# 🛡️ Snort Web 攻击检测实验
**Ubuntu Server 24.04 LTS • Apache2 • Snort IDS • Kali Linux • Oracle VirtualBox**






## 📌 项目亮点
✔ 在 Ubuntu Server 上从零构建了一个完整的 **Snort IDS 实验室**。
✔ 开发并验证了 **9 条自定义 Snort 检测签名**。
✔ 成功实时检测到**网络侦察**和**Web 应用攻击**。
✔ 使用 **Kali Linux** 对自定义 Apache2 Web 应用模拟了攻击。
✔ 应用迭代式的**检测工程(Detection Engineering)工作流**,包括规则开发、测试、调优、验证和分析。
✔ 制作了全面的技术文档,包括项目日志、故障排除指南和最终项目报告。
## 项目横幅
# 项目概述
现代组织依靠入侵检测系统 (IDS) 在恶意网络活动升级为安全事件之前将其识别。在应用最广泛的开源 IDS 解决方案中,**Snort** 提供了基于签名的检测,能够通过自定义检测规则识别侦察技术、协议异常和 Web 应用攻击。
本项目演示了在一个隔离的 VirtualBox 环境中,使用 **Ubuntu Server**、**Apache2 Web 服务器**和 **Kali Linux** 设计、实施和验证实用的**基于 Snort 的检测工程实验室**的过程。
与仅关注软件安装的项目不同,本实验室强调入侵检测的完整工程生命周期:
- 设计实验室环境
- 部署和配置 Snort IDS
- 开发自定义检测签名
- 模拟真实世界的攻击
- 监控网络流量
- 验证检测准确性
- 通过迭代测试细化签名
- 记录实施、故障排除和经验教训
在整个项目中,使用自定义 Snort 规则成功模拟并检测了多种网络侦察技术和常见的 Web 应用攻击。每一条检测签名都针对从 Kali Linux 生成的实时流量进行了测试,从而能够根据实际的网络观察来分析和改进规则行为。
本仓库的主要目的是通过一个可重现的网络安全实验室,展示在**检测工程**、**Linux 管理**、**网络安全**和**技术文档编写**方面的实用技能,而不是理论上的实现。
# 实验室架构
该实验室旨在模拟一个真实且隔离的网络安全环境,用于开发和验证 Snort IDS 检测规则。
该环境由托管在 Oracle VirtualBox 上的两台虚拟机组成:
- **Ubuntu Server 24.04 LTS** 作为受保护的目标系统。
- **Kali Linux** 作为攻击机。
使用**仅主机网络 (Host-Only Network)** 允许虚拟机之间进行安全通信,同时防止攻击流量离开实验室环境。此外还配置了 NAT 适配器,以提供受控的 Internet 连接,用于软件安装和系统更新。
Ubuntu Server 托管三个主要服务:
- Apache2 Web 服务器
- OpenSSH 服务器
- Snort 入侵检测系统 (IDS)
在测试期间,从 Kali Linux 生成的攻击流量通过仅主机网络传输到 Apache Web 服务器。Snort 持续检查网络数据包,将它们与自定义检测签名进行比较,并在识别出恶意模式时生成实时警报。
## 实验室架构
```
Windows Host
│
Oracle VirtualBox
│
┌────────────────┴────────────────┐
│ │
│ Host-Only Network │
│ (192.168.56.0/24) │
│ │
┌──────────────────┐ ┌─────────────────────────┐
│ Kali Linux │ │ Ubuntu Server │
│------------------│ │-------------------------│
│ • Nmap │ │ • Apache2 Web Server │
│ • Browser │──────────▶ │ • Snort IDS │
│ • Attack Payload │ HTTP │ • OpenSSH Server │
│ • ICMP │──────────▶ │ │
└──────────────────┘ └─────────────┬───────────┘
│
▼
Custom Detection Rules
│
▼
Real-Time Security Alerts
```
```
---
## 实验组件
| Component | Purpose |
|-----------|----------|
| Windows Host | Hosts the virtual laboratory |
| Oracle VirtualBox | Virtualization platform |
| Ubuntu Server 24.04 LTS | Protected target system |
| Apache2 Web Server | Hosts the intentionally simple demonstration web application |
| Snort IDS | Monitors and analyzes network traffic |
| OpenSSH Server | Enables secure remote administration |
| Kali Linux | Simulates attacker activities |
| Host-Only Network | Isolated attack communication |
| NAT Adapter | Internet connectivity for updates |
---
> **Engineering Note**
> The laboratory architecture was intentionally designed to separate Internet connectivity from attack traffic. This approach provides a controlled environment for safely developing and validating custom intrusion detection signatures without exposing production systems or external networks.
