Day 2 of 5
⏱ ~60 minutes
Network Security in 5 Days — Day 2

IDS/IPS and Network Monitoring

A firewall enforces policy on addresses, ports and connection state; it says little about what the traffic it permits actually carries. An IDS inspects that traffic and raises alerts on rule matches and suspicious behaviour (exploit attempts, lateral movement, data exfiltration, protocol abuse); an IPS sits inline and can drop it. Rules only catch what someone has written a rule for, so a true zero-day is caught, if at all, through the behaviour it produces (the beacon, the scan, the odd protocol use) rather than the exploit itself. Today covers Snort and Suricata rules, network visibility with Zeek, and Security Onion, which packages both.

Snort and Suricata Rules

Snort pioneered rule-based network intrusion detection. Each rule has an action (alert, drop, reject, pass), a protocol, source and destination addresses and ports joined by a direction operator, and a parenthesised list of options: the message, content matches and the buffer they apply to, flow and TCP flag constraints, thresholds, a classtype, and a unique sid/rev pair. Suricata, maintained by the OISF, is the other widely deployed engine: it is multi-threaded by design, supports Lua scripting, parses application protocols (HTTP, TLS, DNS, SMB and others) so rules can match on protocol fields rather than raw bytes, and can extract files from traffic. The two share a largely compatible rule syntax; Suricata adds keywords of its own, such as the http.uri sticky buffer, and a rule that leans on engine-specific keywords is not portable in either direction.

Zeek for Network Visibility

Zeek (formerly Bro) turns traffic into structured, tab-separated logs: conn.log (every connection, with bytes, duration and state), dns.log (every query and answer), http.log (every request), ssl.log (TLS handshakes, including SNI and certificate details), plus files.log, notice.log, weird.log and more. Every record carries the connection uid, so you can pivot from a DNS query to the connection that followed it to the HTTP request it carried. For threat hunting these are far more tractable than raw packets. Zeek is not a signature engine: its scripts run on the same event stream and can flag behavioural anomalies as they happen, so a host that suddenly issues 10,000 DNS queries per minute stands out clearly against its own baseline.
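The query-rate anomaly above, as an added example (not Zeek project code): a parser for Zeek's ASCII log format driven by the #fields header, followed by a per-host, per-minute DNS query count that flags hosts above a threshold. The dns.log content is constructed and keeps only a subset of the real columns; the hosts, names and the threshold of 20 are illustrative, and the threshold you use in practice must come from a baseline of your own network.

```python
"""Parse Zeek's tab-separated logs and flag hosts with an abnormal DNS query rate.

Added example for this lesson, not Zeek project code. The dns.log content is
constructed: it keeps a subset of the real columns, but the parser reads the
'#fields' header, so it works unchanged on real Zeek ASCII logs.
"""
from collections import defaultdict
from typing import Dict, List, Optional


def parse_zeek_tsv(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per record, keyed by the names in the #fields header.

    Header directives (#separator, #path, #open, #close, ...) carry no data
    and are skipped; Zeek's '-' unset marker becomes None. Only the default
    tab separator is handled.
    """
    fields: List[str] = []
    records: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        values = line.split("\t")
        if not fields or len(values) != len(fields):
            raise ValueError(f"record does not match #fields header: {line!r}")
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return records


def queries_per_window(records, window_seconds: int = 60) -> Dict[tuple, int]:
    """Count dns.log records per (source host, time bucket of window_seconds)."""
    counts: Dict[tuple, int] = defaultdict(int)
    for rec in records:
        bucket = int(float(rec["ts"]) // window_seconds)
        counts[(rec["id.orig_h"], bucket)] += 1
    return dict(counts)


def dns_rate_outliers(records, threshold: int, window_seconds: int = 60) -> Dict[str, int]:
    """Return {host: peak queries in any one window} for hosts above threshold.

    The threshold must come from a baseline of your own network: the lesson's
    10,000/minute figure is illustrative, and a recursive resolver or mail
    relay legitimately does what would be alarming from a workstation.
    """
    peaks: Dict[str, int] = defaultdict(int)
    for (host, _bucket), n in queries_per_window(records, window_seconds).items():
        peaks[host] = max(peaks[host], n)
    return {host: n for host, n in peaks.items() if n > threshold}


def constructed_dns_log() -> str:
    """Build a dns.log-shaped sample with a quiet host and a noisy one (constructed data)."""
    header = (
        "#separator \\x09\n"
        "#set_separator\t,\n"
        "#empty_field\t(empty)\n"
        "#unset_field\t-\n"
        "#path\tdns\n"
        "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery\tqtype_name\trcode_name\n"
        "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\tstring\n"
    )
    rows = []
    # 10.0.0.5: three ordinary lookups, the kind of traffic a baseline is made of
    for i, name in enumerate(["example.com", "www.example.com", "mail.example.com"]):
        rows.append(f"1700000000.{i}\tCq{i}\t10.0.0.5\t5{i}000\t10.0.0.53\t53\tudp\t{name}\tA\tNOERROR")
    # 10.0.0.9: fifty TXT lookups of unique labels inside 25 seconds, a tunnel/beacon shape
    for i in range(50):
        ts = 1700000000 + i * 0.5
        rows.append(f"{ts:.1f}\tCn{i}\t10.0.0.9\t{40000 + i}\t10.0.0.53\t53\tudp\t{i:04x}.c2.invalid\tTXT\t-")
    return header + "\n".join(rows) + "\n#close\t2023-11-14-22-13-20\n"


if __name__ == "__main__":
    recs = parse_zeek_tsv(constructed_dns_log())
    print(f"{len(recs)} dns.log records parsed")
    for host, peak in sorted(dns_rate_outliers(recs, threshold=20).items()):
        print(f"{host}: {peak} queries in one 60s window")
```

On a real sensor you would feed `open("dns.log").read()` to `parse_zeek_tsv` and raise the threshold to whatever your baseline supports; the same parser handles conn.log or http.log, since the column names come from the header rather than being hard-coded.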

Security Onion: The Complete NSM Platform

Security Onion bundles Zeek, Suricata, full packet capture, the Elastic stack (Elasticsearch and Kibana) and case management into a single analyst platform (TheHive supplied the case tracking in the 2.3 releases; 2.4 ships its own Cases module). You get full packet capture, structured Zeek logs, Suricata alert triage and case tracking in one VM, which is why it is widely used for training SOC analysts and network defenders. Production deployments split the roles across manager, sensor and search nodes; the single-VM import and evaluation modes are for learning and lab work.

```bash
# Suricata rule example: count new SSH connection attempts per source.
# flags:S counts SYNs only; without it every packet of an ordinary SSH
# session would count towards the threshold. Local rules use sids of 1000000 and up.
# alert tcp any any -> $HOME_NET 22 (msg:"SSH brute force"; flags:S; \
#   threshold: type threshold, track by_src, count 10, seconds 60; \
#   classtype:attempted-admin; sid:1000001; rev:1;)

# Run Suricata against a PCAP file (rules and HOME_NET come from suricata.yaml)
suricata -c /etc/suricata/suricata.yaml -r capture.pcap -l /var/log/suricata/

# Live interface monitoring (needs root or CAP_NET_RAW; add -D to daemonize)
suricata -c /etc/suricata/suricata.yaml -i eth0

# Zeek: analyze a PCAP with the default 'local' site policy; logs land in the cwd
zeek -r capture.pcap local
ls *.log
# conn.log, dns.log, http.log, ssl.log, files.log, weird.log ...

# Search Zeek logs: the 20 longest-lived connections (long-lived beacons and tunnels)
zeek-cut id.orig_h id.resp_h id.resp_p proto duration < conn.log \
  | sort -n -k5 | tail -20

# View Suricata alerts. fast.log is one line per alert; eve.json is the full
# JSON record and mixes event types (flow, dns, http, alert ...), so select
# alerts explicitly before reading the .alert block
cat /var/log/suricata/fast.log
jq -r 'select(.event_type=="alert") | .alert.signature' /var/log/suricata/eve.json \
  | sort | uniq -c | sort -rn
```
💡
Tune your IDS rules before production deployment. A high false positive rate causes alert fatigue — analysts stop investigating and miss real attacks buried in the noise.
📝 Day 2 Exercise
Write a Custom Suricata Rule
  1. Install Suricata on your Linux VM: sudo apt install suricata, then sudo suricata-update to fetch the Emerging Threats Open ruleset
  2. Download a sample malware PCAP from malware-traffic-analysis.net (the archives are password-protected and the password is stated on each page; keep the samples on an isolated VM)
  3. Run Suricata against the PCAP: mkdir -p /tmp/logs && suricata -c /etc/suricata/suricata.yaml -r sample.pcap -l /tmp/logs/
  4. Review alerts in /tmp/logs/eve.json using jq, selecting records with event_type "alert" before reading .alert.signature
  5. Write a custom rule detecting HTTP requests to a specific URI pattern (use the http.uri sticky buffer and a sid of 1000000 or higher), save it to a local rules file, and test it by rerunning Suricata with -S your.rules -r sample.pcap; confirm the alert appears, then run a clean PCAP the same way to confirm it stays silent
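A worked version of the rule anatomy from the Snort/Suricata section and of exercise step 5, as an added example (not Suricata project code): a builder for a URI-pattern rule in Suricata 5+ syntax, the argv for replaying a PCAP through only that rule, and a triage function that groups eve.json alert records by signature. The eve.json lines are constructed to mimic real alert and flow records; the URI /gate.php, sid 1000002, the signature names and the IP addresses are illustrative, and the main() block only completes if Suricata is installed.

```python
"""Write a custom Suricata rule for a URI pattern and triage the eve.json it yields.

Added example for this lesson, not Suricata project code. The rule uses the
http.uri sticky buffer (Suricata 5+ syntax). The eve.json lines are constructed
to mimic real 'alert' and 'flow' records; the URI /gate.php, sid 1000002, the
signature names and the IP addresses are illustrative choices, and the
suricata invocation in main() only runs if you have the engine installed.
"""
import json
import subprocess
from collections import defaultdict
from typing import Dict, Iterable, List


def build_uri_rule(uri_fragment: str, sid: int, msg: str, rev: int = 1) -> str:
    """Return a Suricata rule alerting on client HTTP requests whose URI contains uri_fragment.

    - protocol 'http' hands matching to the HTTP parser, so it fires on any
      port (a 'tcp ... -> any 80' rule would miss C2 on 8080).
    - flow:established,to_server limits it to requests, not responses.
    - http.uri selects the normalized URI buffer; nocase defeats /GATE.PHP tricks.
    - sids from 1000000 upward are reserved for local rules.
    """
    if sid < 1000000:
        raise ValueError("use a sid of 1000000 or higher for local rules")
    # '"', ';' and '\' are special inside content:"..."; '|' delimits hex bytes
    frag = (uri_fragment.replace("\\", "\\\\").replace('"', '\\"')
            .replace(";", "\\;").replace("|", "|7C|"))
    return (
        f'alert http any any -> any any (msg:"{msg}"; flow:established,to_server; '
        f'http.uri; content:"{frag}"; nocase; classtype:trojan-activity; '
        f'sid:{sid}; rev:{rev};)'
    )


def suricata_pcap_cmd(pcap: str, rules_file: str, log_dir: str) -> List[str]:
    """argv to replay a PCAP through ONLY rules_file (-S is exclusive; -s would add to the configured set)."""
    return ["suricata", "-c", "/etc/suricata/suricata.yaml", "-S", rules_file, "-r", pcap, "-l", log_dir]


def summarize_alerts(eve_lines: Iterable[str]) -> Dict[str, dict]:
    """Group eve.json alert records by signature: hit count, sid, sources, URIs seen.

    eve.json is one JSON object per line and mixes event types (flow, dns,
    http, alert ...), so filter on event_type before reading the alert block.
    """
    summary: Dict[str, dict] = defaultdict(
        lambda: {"count": 0, "sid": None, "sources": defaultdict(int), "uris": set()})
    for line in eve_lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        entry = summary[ev["alert"]["signature"]]
        entry["count"] += 1
        entry["sid"] = ev["alert"]["signature_id"]
        entry["sources"][ev["src_ip"]] += 1
        url = ev.get("http", {}).get("url")  # present when the alert fired on an HTTP transaction
        if url:
            entry["uris"].add(url)
    return {sig: {**e, "sources": dict(e["sources"])} for sig, e in summary.items()}


# Constructed eve.json lines: one flow record (not an alert) and three alerts.
CONSTRUCTED_EVE = [
    json.dumps({"timestamp": "2024-03-01T10:00:01.000000+0000", "event_type": "flow",
                "src_ip": "10.0.0.5", "dest_ip": "203.0.113.7", "proto": "TCP"}),
    json.dumps({"timestamp": "2024-03-01T10:00:02.000000+0000", "event_type": "alert",
                "src_ip": "10.0.0.5", "src_port": 51234, "dest_ip": "203.0.113.7", "dest_port": 8080,
                "proto": "TCP", "alert": {"action": "allowed", "signature_id": 1000002, "rev": 1,
                "signature": "LOCAL Malware C2 check-in URI", "category": "A Network Trojan was detected",
                "severity": 1}, "http": {"hostname": "203.0.113.7", "url": "/gate.php?id=1",
                "http_method": "POST"}}),
    json.dumps({"timestamp": "2024-03-01T10:00:09.000000+0000", "event_type": "alert",
                "src_ip": "10.0.0.9", "src_port": 49152, "dest_ip": "203.0.113.7", "dest_port": 8080,
                "proto": "TCP", "alert": {"action": "allowed", "signature_id": 1000002, "rev": 1,
                "signature": "LOCAL Malware C2 check-in URI", "category": "A Network Trojan was detected",
                "severity": 1}, "http": {"hostname": "203.0.113.7", "url": "/GATE.PHP",
                "http_method": "POST"}}),
    json.dumps({"timestamp": "2024-03-01T10:01:00.000000+0000", "event_type": "alert",
                "src_ip": "198.51.100.4", "src_port": 40001, "dest_ip": "10.0.0.22", "dest_port": 22,
                "proto": "TCP", "alert": {"action": "allowed", "signature_id": 1000001, "rev": 1,
                "signature": "SSH brute force", "category": "Attempted Administrator Privilege Gain",
                "severity": 1}}),
]


if __name__ == "__main__":
    rule = build_uri_rule("/gate.php", 1000002, "LOCAL Malware C2 check-in URI")
    with open("custom.rules", "w") as fh:
        fh.write(rule + "\n")
    print(rule)
    # Replay the exercise PCAP through the custom rule only; run a clean PCAP the
    # same way afterwards to confirm the rule stays silent (false-positive check).
    subprocess.run(suricata_pcap_cmd("sample.pcap", "custom.rules", "/tmp/logs"), check=True)
    with open("/tmp/logs/eve.json") as fh:
        for sig, info in summarize_alerts(fh).items():
            print(f"{info['count']:4d}  sid {info['sid']}  {sig}  from {sorted(info['sources'])}")
```

The two alerts with different URI casing collapse onto one signature because of nocase; if the same source keeps hitting the rule, the next step is to pivot on the Zeek conn.log uid for that flow rather than to read more alerts.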

Day 2 Summary

  • Suricata and Snort use rule-based detection for known attack signatures
  • Zeek creates structured logs far more useful than raw packet capture
  • Security Onion bundles IDS, logging, and case management in one platform
  • False positive tuning is critical — alert fatigue defeats monitoring programs
  • Custom rules allow detection of organization-specific threats
Challenge

Download 3 different malware PCAPs from malware-traffic-analysis.net. Run them through Suricata and Zeek. Write a one-paragraph analysis of each, identifying the malware family and infection chain.
