
Snort — Basic Lab

A simple Snort test run: Snort listens on the external and loopback interfaces while scans and floods are simulated against localhost for detection practice.

Snort lab overview (placeholder)

Basic Requirements

Steps

  1. Run external interface

    Run snort on external interface (placeholder)

    Open a terminal and start Snort (replace eth0 with your interface if different).

    sudo snort -c /etc/snort/snort.lua -R /etc/snort/rules/local.rules -i eth0 -A alert_fast

    Keep this terminal open while Snort runs.

  2. Run loopback interface

    Run snort on loopback interface (placeholder)

    Open a new terminal and run Snort on the loopback interface to capture localhost traffic.

    sudo snort -c /etc/snort/snort.lua -R /etc/snort/rules/local.rules -i lo -A alert_fast

    Keep this terminal open as well.

  3. Simulate attacks

    Simulate attacks (placeholder)

    Run some scans and floods against localhost to see Snort alerts. Because the targets below are localhost, this traffic crosses the loopback interface, so expect the alerts in the terminal from step 2.

    Nmap scans (SYN, Null and Xmas scans use raw packets, so nmap needs root)

    -- SYN Scan --
    sudo nmap -sS localhost

    -- Null Scan --
    sudo nmap -sN localhost

    -- Xmas Scan --
    sudo nmap -sX localhost

    ICMP flood (hping3)

    -- -1 selects ICMP mode; -S and -w are TCP-mode options and have no effect here --
    sudo hping3 -1 -c 1000 -d 120 -S -w 64 --flood --rand-source localhost

    Watch your Snort terminal(s) for alerts. Use the Snort logs and alert outputs to analyze detection behavior.
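    To make sense of what alert_fast prints, here is an added helper (not part of the lab page) that parses alert lines, counts hits per rule and flags sources that burst past a threshold, as the ICMP flood test would. The alert_fast line shape, the sids and the sample alert lines are assumptions constructed for this example.

```python
import re
from collections import Counter, deque
from datetime import datetime
# One Snort 3 alert_fast line (assumed shape; the [Classification: ...] field is optional):
#   MM/DD-HH:MM:SS.ffffff [**] [gid:sid:rev] "msg" [**] [Priority: N] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] '
    r'"(?P<msg>[^"]*)" \[\*\*\] (?:\[Classification: [^\]]*\] )?\[Priority: (?P<prio>\d+)\] '
    r'\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$'
)

def parse_alert(line):
    """Return a dict for one alert_fast line, or None for non-alert lines (banners, stats)."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%m/%d-%H:%M:%S.%f")  # alert_fast omits the year
    rec["sid"] = int(rec["sid"])
    return rec

def count_by_signature(lines):
    """Count alerts per (sid, msg): shows which local.rules entries fired during the nmap scans."""
    return Counter((a["sid"], a["msg"]) for a in map(parse_alert, lines) if a)

def find_floods(lines, sid, threshold, window_s=1.0):
    """Sources that fired `sid` at least `threshold` times inside any window_s-second window."""
    per_src = {}
    for a in filter(None, map(parse_alert, lines)):
        if a["sid"] == sid:
            per_src.setdefault(a["src"], []).append(a["time"])
    flooders = {}
    for src, times in per_src.items():
        window = deque()  # sliding window of timestamps no older than window_s
        for t in sorted(times):
            window.append(t)
            while (t - window[0]).total_seconds() > window_s:
                window.popleft()
            if len(window) >= threshold:
                flooders[src] = max(flooders.get(src, 0), len(window))
    return flooders

# Constructed sample output (not a real capture); the sids are hypothetical local.rules ids.
SAMPLE = """\
03/14-10:15:30.100000 [**] [1:1000001:1] "Nmap Xmas scan" [**] [Priority: 2] {TCP} 127.0.0.1:40000 -> 127.0.0.1:22
03/14-10:15:30.100500 [**] [1:1000002:1] "Nmap Null scan" [**] [Priority: 2] {TCP} 127.0.0.1:40001 -> 127.0.0.1:80
03/14-10:15:31.000000 [**] [1:1000003:1] "ICMP echo request" [**] [Classification: Attempted DoS] [Priority: 2] {ICMP} 10.0.0.5 -> 127.0.0.1
03/14-10:15:31.200000 [**] [1:1000003:1] "ICMP echo request" [**] [Classification: Attempted DoS] [Priority: 2] {ICMP} 10.0.0.5 -> 127.0.0.1
03/14-10:15:31.400000 [**] [1:1000003:1] "ICMP echo request" [**] [Classification: Attempted DoS] [Priority: 2] {ICMP} 10.0.0.5 -> 127.0.0.1
03/14-10:15:33.000000 [**] [1:1000003:1] "ICMP echo request" [**] [Classification: Attempted DoS] [Priority: 2] {ICMP} 10.0.0.9 -> 127.0.0.1
""".splitlines()
```

    Feed it the real alert output with `count_by_signature(open("alert_fast.txt"))`; tune `threshold` and `window_s` to the rate your own ICMP rule fires at.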

    Example testing:

    Nmap test (scan)
    Example nmap output (placeholder)
    hping test (ICMP flood)
    Example hping output (placeholder)