# 核心技术
The laboratory combines open-source operating systems, security tools, and networking technologies to simulate a practical intrusion detection environment.
| Category | Technology | Purpose |
|----------|------------|---------|
| Operating System | Ubuntu Server 24.04 LTS | Protected target environment |
| Operating System | Kali Linux | Attack simulation platform |
| Web Server | Apache2 | Hosts the demonstration web application |
| Intrusion Detection | Snort IDS | Signature-based network intrusion detection |
| Remote Administration | OpenSSH Server | Secure remote management |
| Virtualization | Oracle VirtualBox | Virtual laboratory platform |
| Network Scanner | Nmap | Reconnaissance and port scanning |
| Networking | NAT + Host-Only | Internet access and isolated laboratory communication |
---
# 项目能力
This project demonstrates the complete workflow of designing, deploying, testing, and validating a signature-based intrusion detection laboratory.
## Detection Engineering
- Development of custom Snort detection signatures
- Signature validation through live traffic analysis
- Rule tuning based on observed network behavior
- Real-time alert generation
---
## Web 应用安全测试
- Cross-Site Scripting (XSS)
- SQL Injection
- HTML Injection
- Directory Traversal
---
## 网络侦察检测
- ICMP Ping Detection
- TCP SYN Scan Detection
- Port Scan Observation using Nmap
---
## Linux 与网络管理
- Ubuntu Server deployment
- Apache2 configuration
- OpenSSH remote administration
- Network interface configuration
- Host-Only network implementation
---
## 文档与工程实践
- Project Journal
- Troubleshooting Guide
- Final Project Report
- Custom Rule Documentation
- Structured testing methodology
---
> **Engineering Perspective**
> Rather than focusing solely on attack execution, this project emphasizes understanding how network traffic is inspected, how detection signatures are developed, and how iterative testing improves detection accuracy. This mirrors the practical workflow commonly followed by Detection Engineers and SOC Analysts when deploying and maintaining intrusion detection systems.
# 检测能力
A primary objective of this laboratory was to design, implement, and validate custom Snort detection signatures capable of identifying common reconnaissance techniques and web application attacks.
Each rule was developed incrementally, tested using live attack traffic generated from Kali Linux, and refined through iterative traffic analysis until reliable detection was achieved.
The completed rule library consists of **nine custom Snort signatures**, covering multiple attack categories.
---
## 自定义检测规则库
| SID | Detection Rule | Category | Status |
|-----:|----------------|----------|:------:|
|1000001|ICMP Ping Detection|Network Reconnaissance|✅|
|1000002|TCP SYN Scan Detection|Port Scanning|✅|
|1000003|Cross-Site Scripting (XSS)|Web Application Security|✅|
|1000004|HTTP Username Parameter Detection|HTTP Traffic Analysis|✅|
|1000005|SQL Injection (OR 1=1)|Web Application Security|✅|
|1000006|SQL Injection (UNION SELECT)|Web Application Security|✅|
|1000007|SQL Injection Authentication Bypass|Web Application Security|✅|
|1000008|HTML Injection Detection|Web Application Security|✅|
|1000009|Directory Traversal Detection|Web Application Security|✅|
---
## 成功检测的攻击类别
### 网络侦察
- ICMP Echo (Ping)
- TCP SYN Scan
- Nmap Port Scanning Activity
---
### Web 应用攻击
- Cross-Site Scripting (XSS)
- SQL Injection
- SQL Authentication Bypass
- SQL UNION Injection
- HTML Injection
- Directory Traversal
---
## Detection Engineering 工作流
Every detection signature included in this repository followed the same engineering methodology.
