$1.$ Download and Install

$[$All commands are highlighted in Red text$]$ Access the terminal of the kali Linux apt$-$get install snort when it asks for the address range, retrieve the IP address using ifconfig on a separate terminal window check the subnet mask if its $16$ bit or $24$ bit and based on that give the ipaddress in the range

Example: if ipaddress is $192\mathrm{.}168\mathrm{.}1\mathrm{.}100$ and Subnet mask is $255\mathrm{.}255\mathrm{.}255\mathrm{.}0[24$ bit$],$ then range in snort should be $192\mathrm{.}168\mathrm{.}0\mathrm{.}0/24$

Let the installation complete! At successful installation it will return to default prompt.

$2.$ Edit Snort Configuration File and Rules Creation

$2\mathrm{.}1.$ Create a blank rules file to place your custom rules in$,$ this is different than the default rules used by snort touch $/$etc$/$snort$/$rules$/$custom$.$rules

$2\mathrm{.}2.$ edit the Snort configuration file to add to snort the newly created custom.rules file vi $/$etc$/$snort$/$snort$.$conf

$2\mathrm{.}3.$ type $/$include $RULE$\_$PATH $($this command will take you the rule inclusion page in the vi editor$)$

scroll down using pgdown or arrow keys till you reach the end of the include $RULE$\_$PATH entries

press $$i$$ key on keyboard edit the file in the vi editor

$1$

after the last default entry in the include $RULE$\_$PATH type include

$RULE$\_$PATH$/$custom$.$rules press $$esc$$ key on keyboard and then $$wq$$ to save and quit the snort configuration file

$2\mathrm{.}4.$ Creating a location for log files and verify if the log file are getting populated mkdir log snort $$ l $./$log $$b $$c $/$etc$/$snort$/$snort$.$conf $($this will start snort and run the live traffic on the computer and network against the rules in the snort.conf$)$ ctrl$+$z cd log

ls

if the list command results with files such as $$alert$$ and $$snort$.$log$.<>$ then

your snort is running and generating logs as well successfully

rm$*($Removes the contents of the log files$)$

$2\mathrm{.}5.$ Creating custom rule to detect icmp attack or ping attack vi $/$etc$/$snort$/$rules$/$custom$.$rules press $$i$$ to enter into insert mode alert icmp any any $->$ any any $($msg: $$Possible ping attack$$; sid: $999995$;$)$ press $$esc$$ key and then $$wq$$ to save the custom.rules file

$3.$ Launching the attack

Launch the snort on the Kali Linux

snort $-$l $./$log $-$p $-$c $/$etc$/$snort$/$snort$.$conf

From any other machine in the network ping the Kali Linux machine with unlimited number of packets

Let the snort run for a minute for the capture to work and log file get populated

$4.$ Reviewing the log file with attacks captured

cd log

ls

leafpad alert

The alert file should be populated with the alert message $$Possible ping attack$$ as configured in the custom rule file.