Quantitative Evaluation of Snort IDS Rule Effectiveness against DDOS, Brute-Force, and MITM Attacks in a Controlled Lab Network
DOI: https://doi.org/10.63125/6wrx6y24
Keywords: Intrusion Detection Systems, Snort IDS, Cyberattack Detection, Network Security, Rule-Based Detection
Abstract
Intrusion detection systems play a critical role in protecting network infrastructures from increasingly sophisticated cyber threats. This study quantitatively evaluated the effectiveness of Snort intrusion detection system rules in detecting three common categories of cyberattacks, namely distributed denial-of-service (DDoS) attacks, brute-force authentication attempts, and man-in-the-middle (MITM) interception attacks, within a controlled laboratory network environment. A quantitative experimental design was implemented in which simulated attack scenarios were executed across multiple experimental runs while network traffic was monitored using Snort IDS. The dataset consisted of packet capture logs, IDS alert records, and rule activation events generated during 30 experimental attack sessions and 10 baseline monitoring sessions. Across all sessions, a total of approximately 1,245,600 network packets were captured and analyzed, producing 360 confirmed attack events used to evaluate IDS detection performance. Detection effectiveness was measured using several quantitative indicators, including detection rate, alert frequency, rule trigger counts, false positive events, and false negative occurrences. The results indicated that detection performance differed significantly across the three attack categories. DDoS attacks achieved the highest detection rate at 94.2%, with 113 out of 120 attack events successfully identified by the IDS. Brute-force authentication attacks produced a detection rate of 88.3%, with 106 detected events out of 120 attempts. In contrast, MITM attack simulations produced a lower detection rate of 76.7%, with 92 detected events and 28 undetected attack instances. The IDS generated a total of 1,128 alerts and 1,542 rule activation events during monitoring, with DDoS scenarios producing the highest alert frequency due to the high-volume traffic patterns associated with flooding attacks.
Statistical analysis confirmed that the differences in detection performance across attack categories were statistically significant. Effect size analysis further demonstrated a large practical difference between DDoS and MITM detection performance. The findings indicated that rule-based intrusion detection systems were highly effective in identifying volumetric and repetitive attack patterns but showed comparatively lower performance in detecting subtle packet interception behaviors. These results contribute empirical evidence regarding the operational strengths and limitations of rule-based intrusion detection systems in controlled network security environments.
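The per-category counts quoted above (113/120, 106/120, 92/120), carried through the detection-rate, significance and effect-size arithmetic the abstract summarises, as an added worked example that is not code from the paper. The paper does not name its statistical test or effect-size measure, so Pearson's chi-square test of independence on the 3x2 detected/undetected table, Cramér's V, and a pairwise odds ratio are assumptions made here.

```python
import math

# Detected / undetected counts per attack category, constructed from the
# figures stated in the abstract (120 attack events per category).
COUNTS = {
    "DDoS": (113, 7),
    "Brute-force": (106, 14),
    "MITM": (92, 28),
}


def detection_rates(counts):
    """Detection rate per category as a percentage rounded to one decimal."""
    return {k: round(100 * d / (d + u), 1) for k, (d, u) in counts.items()}


def chi_square_independence(counts):
    """Pearson chi-square for an r x 2 detected/undetected table.

    Returns (chi2, df, p_value). Assumption: the paper does not state which
    test it used. The p-value uses the closed-form chi-square survival
    function for df = 2, exp(-x / 2), which is exact for three categories.
    """
    rows = list(counts.values())
    n = sum(d + u for d, u in rows)
    col_tot = [sum(r[j] for r in rows) for j in (0, 1)]
    chi2 = 0.0
    for d, u in rows:
        row_tot = d + u
        for j, observed in enumerate((d, u)):
            expected = row_tot * col_tot[j] / n
            chi2 += (observed - expected) ** 2 / expected
    df = len(rows) - 1
    if df != 2:
        raise ValueError("closed-form p-value implemented for df = 2 only")
    return chi2, df, math.exp(-chi2 / 2)


def cramers_v(chi2, n, n_rows, n_cols):
    """Table-wide effect size for the chi-square statistic (assumed measure)."""
    return math.sqrt(chi2 / (n * min(n_rows - 1, n_cols - 1)))


def odds_ratio(counts, a, b):
    """Odds of detection in category a relative to category b (assumed
    pairwise effect-size measure, e.g. DDoS versus MITM)."""
    da, ua = counts[a]
    db, ub = counts[b]
    return (da * ub) / (ua * db)
```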
