Network Monitoring with Snort: Analyzing Malicious Traffic in CS6262 Project 4

Learn practical network monitoring techniques using Snort and Wireshark to detect DDoS, brute-force, web attacks, and botnet traffic. Based on the CS6262 Project 4 assignment from Fall 2025.


Introduction to Network Monitoring and Intrusion Detection

Network monitoring is a critical skill for cybersecurity professionals. In this tutorial, we explore practical techniques to distinguish legitimate from malicious network traffic, inspired by the CS6262 Project 4 assignment. You'll learn how to analyze pcap files using Wireshark and create Snort rules to detect attacks like DDoS, brute-force, web exploits, and botnet communication. By the end, you'll have hands-on experience with intrusion detection systems (IDS) and network forensics.

In today's interconnected world, network security is more important than ever. With the rise of AI-powered attacks and sophisticated malware, understanding traffic patterns is key. Think of network monitoring like a referee in a sports match—spotting fouls (malicious traffic) while letting the game (normal traffic) flow. Just as a referee uses rules to penalize illegal moves, Snort uses rules to alert on suspicious packets.

Understanding the Assignment Context

The CS6262 Project 4 focuses on analyzing a pcap file (evaluation.pcap) containing mixed legitimate and malicious traffic from multiple hosts. The network topology is a standard LAN on AWS, with IPs in the 172.31.0.0/16 subnet. Your task is to identify four attack types: DDoS, brute-force (FTP or SSH), web attacks (SQL injection, XSS, or directory traversal), and botnet traffic. You'll then write Snort rules to automatically detect these attacks.

This project mirrors real-world challenges faced by network operators. For example, during the 2025 Super Bowl, security teams monitored for DDoS attacks targeting streaming services. Similarly, you'll learn to spot slow-rate DDoS that keeps connections open with periodic HTTP requests, exhausting server sockets.

Setting Up Your Environment

Before diving into analysis, ensure you have the right tools. The assignment provides a virtual machine (VM) with Snort 3 installed. You can download the OVA from the provided links. If the VM is slow, you can analyze the pcap locally with Wireshark and use the VM only for Snort. Increase RAM allocation to handle the large pcap file.

To set up Snort, follow the VM instructions. Test with sample pcaps provided for each attack type. Remember, these samples are illustrative and not identical to the evaluation pcap.

Analyzing Traffic with Wireshark

Start by opening evaluation.pcap in Wireshark. Use display filters to isolate traffic. For example, filter by http.request to see HTTP requests. Look for patterns: repeated connection attempts to the same IP on port 22 (SSH) or 21 (FTP) indicate brute-force. A large number of TCP SYN packets to a single destination suggests DDoS. Unusual HTTP methods like UNLINK or PROPFIND may signal web attacks. Botnet traffic often involves periodic beaconing to a C2 server.

Use Wireshark's statistical tools: Statistics > Protocol Hierarchy to see traffic distribution, and Statistics > Conversations to find top talkers. For brute-force, look for many connections with different source ports to the same destination port. A tip: use a 1-second time window to detect high-frequency attempts.
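The "many connections in a 1-second window" heuristic above is exactly what Snort's detection_filter does, and it helps to see it in code before tuning thresholds. The following Python script is an added example (not part of the original tutorial or the course material): it runs a sliding-window counter over a constructed list of TCP SYN records, keyed by source IP for brute-force (track by_src) or by destination IP for DDoS (track by_dst). The hosts, ports and timings are made up; only the 172.31.0.0/16 subnet comes from the assignment.

```python
import bisect
from collections import defaultdict

# Constructed sample of TCP SYNs as (ts_ms, src_ip, src_port, dst_ip, dst_port).
# Hosts sit in the assignment's 172.31.0.0/16 LAN; the addresses and timings are
# made up for this example, not taken from evaluation.pcap.
SAMPLE_SYNS = (
    # 60 SSH connection attempts from one host in 0.6 s: brute-force profile
    [(i * 10, "172.31.4.7", 40000 + i, "172.31.9.2", 22) for i in range(60)]
    # 10 SSH attempts spaced 0.5 s apart: an admin retyping a password by hand
    + [(5000 + i * 500, "172.31.4.8", 50000 + i, "172.31.9.2", 22) for i in range(10)]
    # 150 HTTP connections to one server in 0.75 s: DDoS profile
    + [(10000 + i * 5, "172.31.4.9", 41000 + i, "172.31.9.3", 80) for i in range(150)]
)


def burst_detector(syns, dst_port, count, seconds, track="by_src"):
    """Emulate Snort's detection_filter over SYN records.

    Returns {key: (peak_window, first_alert_ts_ms)} for every key whose number of
    new connections to dst_port exceeds `count` inside some `seconds`-wide sliding
    window. track="by_src" keys on the source IP (brute-force); "by_dst" keys on
    the destination IP (DDoS). A key that never bursts is absent from the result.
    """
    window_ms = seconds * 1000
    stamps_by_key = defaultdict(list)
    for ts, src, _sport, dst, dport in sorted(syns):
        if dport != dst_port:
            continue
        stamps_by_key[src if track == "by_src" else dst].append(ts)

    hits = {}
    for key, stamps in stamps_by_key.items():
        # stamps are sorted; the window for packet i is (ts_i - window_ms, ts_i]
        for i, ts in enumerate(stamps):
            in_window = i - bisect.bisect_right(stamps, ts - window_ms) + 1
            if in_window > count:  # detection_filter fires on the (count+1)th match
                peak, first_ts = hits.get(key, (0, ts))
                hits[key] = (max(peak, in_window), first_ts)
    return hits


if __name__ == "__main__":
    print("SSH brute-force:", burst_detector(SAMPLE_SYNS, 22, count=50, seconds=1))
    print("HTTP DDoS:", burst_detector(SAMPLE_SYNS, 80, count=100, seconds=1, track="by_dst"))
```

Feeding it connection records exported from Wireshark (Statistics > Conversations, or a tshark field dump) lets you pick count/seconds values that separate the attacking hosts from the slow, legitimate-looking one before you commit them to a rule.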

Writing Snort Rules for Attack Detection

Snort rules follow a simple syntax: action protocol src_ip src_port -> dest_ip dest_port (msg:"alert message"; content:"pattern"; sid:1000001;). You'll need 4-8 rules covering each attack category. Let's break down each type.

Detecting DDoS Attacks

DDoS in this assignment involves slow-rate HTTP attacks that keep connections open. To detect, look for multiple connections from the same source IP to the same destination IP on port 80 or 443 within a short time. Example rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Possible DDoS - multiple connections"; flow:to_server; detection_filter:track by_dst, count 100, seconds 1; sid:1000001;)

This rule alerts once more than 100 client-to-server packets matching it reach the same destination within 1 second; detection_filter counts rule matches, so with no further options every such packet is counted, not only new connections. Adjust thresholds based on your pcap analysis.

Detecting Brute-Force Attacks (SSH/FTP)

Brute-force attacks involve rapid login attempts. For SSH, look for many connections to port 22 with failed authentication. Snort cannot see inside the encrypted session, but every SSH connection begins with a cleartext version banner starting with "SSH-", so matching that string and rate-limiting it with detection_filter counts new connection attempts per source. Example rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH Brute-force attempt"; flow:to_server; content:"SSH-"; detection_filter:track by_src, count 50, seconds 10; sid:1000002;)

For FTP, monitor port 21 and look for USER and PASS commands. Use content matching to identify repeated attempts.

Detecting Web Attacks

Web attacks exploit vulnerabilities in web applications. Common patterns: SQL injection (UNION SELECT), XSS (<script>), or directory traversal (../). Use http_uri or http_method in rules. Example:

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SQL Injection attempt"; flow:to_server; http_uri; content:"UNION SELECT"; nocase; sid:1000003;)

Check the assignment tips: use http_method and content with patterns like xxxxx (replace with actual patterns from your analysis).

Detecting Botnet Traffic

Botnets communicate with C2 servers using custom protocols. Look for periodic connections to external IPs on uncommon ports. Use flow and content to match known botnet signatures. Example rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"Botnet traffic to C2"; flow:to_server; content:"|00 01 02|"; sid:1000004;)

Research common botnet patterns or use the sample pcaps to identify unique strings.

Validating Your Rules

After writing rules, run Snort against the evaluation pcap: sudo snort -c /etc/snort/snort.conf -r evaluation.pcap -A alert_json. This generates an alert JSON file. Then use the provided Python script to count unique connections per attack type:

python3 cal_unique_connection_2022.py alert_json.txt

Expected output (from assignment): WebAttack 134, Bruteforce 6975, DDoS 625, Botnet 47621. Your numbers may vary slightly. Ensure your rules produce alerts for each category.

Note: A connection is defined by src_ip:src_port:dest_ip:dest_port. Use this when analyzing results.
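To understand what the provided counting script measures, here is an added example (not cal_unique_connection_2022.py and not part of the original tutorial) that reads Snort 3 alert_json output, maps the sids used in the rules above to the four categories, and counts unique src_ip:src_port:dest_ip:dest_port tuples per category. The sample alert lines are constructed and assume Snort 3's default alert_json fields (rule as gid:sid:rev, src_ap/dst_ap as address:port); repeated alerts on one connection count once, and unknown sids or unparsable lines are skipped.

```python
import json
from collections import defaultdict

# Map the sids used in the rules above to the assignment's attack categories.
SID_CATEGORY = {1000001: "DDoS", 1000002: "Bruteforce", 1000003: "WebAttack", 1000004: "Botnet"}

# Constructed alert_json lines in Snort 3's default layout (one JSON object per line;
# "rule" is gid:sid:rev, "src_ap"/"dst_ap" are address:port). All values are made up.
SAMPLE_ALERTS = """\
{"timestamp":"10/02-14:00:01.000100","proto":"TCP","dir":"C2S","src_ap":"172.31.4.7:40001","dst_ap":"172.31.9.2:22","rule":"1:1000002:0","action":"allow"}
{"timestamp":"10/02-14:00:01.000200","proto":"TCP","dir":"C2S","src_ap":"172.31.4.7:40001","dst_ap":"172.31.9.2:22","rule":"1:1000002:0","action":"allow"}
{"timestamp":"10/02-14:00:01.000300","proto":"TCP","dir":"C2S","src_ap":"172.31.4.7:40002","dst_ap":"172.31.9.2:22","rule":"1:1000002:0","action":"allow"}
{"timestamp":"10/02-14:00:02.000000","proto":"TCP","dir":"C2S","src_ap":"172.31.4.9:41000","dst_ap":"172.31.9.3:80","rule":"1:1000001:0","action":"allow"}
{"timestamp":"10/02-14:00:02.000500","proto":"TCP","dir":"C2S","src_ap":"172.31.4.9:41000","dst_ap":"172.31.9.3:80","rule":"1:1000003:0","action":"allow"}
{"timestamp":"10/02-14:00:03.000000","proto":"TCP","dir":"C2S","src_ap":"172.31.6.1:51234","dst_ap":"203.0.113.10:8080","rule":"1:1000004:0","action":"allow"}
{"timestamp":"10/02-14:00:03.000100","proto":"TCP","dir":"C2S","src_ap":"172.31.6.1:51234","dst_ap":"203.0.113.10:8080","rule":"1:9999999:0","action":"allow"}
this line is not JSON and must be skipped
"""


def split_ap(ap):
    """'addr:port' -> (addr, port); rsplit so IPv6 addresses keep their colons."""
    addr, port = ap.rsplit(":", 1)
    return addr, int(port)


def unique_connections(alert_text):
    """Count unique src_ip:src_port:dst_ip:dst_port tuples per attack category."""
    conns = defaultdict(set)
    for line in alert_text.splitlines():
        try:
            alert = json.loads(line)
            sid = int(alert["rule"].split(":")[1])
            src, sport = split_ap(alert["src_ap"])
            dst, dport = split_ap(alert["dst_ap"])
        except (ValueError, KeyError, IndexError):
            continue  # malformed line or unexpected field layout
        category = SID_CATEGORY.get(sid)
        if category is None:
            continue  # alert from a rule outside the four categories
        conns[category].add((src, sport, dst, dport))
    return {category: len(tuples) for category, tuples in conns.items()}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    for category, n in sorted(unique_connections(text).items()):
        print(category, n)
```

Note that one connection can be counted under two categories when two rules fire on it (the DDoS and WebAttack alerts above share a 4-tuple), which is one reason your totals may differ from the expected output.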

Tips for Success

  • Research attack patterns: Understand how each attack appears in traffic. For example, brute-force shows repeated TCP handshakes with small payloads.
  • Use time-based detection: For DDoS and brute-force, use detection_filter with a 1-second window.
  • Test incrementally: Start with one rule, run Snort, check alerts, then add more.
  • Ignore ICMP and IP: Focus on TCP and UDP traffic.
  • Leverage sample pcaps: They guide you on patterns but are not identical to the evaluation pcap.

Real-World Connection: Network Monitoring in 2026

Network monitoring is vital in today's threat landscape. In 2026, with the proliferation of AI-generated attacks, tools like Snort remain essential. For example, during the FIFA World Cup 2026 qualifiers, security teams monitor for DDoS targeting live streams. Similarly, botnet detection helps prevent infected IoT devices from launching attacks. By mastering Snort, you gain skills applicable to roles like SOC analyst or network engineer.

Think of Snort rules as a playbook in sports—each rule is a defensive play designed to stop specific offensive moves. Just as a coach adjusts strategies based on the opponent, you tweak rules based on traffic analysis.

Conclusion

This tutorial covered the core steps for CS6262 Project 4: analyzing pcap files with Wireshark, writing Snort rules for DDoS, brute-force, web attacks, and botnet detection, and validating results. Remember to test your rules thoroughly and use the provided scripts. Network monitoring is a hands-on skill; practice with different pcaps to build intuition. Good luck!