Network Security Monitoring with Suricata
Building upon your existing home lab infrastructure, this guide will walk you through deploying Suricata, a powerful Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) for comprehensive network security monitoring.
Prerequisites
Before starting this tutorial, ensure you have completed:
- Building a Cybersecurity Home Lab - Basic lab setup
- Deploying Vulnerable Applications - Target systems for monitoring
What is Suricata?
Suricata is an open-source network analysis and threat detection engine capable of:
- Real-time intrusion detection (IDS)
- Inline intrusion prevention (IPS)
- Network security monitoring (NSM)
- Offline pcap processing
Key Features
- Multi-threading architecture for high performance
- Protocol identification and parsing
- File extraction and analysis
- TLS/SSL certificate logging
- HTTP transaction logging
- DNS query logging
- Custom rule creation and management
Lab Architecture
Network Topology
[Internet] → [pfSense Router] → [Suricata Sensor] → [Internal Network]
                                       ↓
                               [SIEM/Log Server]
                                       ↓
                             [Analyst Workstation]
System Requirements
- Suricata Sensor: 4GB RAM, 2 vCPUs, 100GB storage
- Log Server: 8GB RAM, 4 vCPUs, 500GB storage
- Network Interface: Promiscuous mode capability
- Operating System: Ubuntu 22.04 LTS or CentOS Stream 9
Installation and Configuration
Step 1: Suricata Installation
Ubuntu/Debian Installation
# Update system packages
sudo apt update && sudo apt upgrade -y
# Install Suricata from OISF repository
sudo apt install software-properties-common -y
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt update
sudo apt install suricata -y
# Verify installation
suricata --version
CentOS/RHEL Installation
# Enable EPEL repository
sudo dnf install epel-release -y
# Install Suricata
sudo dnf install suricata -y
# Enable and start service
sudo systemctl enable suricata
sudo systemctl start suricata
Step 2: Network Interface Configuration
Identify Network Interfaces
# List available interfaces
ip link show
# Check interface capabilities
sudo ethtool -k eth0 | grep receive-offload
Configure Interface for Monitoring
# Disable hardware offloading (critical for IDS)
sudo ethtool -K eth0 rx off tx off
sudo ethtool -K eth0 sg off tso off ufo off gso off gro off lro off
# Make changes persistent. /etc/rc.local is not present by default on Ubuntu 22.04; it needs a shebang and the exec bit
[ -f /etc/rc.local ] || echo '#!/bin/sh' | sudo tee /etc/rc.local
echo 'ethtool -K eth0 rx off tx off sg off tso off ufo off gso off gro off lro off' | sudo tee -a /etc/rc.local
sudo chmod +x /etc/rc.local
Step 3: Suricata Configuration
Main Configuration File
# /etc/suricata/suricata.yaml
# Network interfaces
af-packet:
  - interface: eth0
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes

# Home networks (customize for your lab)
vars:
  address-groups:
    HOME_NET: "[192.168.1.0/24,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DC_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"
  port-groups:
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000
    MODBUS_PORTS: 502
    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
    FTP_PORTS: 21
    GENEVE_PORTS: 6081
    VXLAN_PORTS: 4789
    TEREDO_PORTS: 3544

# Logging configuration (Suricata's own engine log, not event output)
logging:
  default-log-level: notice
  outputs:
    - console:
        enabled: yes
    - file:
        enabled: yes
        level: info
        filename: /var/log/suricata/suricata.log
    - syslog:
        enabled: no
        facility: local5
        format: "[%i] <%d> -- "

# Output plugins (event logs written to /var/log/suricata)
outputs:
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      types:
        - alert:
            payload: yes
            payload-buffer-size: 4kb
            payload-printable: yes
            packet: yes
            metadata: no
            http-body: yes
            http-body-printable: yes
            tagged-packets: yes
        - http:
            extended: yes
        - dns:
            query: yes
            answer: yes
        - tls:
            extended: yes
        - files:
            force-magic: no
        - smtp:
        - ssh
        - stats:
            totals: yes
            threads: no
            deltas: no
        - flow
Step 4: Rule Management
Download and Install Rules
# suricata-update ships with the Suricata packages installed above; install it from pip only if it is missing
which suricata-update || sudo pip3 install suricata-update
# Initialize suricata-update
sudo suricata-update
# Update rules
sudo suricata-update update-sources
sudo suricata-update
# Enable specific rule sources
sudo suricata-update enable-source et/open
sudo suricata-update enable-source oisf/trafficid
sudo suricata-update
Custom Rule Creation
# Create custom rules directory
sudo mkdir -p /etc/suricata/rules/custom
# Example custom rule
echo 'alert tcp any any -> $HOME_NET 22 (msg:"SSH Connection Attempt"; flow:to_server; flags:S; sid:1000001; rev:1;)' | sudo tee /etc/suricata/rules/custom/ssh-monitoring.rules
# Include custom rules in the main config by adding the file to the EXISTING rule-files list in
# /etc/suricata/suricata.yaml. Appending a second "rule-files:" key with echo creates a duplicate
# YAML key and an invalid configuration. The list should look like:
#   rule-files:
#     - suricata.rules
#     - /etc/suricata/rules/custom/ssh-monitoring.rules
# Validate the configuration and rules, then reload
sudo suricata -T -c /etc/suricata/suricata.yaml -v
sudo systemctl restart suricata
Step 5: Log Management and Analysis
Logrotate Configuration
# Configure log rotation
sudo tee /etc/logrotate.d/suricata << EOF
/var/log/suricata/*.log /var/log/suricata/*.json {
    daily
    missingok
    rotate 30
    compress
    delaycompress
    sharedscripts
    create 640 suricata suricata
    postrotate
        /bin/kill -HUP \`cat /var/run/suricata.pid 2>/dev/null\` 2>/dev/null || true
    endscript
}
EOF
Real-time Log Monitoring
# Monitor alerts in real-time
sudo tail -f /var/log/suricata/fast.log
# Monitor EVE JSON logs
sudo tail -f /var/log/suricata/eve.json | jq
# Monitor specific event types
sudo tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")'
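The jq one-liners above are fine for watching a live stream, but triage usually needs the alerts grouped by signature and by source host. The script below is an added example (not part of the original guide) that reads EVE JSON records, keeps only event_type "alert", skips the partially written last line you get when reading a live eve.json, and counts by (signature_id, signature) and by src_ip. The sample records are constructed, not captured traffic; the file path is the default from this guide.

```python
"""Summarise Suricata EVE JSON alerts by signature and source host.

Assumed usage: sudo python3 eve_alerts.py /var/log/suricata/eve.json
(with no argument it runs over the constructed sample records below).
"""
import json
import sys
from collections import Counter


def iter_events(lines):
    """Yield parsed EVE records; skip blank or truncated lines (a half-written
    last line is normal when reading an eve.json that Suricata is still appending to)."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def summarize_alerts(lines):
    """Return (by_signature, by_source) Counters built from alert events only."""
    by_sig, by_src = Counter(), Counter()
    for ev in iter_events(lines):
        if ev.get("event_type") != "alert":
            continue
        alert = ev["alert"]
        by_sig[(alert["signature_id"], alert["signature"])] += 1
        by_src[ev.get("src_ip", "?")] += 1
    return by_sig, by_src


# Constructed sample: two hits on the guide's custom SSH rule (sid 1000001), one flow
# event (ignored) and one truncated alert line (skipped as unparsable).
SAMPLE_EVE = [
    '{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.168.1.10","dest_port":22,"proto":"TCP","alert":{"signature_id":1000001,"rev":1,"signature":"SSH Connection Attempt","severity":3}}',
    '{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"192.168.1.10","proto":"TCP"}',
    '{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.168.1.11","dest_port":22,"proto":"TCP","alert":{"signature_id":1000001,"rev":1,"signature":"SSH Connection Attempt","severity":3}}',
    '{"timestamp":"2024-01-01T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"192.168.1.100","dest_port":80,"proto":"TCP","alert":{"signature_id":1000002,"rev":1,"signature":"LAB Test User-Agent","sev',
]

if __name__ == "__main__":
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EVE
    by_sig, by_src = summarize_alerts(source)
    for (sid, sig), n in by_sig.most_common():
        print(f"{n:6d}  sid:{sid}  {sig}")
    for ip, n in by_src.most_common(10):
        print(f"{n:6d}  {ip}")
```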
Integration with SIEM
ELK Stack Integration
Filebeat Configuration
# /etc/filebeat/filebeat.yml
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/suricata/eve.json
    json.keys_under_root: true
    json.add_error_key: true
    fields:
      logtype: suricata
    fields_under_root: true

output.elasticsearch:
  hosts: ["elasticsearch:9200"]
  index: "suricata-%{+yyyy.MM.dd}"

setup.template.name: "suricata"
setup.template.pattern: "suricata-*"
Kibana Dashboard Creation
{
  "dashboard": {
    "id": "suricata-overview",
    "title": "Suricata Security Overview",
    "visualizations": [
      {
        "id": "alerts-over-time",
        "type": "line",
        "query": "event_type:alert"
      },
      {
        "id": "top-signatures",
        "type": "data_table",
        "query": "event_type:alert",
        "aggregation": "terms",
        "field": "alert.signature"
      },
      {
        "id": "protocol-distribution",
        "type": "pie",
        "query": "event_type:flow",
        "aggregation": "terms",
        "field": "proto"
      }
    ]
  }
}
Splunk Integration
Universal Forwarder Configuration
# /opt/splunkforwarder/etc/system/local/inputs.conf
[monitor:///var/log/suricata/eve.json]
disabled = false
index = security
sourcetype = suricata:eve:json
host_segment = 4

[monitor:///var/log/suricata/fast.log]
disabled = false
index = security
sourcetype = suricata:alert
host_segment = 4
Performance Tuning
System Optimization
Kernel Parameters
# /etc/sysctl.conf optimizations
echo 'net.core.rmem_default = 262144' | sudo tee -a /etc/sysctl.conf
echo 'net.core.rmem_max = 16777216' | sudo tee -a /etc/sysctl.conf
echo 'net.core.netdev_max_backlog = 5000' | sudo tee -a /etc/sysctl.conf
# Apply changes
sudo sysctl -p
CPU Affinity
# Pin Suricata to specific CPU cores. Suricata has no --cpu-affinity command-line flag;
# core pinning is configured in the threading section of suricata.yaml (see Worker Thread
# Configuration below). Individual YAML keys can be overridden from the command line with --set:
echo 'SURICATA_OPTIONS="--set threading.set-cpu-affinity=yes"' | sudo tee -a /etc/default/suricata
Suricata-Specific Tuning
Worker Thread Configuration
# In suricata.yaml
threading:
  set-cpu-affinity: yes
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 0 ]
    - receive-cpu-set:
        cpu: [ 1 ]
    - worker-cpu-set:
        cpu: [ 2, 3 ]
        mode: "exclusive"
Memory Management
# In suricata.yaml
defrag:
  memcap: 32mb
  hash-size: 65536
  trackers: 65535
  max-frags: 65535
  prealloc: yes
  timeout: 60

flow:
  memcap: 128mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30
Testing and Validation
Generate Test Traffic
# Install nmap for testing
sudo apt install nmap -y
# Generate various types of traffic
nmap -sS 192.168.1.0/24 # SYN scan
nmap -sU 192.168.1.1 # UDP scan
curl -A "BADBOT" http://192.168.1.100/ # User-agent alert
# Test with EICAR string
echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > eicar.txt
python3 -m http.server 8000 # Serve file for download test
Alert Verification
# Check for generated alerts
sudo grep -i "EICAR" /var/log/suricata/fast.log
sudo grep -i "nmap" /var/log/suricata/fast.log
# Verify JSON events
sudo jq '.event_type' /var/log/suricata/eve.json | sort | uniq -c
Advanced Features
File Extraction
# In suricata.yaml
file-store:
  version: 2
  enabled: yes
  dir: /var/log/suricata/files
  write-fileinfo: yes
  write-meta: yes
  include-pid: yes
Protocol Detection
# Enhanced protocol detection
app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        dp: 443
    http:
      enabled: yes
      libhtp:
        default-config:
          personality: IDS
          request-body-limit: 100kb
          response-body-limit: 100kb
Lua Scripting
-- /etc/suricata/scripts/custom-detection.lua
-- Referenced from a rule with the "lua" keyword; init() declares which buffer the script needs,
-- match() returns 1 for a match and 0 otherwise.
function init (args)
    local needs = {}
    needs["http.request_line"] = tostring(true)
    return needs
end

function match(args)
    local request_line = HttpGetRequestLine()
    if request_line then
        if string.find(request_line, "admin") then
            return 1
        end
    end
    return 0
end
Troubleshooting
Common Issues
High CPU Usage
# Check thread distribution
sudo grep "thread" /var/log/suricata/suricata.log
# Monitor CPU usage per core
htop
# Adjust the run mode; core pinning itself is set in the threading section of suricata.yaml
sudo systemctl edit suricata
# Add: Environment="SURICATA_OPTIONS=--runmode=workers --set threading.set-cpu-affinity=yes"
Packet Drops
# Check interface statistics
sudo ethtool -S eth0 | grep drop
# Monitor Suricata stats
sudo tail -f /var/log/suricata/stats.log
# Increase buffer sizes
echo 'net.core.netdev_max_backlog = 10000' | sudo tee -a /etc/sysctl.conf
Memory Issues
# Monitor memory usage
sudo grep -i memcap /var/log/suricata/suricata.log
# Adjust memory caps in suricata.yaml
# Increase flow.memcap and stream.memcap values
Performance Monitoring
#!/bin/bash
# suricata-stats.sh
# Counter names in stats.log are lowercase (capture.kernel_packets, flow.memuse), so match case-insensitively
while true; do
    echo "=== $(date) ==="
    sudo grep -i "capture.kernel" /var/log/suricata/stats.log | tail -2
    sudo grep -i "flow.memuse" /var/log/suricata/stats.log | tail -1
    echo "CPU Usage: $(top -bn1 | grep suricata | head -1 | awk '{print $9}')%"
    echo "Memory: $(ps aux | grep suricata | grep -v grep | head -1 | awk '{print $6}') KB"
    echo ""
    sleep 60
done
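Grepping the latest counters, as in the Packet Drops section and the script above, shows only cumulative totals since Suricata started. The drop rate that matters is per interval, which is the delta of kernel_drops over the delta of kernel_packets between consecutive EVE "stats" records (enabled under eve-log types earlier in this guide). The script below is an added example, not part of the original guide: it computes that rate, handles a counter reset after a restart, and flags intervals above an assumed 1% threshold. The sample stats records are constructed.

```python
"""Per-interval packet drop rate from Suricata EVE 'stats' records.

Counters are cumulative, so each interval's rate is (drops delta) / (packets delta).
Assumed usage: sudo python3 eve_drops.py /var/log/suricata/eve.json
"""
import json
import sys

DROP_WARN_PCT = 1.0  # assumed threshold; tune for your sensor


def drop_rates(lines):
    """Yield (timestamp, packets, drops, drop_pct) for each interval between stats records."""
    prev = None
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or half-written line
        if ev.get("event_type") != "stats":
            continue
        cap = ev.get("stats", {}).get("capture", {})
        cur = (cap.get("kernel_packets", 0), cap.get("kernel_drops", 0))
        if prev is not None:
            pkts, drops = cur[0] - prev[0], cur[1] - prev[1]
            if pkts < 0 or drops < 0:
                prev = cur  # counters went backwards: Suricata restarted, start a new baseline
                continue
            pct = 100.0 * drops / pkts if pkts else 0.0
            yield ev.get("timestamp"), pkts, drops, round(pct, 2)
        prev = cur


# Constructed sample: healthy interval, 3% drop interval, a restart (counters reset), then 0.5%.
SAMPLE_STATS = [
    '{"timestamp":"2024-01-01T10:00:00+0000","event_type":"stats","stats":{"capture":{"kernel_packets":0,"kernel_drops":0}}}',
    '{"timestamp":"2024-01-01T10:00:08+0000","event_type":"stats","stats":{"capture":{"kernel_packets":100000,"kernel_drops":0}}}',
    '{"timestamp":"2024-01-01T10:00:16+0000","event_type":"stats","stats":{"capture":{"kernel_packets":200000,"kernel_drops":3000}}}',
    '{"timestamp":"2024-01-01T10:01:00+0000","event_type":"stats","stats":{"capture":{"kernel_packets":5000,"kernel_drops":0}}}',
    '{"timestamp":"2024-01-01T10:01:08+0000","event_type":"stats","stats":{"capture":{"kernel_packets":15000,"kernel_drops":50}}}',
]

if __name__ == "__main__":
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_STATS
    for ts, pkts, drops, pct in drop_rates(source):
        flag = "  <-- DROPS" if pct >= DROP_WARN_PCT else ""
        print(f"{ts}  packets={pkts:<8d} drops={drops:<6d} {pct:5.2f}%{flag}")
```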
Security Best Practices
Hardening Guidelines
- Run Suricata as non-root user
- Implement proper file permissions
- Regular rule updates and testing
- Secure log file access
- Network segmentation for monitoring traffic
Maintenance Tasks
- Weekly rule updates
- Monthly performance reviews
- Quarterly signature tuning
- Annual architecture reviews
Conclusion
You now have a fully functional network security monitoring system using Suricata in your home lab. This setup provides:
- Real-time threat detection across your entire network
- Comprehensive logging for forensic analysis
- Flexible rule management for custom detection scenarios
- Integration capabilities with popular SIEM platforms
- Performance optimization for high-throughput environments
Next Steps
- Tune rules based on your specific environment
- Integrate with SIEM for centralized log management
- Implement response automation using SOAR platforms
- Add network forensics capabilities with full packet capture
- Deploy threat hunting workflows and playbooks
This advanced monitoring capability significantly enhances your home lab’s security posture and provides valuable hands-on experience with enterprise-grade security tools.
Continue your home lab journey with Part 4: Incident Response Automation to build automated response capabilities.