstash at 192.168.56.109:5044.

Verifying Integration

Once Snort logs are forwarded:

Logstash processes alerts and sends them to Elasticsearch.
Elasticsearch indexes threat data for query-based searches.
Kibana visualizes attack patterns in real-time dashboards.

Visualizing Logs in Kibana

Now that Snort alerts are successfully flowing into Elasticsearch, it’s time to visualize this data using Kibana. Kibana enables security teams to explore attack trends, analyze source/destination IPs, and monitor common threats with interactive dashboards.

Creating an Index Pattern in Kibana

To start analyzing Snort logs in Kibana:

Navigate to Kibana → Stack Management → Data Views.
Create a new Data View using the pattern:

snort-alerts-*

Kibana dashboard displaying Snort logs with detailed alert summaries, timestamps, and field statistics for security monitoring.

Save the configuration and move to the Discover section.

Detailed Kibana dashboard displaying SSH login attempt alerts with IP details and timestamps & visualizing data.

Analyzing Snort Alerts in Kibana

Once logs are indexed, users can search, filter, and explore attack alerts efficiently. Kibana allows analysis based on:

Timestamp – Tracking when attacks occurred.
Source/Destination IPs – Identifying attackers and targeted systems.
Network Protocols – Categorizing alerts (TCP, UDP, ICMP, etc.).
Alert Messages – Understanding detected attack patterns.

Dashboard showing network analysis: The bar chart highlights the most targeted ports, with port 22 being the most attacked. The pie chart illustrates protocol usage, with TCP dominating at 80%, followed by UDP at 15%, and ICMP at 5%.

Distribution of alert messages highlights "Multiple SSH Login Attempts Detected" as the most frequent issue, with other alerts like "DNS named version attempt" following behind.

Creating Dashboards for Real-Time Monitoring

Custom dashboards in Kibana help security teams visualize attack trends over time. Some meaningful insights include:

Alert Frequency Over Time – Detecting attack spikes and patterns.
Source IP Heatmap – Pinpointing frequent attackers.
Port Attack Trends – Identifying commonly targeted ports.
Intrusion Type Analysis – Categorizing attack vectors (port scans, brute force).

Dashboard visualization displaying network traffic analysis with charts on alert generation frequency, top source and destination IP addresses, and network protocol usage.

Network activity dashboard showcasing protocol usage, alert messages, and IP address data, with TCP as the predominant protocol at 76.19%.

This structured visualization enables rapid threat detection, proactive security defense, and better incident response strategies.

Challenges & Fixes

Every cybersecurity deployment comes with obstacles, and setting up Snort IDS with the ELK Stack was no exception. Below are some of the key challenges encountered during implementation and how they were resolved.

Problem	Fix
Elasticsearch and Logstash failed to start due to incompatible dependencies.	Ensured installation was done using a Java 8-compatible environment, resolving version conflicts.
Snort failed to detect port scanning attempts consistently.	Fine-tuned Snort preprocessor rules and adjusted IP variables in snort.conf to accurately track suspicious activity.
Elasticsearch failed to launch due to improper heap size configuration.	Reverted manual heap size changes and optimized Elasticsearch settings to ensure stability.
Large volumes of Snort logs caused slow log ingestion into ELK	Implemented Logstash pipelines, Grok parsing optimization, and index lifecycle policies to manage data efficiently.

By addressing these challenges, the Snort + ELK integration became a reliable, scalable intrusion detection solution capable of real-time threat analysis and visualization.

Final Thoughts & Takeaways

Successfully integrating Snort IDS with the ELK Stack demonstrates the power of proactive network security monitoring. This project showcases how intrusion detection systems can help analyze attack patterns, visualize threats, and strengthen cybersecurity defenses.

By simulating port scanning and brute-force attacks, we tested Snort’s effectiveness, ensuring alerts were processed, indexed, and displayed via Kibana dashboards. These visual insights empower security teams to make informed decisions and quickly respond to potential threats before they escalate.

Key Learnings from the Project

Snort IDS can effectively detect reconnaissance and brute-force attempts using predefined rules.
The ELK Stack enhances threat visibility by transforming raw alerts into structured, actionable data.
Combining Filebeat, Logstash, Elasticsearch, and Kibana enables efficient security event correlation and analysis.
Fine-tuning IDS rules and optimizing log parsing significantly improves detection accuracy while reducing false positives.

This setup serves as a valuable learning experience for cybersecurity professionals, demonstrating a hands-on approach to network defense through real-world simulations.

A Note of Appreciation for Mr. Rohil

We extend our sincere appreciation to Mr. Rohil for his dedication and hard work in configuring, testing, and fine-tuning Snort IDS with ELK. His hands-on approach, passion for cybersecurity, and problem-solving mindset were instrumental in making this project a success.

Rohil’s contributions reflect a strong commitment to cybersecurity research and practical implementation. His efforts in rule optimization, attack simulation, and threat visualization demonstrate exceptional skill and initiative.

We encourage him to continue exploring network security, VAPT, and advanced threat detection techniques — his future in cybersecurity looks promising!

Rohil can be reached via his Linkedin