```text
Understand Attack
│
▼
Observe Network Traffic
│
▼
Inspect HTTP Payload
│
▼
Develop Detection Rule
│
▼
Validate Configuration
│
▼
Execute Live Attack
│
▼
Analyze Snort Alert
│
▼
Refine Signature
│
▼
Retest Until Successful
```
## 检测总结
| 检测领域 | 覆盖范围 |
|----------------|---------|
| 网络侦察 | ✅ |
| 端口扫描 | ✅ |
| Web 应用安全 | ✅ |
| HTTP 流量检查 | ✅ |
| 签名开发 | ✅ |
| 实时攻击验证 | ✅ |
# ⚔️ 攻击模拟与验证
为了验证自定义 Snort 检测签名的有效性,从 Kali Linux 虚拟机针对托管在 Ubuntu Server 上的 Apache2 Web 应用执行了多个攻击场景。
每次攻击都在隔离的仅主机网络中生成实时网络流量,使 Snort IDS 能够检查数据包、评估自定义签名并生成实时安全警报。
本仓库中演示的每一次检测都是通过实际测试验证的,而不是理论上的规则创建。
## 验证方法论
对包含在本项目中的每一个攻击场景,都重复了以下工作流。
```
Create Detection Rule
│
▼
Validate Snort Configuration
│
▼
Launch Snort Monitoring
│
▼
Execute Attack from Kali Linux
│
▼
Inspect Generated Traffic
│
▼
Observe Snort Alert
│
▼
Refine Detection Rule (if required)
│
▼
Retest Until Successful
```
# 攻击验证矩阵
| 攻击类型 | 执行的 Payload | 检测状态 | 证据 |
|-------------|------------------|:----------------:|----------|
| ICMP Ping | ICMP Echo Request | ✅ | 截图 |
| TCP SYN Scan | Nmap SYN Scan | ✅ | 截图 |
| 跨站脚本攻击 (XSS) | `` | ✅ | 截图 |
| SQL 注入 | `' OR 1=1 --` | ✅ | 截图 |
| SQL 注入 | `UNION SELECT` | ✅ | 截图 |
| SQL 身份验证绕过 | `' OR 'a'='a` | ✅ | 截图 |
| HTML 注入 | `
Injected Content
` | ✅ | 截图 |
| 目录遍历 | `../../etc/passwd` | ✅ | 截图 |
# 验证证据
## Apache2 Web 应用

## Apache2 服务状态

## Snort IDS 服务状态

## OpenSSH 服务状态

## Snort 配置

## Snort 配置验证

## Snort 成功运行

## 自定义 Snort 规则库

## 规则验证

## 跨站脚本攻击 (XSS)

## SQL 注入

## SQL 身份验证绕过

## HTML 注入

## 目录遍历

---> **验证总结**
# 📂 仓库结构
本仓库经过组织,将文档、自定义检测规则和验证证据清晰地区分开来。每个目录都有特定的用途,使项目更容易理解、重现和维护。
```
snort-web-attack-detection-lab/
│
├── README.md
├── LICENSE
├── Technical_Project_Report.pdf
├── PROJECT_JOURNAL.md
├── TROUBLESHOOTING.md
│
├── docs/
│ ├── banner_v1.png
│ ├── architecture_diagram_v1.png
│ └── screenshots/
│ ├── figure_4_3_apache2_status.png
│ ├── figure_4_4_snort_ids_status.png
│ ├── figure_4_5_openssh_status.png
│ ├── figure_7_1_snort_configuration_file.png
│ ├── figure_7_2_snort_configuration_validation.png
│ ├── figure_7_3_snort_running_successfully.png
│ ├── figure_8_1_custom_snort_rule_library.png
│ ├── figure_8_2_rule_validation.png
│ ├── figure_9_1_demonstration_web_application.png
│ ├── figure_9_2_xss_detection.png
│ ├── figure_9_3_sql_injection_detection.png
│ ├── figure_9_4_sql_authentication_bypass_detection.png
│ ├── figure_9_5_html_injection_detection.png
│ └── figure_9_6_directory_traversal_detection.png
│
└── rules/
└── Custom_Snort_Rule_Library.pdf
## 📁 仓库内容
| Directory / File | Description |
|------------------|-------------|
| README.md | Project overview and documentation homepage |
| LICENSE | MIT Open Source License |
| PROJECT_JOURNAL.md | Chronological development journal documenting implementation progress |
| TROUBLESHOOTING.md | Common issues encountered during development and their resolutions |
| Final_Project_Report.pdf | Comprehensive technical report describing the complete project lifecycle |
| rules/local.rules | Custom Snort detection signatures developed during the project |
| screenshots/ | Validation evidence, configuration screenshots, attack demonstrations, and generated alerts |
---
