I worked through the Snort Basics room on TryHackMe, which was a great introduction to using Snort as an intrusion detection tool. Instead of jumping straight into live attacks, this room focused on understanding how Snort works, how to run it in different modes, and how to read the output it produces. I learned how to start Snort in simple packet-sniffing mode to watch network traffic as it flows, and then in packet-logging mode to save that traffic for later analysis. From there, I began experimenting with writing my first Snort rules, which are the instructions that tell Snort what to look for—like specific IP addresses, ports, or keywords in network data.
By the end of the room, I had hands-on practice with creating and testing basic detection rules, and I gained a solid foundation in how Snort operates. It gave me the confidence to move beyond just recognizing what network traffic looks like, to actually defining what “bad” traffic might be and telling Snort how to catch it. This room set me up perfectly for the live attack scenarios that came next, where those basic skills got put into action.