
Network Monitoring & IDS Integration (Home Lab)

November 2025
Tags: Networking, Suricata, IDS, Wazuh

Project Overview

This project focused on Network Security Monitoring (NSM) by integrating Suricata IDS with the existing Wazuh SIEM infrastructure. The objective was to correlate network-level signatures with host-level logs for a holistic threat detection capability.

Key Technologies

  • Suricata v7.0.3: For high-performance network threat detection.
  • Wazuh SIEM: For log aggregation and alerting.
  • Eve.json: JSON-based logging for structured data analysis.

Implementation Details

Suricata Configuration

  • Configured Suricata in AF_PACKET mode for efficient packet capture on recent Linux kernels.
  • Resolved interface binding challenges (binding to tailscale0 vs eth0) to ensure correct traffic visibility.
  • Enabled the Emerging Threats Open ruleset, loading over 46,000 signatures for known malware, C2 traffic, and exploit kits.

Log Pipeline

Built a robust pipeline to ingest detections:

  1. Suricata writes alerts to eve.json.
  2. Wazuh Agent reads the JSON stream in real-time.
  3. Wazuh Manager parses tags and triggers alerts.
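As an added example (not code from this project, Suricata or Wazuh), the reader below does in miniature what the agent and manager steps above do: it consumes eve.json lines, keeps only alert events, normalises the fields a SIEM rule would match on, and groups repeated hits per signature and source so a port scan does not raise one alert per probe. The log lines, signature IDs, addresses and thresholds are constructed placeholders.

```python
import json
from collections import Counter

# Constructed eve.json lines: one DNS event, three alerts, one partial write
# of the kind a tailing agent sees while Suricata is mid-flush.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2025-11-02T10:00:00.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","proto":"UDP","dns":{"type":"query","rrname":"example.com"}}',
    '{"timestamp":"2025-11-02T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.7","src_port":41000,"dest_ip":"10.0.0.5","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"CONSTRUCTED SCAN Nmap SYN probe","category":"Attempted Information Leak","severity":2}}',
    '{"timestamp":"2025-11-02T10:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.7","src_port":41001,"dest_ip":"10.0.0.5","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"CONSTRUCTED SCAN Nmap SYN probe","category":"Attempted Information Leak","severity":2}}',
    '{"timestamp":"2025-11-02T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":50000,"dest_ip":"203.0.113.9","dest_port":4444,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":1,"signature":"CONSTRUCTED MALWARE Suspicious outbound to non-standard port","category":"A Network Trojan was detected","severity":1}}',
    '{"timestamp":"2025-11-02T10:00:04.000000+0000","event_type":"ale',
]


def parse_eve_alerts(lines, min_severity=3):
    """Yield normalised alert records from raw eve.json lines.

    Suricata severity: 1 is the most severe. Non-alert events (dns, flow, ...)
    and unparseable lines (a partial write) are skipped instead of aborting
    the stream, which is what a log-tailing agent has to do.
    """
    for raw in lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") != "alert":
            continue
        a = ev["alert"]
        if a.get("severity", 3) > min_severity:
            continue
        yield {
            "ts": ev["timestamp"],
            "sid": a["signature_id"],
            "signature": a["signature"],
            "severity": a["severity"],
            "src_ip": ev["src_ip"],
            "dst": f"{ev['dest_ip']}:{ev.get('dest_port', '')}",
        }


def summarise(records, burst_threshold=2):
    """Collapse repeated (sid, src_ip) hits into one row each, flagged as a
    burst once the count reaches the threshold. This is the grouping a SIEM
    rule applies so scan noise produces one correlated alert, not one per probe."""
    counts = Counter((r["sid"], r["src_ip"]) for r in records)
    return {k: {"count": n, "burst": n >= burst_threshold} for k, n in counts.items()}
```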

Validation & Testing

  • Validated the IDS using nmap port scans and traffic replay tools.
  • Confirmed end-to-end alerting from network packet triggers to the SIEM dashboard.
  • Verified detection of unencrypted cleartext credentials and suspicious outbound connections.

Lessons Learned

  • Managing noise is the hardest part of running an IDS; it requires constant rule tuning.
  • Understanding Linux networking (interfaces, routing, promiscuous mode) is a prerequisite for effective monitoring.