## 文档理念
This repository follows a layered documentation approach to improve readability and long-term maintainability.
| Document | Purpose |
|-----------|---------|
| README.md | Introduces the project and explains its purpose |
| PROJECT_JOURNAL.md | Records the engineering journey from initial setup to project completion |
| TROUBLESHOOTING.md | Documents technical challenges, root causes, and implemented solutions |
| Final_Project_Report.pdf | Provides comprehensive technical documentation suitable for formal review |
---
> **Engineering Note**
> Rather than storing project files without context, this repository emphasizes structured documentation. Each document has a clearly defined purpose, allowing readers to understand not only the final implementation but also the engineering decisions, troubleshooting process, and validation methodology followed throughout the project.
# 📚 项目文档
A key objective of this repository is to document the complete engineering lifecycle of the project rather than presenting only the final implementation.
Every major phase—including planning, deployment, troubleshooting, testing, validation, and reporting—has been documented to provide transparency into the development process.
The documentation has been organized into the following components.
| Document | Purpose |
|-----------|---------|
| README.md | Repository overview, architecture, capabilities, and implementation summary |
| PROJECT_JOURNAL.md | Chronological record of project development, milestones, and implementation progress |
| TROUBLESHOOTING.md | Root causes, investigation process, implemented solutions, and verification results |
| Final_Project_Report.pdf | Comprehensive technical report describing the laboratory, implementation methodology, attack simulations, generated alerts, and project outcomes |
---
# 🎓 展示的技能
This project provided practical experience across multiple cybersecurity disciplines.
## Detection Engineering
- Custom Snort signature development
- Signature validation and tuning
- Live traffic analysis
- Signature refinement through iterative testing
---
## 网络安全
- Intrusion Detection Systems (IDS)
- Network reconnaissance detection
- HTTP traffic inspection
- Signature-based attack detection
---
## Linux 管理
- Ubuntu Server deployment
- Apache2 configuration
- OpenSSH administration
- Network interface management
- Linux service management (Apache2, SSH, and Snort)
---
## Web 应用安全
- Cross-Site Scripting (XSS)
- SQL Injection
- HTML Injection
- Directory Traversal
- HTTP request analysis
---
## 技术文档
- Engineering documentation
- Project journaling
- Technical troubleshooting
- Validation reporting
- Security documentation
---
## 专业实践
- Structured project planning
- Evidence-based validation
- Iterative problem solving
- Root cause analysis
- Version-controlled documentation
---
> **Professional Perspective**
> This project demonstrates more than the deployment of an Intrusion Detection System. It showcases the ability to design a practical cybersecurity laboratory, develop custom detection logic, validate security controls through structured testing, troubleshoot complex implementation challenges, and communicate technical findings through professional documentation.
