What is Snort?

Snort is an **open-source Intrusion Detection and Prevention System (IDS/IPS)** that monitors network traffic and detects suspicious activities. It uses **signature-based** and **anomaly-based** detection to identify threats.

What will I do in this lab?

1. **Real-time packet analysis**: Detects attacks like brute-force, port scanning, and malware.
2. **Custom rule creation**: Define security rules to detect specific threats.
3. **Splunk integration**: Logs from Snort can be sent to Splunk for analysis and visualization.

Install Snort

sudo apt update
sudo apt install snort -y


Add rules


/etc/snort/rules/local.rules

# Trigger an alert after 3 SSH connection attempts (SYN packets) from the same source within 60 sec
alert tcp any any -> $HOME_NET 22 (msg:"SSH Brute Force Attempt"; flags:S; threshold:type threshold, track by_src, count 3, seconds 60; sid:1000000; rev:1;)
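To see what the `threshold` options in the rule above actually fire on, here is an added Python simulation (not part of this lab and not Snort's own code) that parses the rule's threshold options and replays constructed SYN events through a re-implementation of Snort's `type threshold` counter; the event list, timestamps and IP addresses are made up.

```python
import re
from collections import defaultdict

# Copy of the local.rules entry above, used as parser input.
RULE = ('alert tcp any any -> $HOME_NET 22 (msg:"SSH Brute Force Attempt"; flags:S; '
        'threshold:type threshold, track by_src, count 3, seconds 60; sid:1000000; rev:1;)')

def parse_threshold(rule):
    """Extract the threshold options (type, track, count, seconds) from a Snort rule."""
    m = re.search(r'threshold:\s*([^;]+);', rule)
    if not m:
        return None
    opts = {}
    for part in m.group(1).split(','):
        key, val = part.strip().split(None, 1)
        opts[key] = int(val) if val.isdigit() else val
    return opts

class ThresholdTracker:
    """Hypothetical re-implementation of Snort 'type threshold': alert on every
    count-th matching packet from one source inside a 'seconds' window."""
    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.state = defaultdict(lambda: {"tstart": None, "n": 0})

    def observe(self, src, ts):
        s = self.state[src]
        if s["tstart"] is None or ts - s["tstart"] >= self.seconds:
            s["tstart"], s["n"] = ts, 1   # window expired: start a new one
        else:
            s["n"] += 1
        if s["n"] >= self.count:
            s["n"] = 0                     # counter is reset after an alert
            return True
        return False

def run(rule, events):
    """Return the (src, ts) events that would produce an alert under the rule's threshold."""
    opts = parse_threshold(rule)
    tracker = ThresholdTracker(opts["count"], opts["seconds"])
    return [(src, ts) for src, ts in events if tracker.observe(src, ts)]

# Constructed sample: SYNs to port 22 as (source IP, seconds since start).
EVENTS = [("10.0.0.5", 0), ("10.0.0.5", 10), ("10.0.0.9", 12), ("10.0.0.5", 20),
          ("10.0.0.5", 25), ("10.0.0.9", 80), ("10.0.0.9", 85), ("10.0.0.5", 100)]

if __name__ == "__main__":
    for src, ts in run(RULE, EVENTS):
        print(f"ALERT SSH Brute Force Attempt from {src} at t={ts}s")
```

Only 10.0.0.5 reaches three SYNs inside one 60-second window; 10.0.0.9's attempts are spread out, so the rule stays silent for it.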

Ensure the rules path and the log file path are set correctly in snort.conf
