

Snort IDS/IPS — Custom Rules & CVE Detection
Snort is the most widely deployed open-source Network Intrusion Detection and Prevention System (IDS/IPS). This lab, completed for CY5150 Network Security Practices at Northeastern University (Prof. Kevin Amorin), configured Snort in both passive detection mode (IDS) and inline prevention mode (IPS) using Linux NFQUEUE to intercept and drop malicious traffic in real time. Custom detection rules were written and validated against real CVE traffic patterns, PCAP files, and live attack simulations.
The lab covered the full IDS/IPS workflow: environment setup, interface configuration, rule authoring, alert tuning, PCAP-based forensic analysis, and reverse shell traffic identification — the same skill set used in a SOC analyst or network security engineer role.
Technologies & Tools
- - Snort 3 (IDS + IPS mode)
- - Linux NFQUEUE (inline packet interception)
- - Wireshark / tcpdump (PCAP analysis)
- - Custom Snort rule authoring
- - Python (traffic generation scripts)
- - CY5150 Network Security Practices — Northeastern University
- - Instructor: Prof. Kevin Amorin

Course
CY5150 Network Security Practices
Instructor
Prof. Kevin Amorin
CVEs detected
CVE-2021-26855, CVE-2022-1388, CVE-2018-7600
Modes
IDS (passive) + IPS (NFQUEUE inline)
Custom Rule Coverage
SQL injection detection: Rules targeting common SQLi payload patterns in HTTP request bodies and URI parameters — UNION-based, error-based, and boolean-blind injection signatures. Rules tuned to minimize false positives against legitimate query strings while catching encoded and obfuscated injection attempts.
CVE-2021-26855 (ProxyLogon — Microsoft Exchange Server): Server-Side Request Forgery vulnerability allowing unauthenticated RCE on Exchange. Detection rule targeting the characteristic X-AnonResource-Backend header and the /ecp/ path pattern present in ProxyLogon exploit HTTP requests. Validated against public PCAP captures from CVE-2021-26855 exploitation.
CVE-2022-1388 (F5 BIG-IP iControl REST RCE): Authentication bypass allowing unauthenticated command execution via the iControl REST API. Detection rule targeting the X-F5-Auth-Token bypass header combined with the /mgmt/tm/util/bash endpoint — the characteristic signature of weaponized CVE-2022-1388 exploitation attempts.
CVE-2018-7600 (Drupalgeddon 2 — Drupal RCE): Remote Code Execution via crafted form submissions exploiting Drupal's Form API. Detection rule targeting the #post_render and #lazy_builder payload patterns injected into Drupal form parameters, which are the fingerprint of automated Drupalgeddon 2 exploitation tools.
Reverse shell detection: Custom rules identifying reverse shell connection patterns — outbound connections on non-standard ports matching bash, netcat, and Python reverse shell command signatures in payload data. Also covered Meterpreter staging traffic signatures (HTTPS beaconing patterns, stage download URIs).

Analysis mode
Forensic PCAP + live traffic
Prevention
NFQUEUE inline drop
IPS Mode & PCAP Forensics
IPS / NFQUEUE: Configured Snort to operate inline using Linux NFQUEUE, which intercepts packets from the kernel's netfilter before forwarding. In this mode, Snort can issue a REJECT or DROP verdict on matched packets in real time — not just alert. Rules were validated in IPS mode to confirm that matched traffic was dropped without disrupting unrelated flows.
PCAP forensic analysis: Analyzed multiple PCAP captures containing embedded attack traffic — identifying attack sequences, reconstructing exploit chains from packet-level evidence, and correlating Snort alerts to specific packets. This workflow mirrors the evidence reconstruction step in incident response — taking a raw capture and attributing traffic to specific CVE exploitation patterns.
The combination of custom rule authoring and PCAP-based validation gives a ground-truth understanding of what IDS evasion looks like from the defender's side — the same knowledge that informs bypass techniques when operating offensively.