# 🧠 经验教训
Building this laboratory provided practical experience that extended well beyond installing and configuring security tools. The project reinforced the importance of approaching cybersecurity as an engineering discipline built on observation, validation, documentation, and continuous improvement.
Throughout development, several key lessons emerged:
- Network traffic should always be analyzed before writing detection signatures.
- URL encoding can significantly affect HTTP-based detection rules and must be considered during rule development.
- Custom Snort signatures often require multiple testing and refinement cycles before achieving reliable detection.
- Thorough troubleshooting documentation greatly simplifies future maintenance and problem resolution.
- Collecting evidence throughout development is just as important as implementing technical functionality.
- Structured project documentation improves reproducibility and makes complex engineering work easier to understand.
Perhaps the most valuable lesson from this project was recognizing that successful detection engineering is an iterative process. Effective signatures are rarely created on the first attempt; they evolve through observation, testing, analysis, and refinement.
---
# 未来增强
Although this laboratory successfully demonstrates signature-based intrusion detection, several enhancements are planned for future iterations.
## 🔭 项目路线图
| Version | Status | Description |
|----------|:------:|-------------|
| Version 1.0 | ✅ Completed | Signature-based detection laboratory |
| Version 1.1 | 🔄 Planned | Expanded custom detection signatures |
| Version 1.2 | 🔄 Planned | SIEM integration and alert analysis |
| Version 2.0 | 🔄 Planned | AI-assisted detection enhancements |
---
> **Engineering Reflection**
> This project represents the beginning of a broader learning journey in Detection Engineering. The experience gained from designing the laboratory, developing custom signatures, validating attack scenarios, and documenting the complete implementation provides a strong foundation for future work in security monitoring, threat detection, and AI-driven security automation.
# 🤝 贡献
Thank you for your interest in this project.
At this stage, the repository is maintained as a personal cybersecurity learning and portfolio project. While active external contributions are not currently planned, constructive feedback, suggestions, and discussions are always welcome.
If you identify an issue, have a recommendation, or would like to discuss Detection Engineering, Intrusion Detection Systems, or cybersecurity in general, feel free to open an Issue within this repository.
---
# ⚖️ 许可证
This project is released under the **MIT License**.
Please refer to the LICENSE file for the complete license terms and conditions.
provided that the original license and copyright notice are retained.
See the **LICENSE** file for complete details.
---
# 🙏 致谢
This project was made possible through the availability of excellent open-source technologies and educational resources.
Special thanks to the communities behind:
- Ubuntu Server
- Snort IDS
- Apache HTTP Server
- Kali Linux
- Oracle VirtualBox
- Nmap
- The open-source cybersecurity community
Their tools and documentation continue to support practical cybersecurity learning worldwide.
---
# 👨💻 作者
**Mahesh K**
Cybersecurity Researcher | Building AI for Detection Engineering, Digital Forensics, and Security Automation
---
## 📌 仓库状态
| Item | Status |
|------|:------:|
| Documentation | ✅ Complete |
| Laboratory Implementation | ✅ Complete |
| Attack Validation | ✅ Complete |
| Custom Rule Development | ✅ Complete |
| Technical Report | ✅ Complete |
| Repository Maintenance | ✅ Active |
---
# ⭐ 最终想法
This repository represents more than the implementation of a Snort Intrusion Detection System.
It documents an end-to-end engineering journey involving laboratory design, Linux administration, detection rule development, attack simulation, validation, troubleshooting, and technical documentation.
Every detection rule, configuration change, and troubleshooting step contributed to a deeper understanding of signature-based intrusion detection and reinforced the importance of structured engineering practices within cybersecurity.
Although this project marks the completion of Version 1.0, it also serves as the foundation for future work in Detection Engineering, Security Operations, and AI-driven cybersecurity research.
---
### 🛡️ *"通过工程化、持续学习和真实世界验证,构建实用的网络安全解决方案。"*
**Thank you for visiting this repository.**
If you found this project useful, consider giving it a ⭐.
```