To build a functional home lab environment for hands-on cybersecurity practice by installing and configuring Snort on an Ubuntu machine, creating and managing custom and community Snort rules, simulating various network attacks using Kali Linux, and observing Snort's alerting capabilities. The lab also includes using Wireshark for detailed traffic analysis, leveraging Metasploit to exploit a vulnerable Windows 7 machine, and forwarding Snort logs to Splunk via Splunk Forwarder to visualize and monitor alerts through a custom dashboard.
🔗 Read the full blog post here:
Building a Home Lab for Intrusion Detection with Snort
- Advanced understanding of SIEM concepts and practical application.
- Gained hands-on experience installing, configuring, and operating Snort to detect malicious network activity.
- Developed the ability to simulate real-world cyberattacks using Kali Linux to test and validate IDS effectiveness.
- Enhanced knowledge of network protocols and security vulnerabilities.
- Gained proficiency in using Wireshark to inspect and understand detailed network traffic and protocols.
- Acquired foundational penetration testing skills by using Metasploit to exploit a vulnerable Windows 7 machine.
- Learned how to forward logs to Splunk using Splunk Forwarder and create dashboards for real-time monitoring and visualization.
- Development of critical thinking and problem-solving skills in cybersecurity.
- Open-source Network Intrusion Detection System (NIDS) used to monitor and analyze network traffic for signs of malicious activity.
- Network protocol analyzer used to capture and inspect packet-level data for deeper traffic analysis.
- Penetration testing tool used to exploit known vulnerabilities (e.g., in a Windows 7 VM) and simulate real-world attacks.
- Security Information and Event Management (SIEM) tool used to collect, forward, and visualize Snort logs through custom dashboards.
- Virtualization platforms used to create and manage the virtual machines in the home lab.
- Install Ubuntu, Kali Linux, and Windows 7 as VMs using a hypervisor like VMware.
- Configure all VMs to use the same Host-Only network (or NAT with manual IP assignment).
- Install Wireshark on Ubuntu to capture and analyze traffic.
- On the Ubuntu VM, install Snort:
sudo apt update
sudo apt install snort
- During installation, set the local network value to your local subnet (e.g. 192.168.189.0/16).
- Backup the default config and edit snort.conf to reflect your subnet:
cp /etc/snort/snort.conf /home/username/Documents/
- Replace
ipvar HOME_NET any
- With
ipvar HOME_NET 192.168.189.0/16
- Add custom Snort rules to /etc/snort/rules/local.rules, including rules for FTP, SSH, ICMP, and EternalBlue.
- Test the Snort configuration:
sudo snort -T -c /etc/snort/snort.conf
- Run Snort in alert mode:
sudo snort -A console -q -c /etc/snort/snort.conf -i <interface>
- From Kali Linux, simulate attacks:
- Ping the Ubuntu VM.
- SSH, FTP into the Ubuntu VM.
- Launch EternalBlue via Metasploit:
msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS <Win7_IP>
exploit
- Monitor alerts on the Ubuntu Snort console.
- Analyze Network Traffic with Wireshark
sudo wireshark -r /var/log/snort/snort.log.1733459848
- Download and install Splunk Enterprise on Ubuntu from splunk.com.
- Start Splunk:
sudo /opt/splunk/bin/splunk start
- Access the web interface at http://localhost:8000.
- From the Apps page, install Snort Alert for Splunk.
- Download the Splunk Universal Forwarder on Ubuntu.
- Install it and start the forwarder:
sudo dpkg -i splunkforwarder.deb
sudo /opt/splunkforwarder/bin/splunk start --accept-license
- Add the Splunk server as a forward target:
sudo ./splunk add forward-server <Splunk_IP>:9997
- Monitor Snort alert logs:
sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/snort/alert
- Set sourcetype and index in inputs.conf (optional for tuning).
- Open Splunk web interface.
- Go to Snort Alert for Splunk or use Search & Reporting.
