{"id":22431952,"url":"https://github.com/dncrypter/suricata-ids-lab","last_synced_at":"2026-01-30T04:39:39.107Z","repository":{"id":259900269,"uuid":"879766325","full_name":"DNcrypter/Suricata-IDS-Lab","owner":"DNcrypter","description":"The goal of setting up a Suricata home-lab is to gain practical experience in deploying and configuring an Intrusion Detection System (IDS) for network security monitoring. Suricata is an open-source IDS capable of detecting and preventing various network-based threats. ","archived":false,"fork":false,"pushed_at":"2024-10-29T06:54:53.000Z","size":188,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-02-01T12:45:12.452Z","etag":null,"topics":["home-lab","ids"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DNcrypter.png","metadata":{"files":{"readme":"Readme.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-10-28T14:09:53.000Z","updated_at":"2024-10-29T14:11:09.000Z","dependencies_parsed_at":null,"dependency_job_id":"9b19bc3c-76a9-430b-8d57-52b8eb092a96","html_url":"https://github.com/DNcrypter/Suricata-IDS-Lab","commit_stats":null,"previous_names":["dncrypter/suricata-ids-lab"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DNcrypter%2FSuricata-IDS-Lab","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DNcrypter%2FSuricata-IDS-Lab/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposito
ries/DNcrypter%2FSuricata-IDS-Lab/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DNcrypter%2FSuricata-IDS-Lab/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DNcrypter","download_url":"https://codeload.github.com/DNcrypter/Suricata-IDS-Lab/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245805966,"owners_count":20675291,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["home-lab","ids"],"created_at":"2024-12-05T22:09:56.196Z","updated_at":"2026-01-30T04:39:39.070Z","avatar_url":"https://github.com/DNcrypter.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# 🦝 Suricata IDS Home-Lab \n[![MIT License](https://img.shields.io/badge/License-MIT-green.svg)](https://choosealicense.com/licenses/mit/)\n        [![LinkedIn](https://img.shields.io/badge/LinkedIn-Profile-blue)](https://www.linkedin.com/in/nikhil--chaudhari/)\n        [![Medium](https://img.shields.io/badge/Medium-Writeups-black)](https://medium.com/@nikhil-c)\n\n## 🍁Introduction\n\nThe goal of setting up a Suricata home-lab is to gain practical experience in deploying and configuring an Intrusion Detection System (IDS) for network security monitoring. Suricata is an open-source IDS capable of detecting and preventing various network-based threats. This home-lab provides individuals with hands-on experience in setting up, configuring, and utilizing Suricata to enhance network security.  
\n![Blue Sand White Beach Simple Watercolor Etsy Shop Banner (2)](https://github.com/DNcrypter/Suricata-IDS-Lab/blob/main/Suricata_1.jpg)\n\nIn this home-lab, we will cover:\n- [Requirements](https://github.com/0xrajneesh/Suricata-IDS-Home-Lab?tab=readme-ov-file#requirements)\n- [Lab Diagram](https://github.com/0xrajneesh/Suricata-IDS-Home-Lab?tab=readme-ov-file#%EF%B8%8Flab-diagram)\n- [Setting up the Suricata Home-Lab](https://github.com/0xrajneesh/Suricata-IDS-Home-Lab?tab=readme-ov-file#-setting-up-the-suricata-home-lab)\n- [Exercises: Network-based attacks](https://github.com/0xrajneesh/Suricata-IDS-Home-Lab?tab=readme-ov-file#excercises--network-based-attacks)\n- [Exercises: Web-based attacks](https://github.com/0xrajneesh/Suricata-IDS-Home-Lab?tab=readme-ov-file#excercises--web-based-attacks)\n\n\n## 📝 Requirements\n\n- **Hardware**:\n  - Computer with internet connectivity\n  - RAM: 16GB at least\n  - CPU: dual-core processor\n- **VM/ISO Image**:\n  - Windows Machine (Victim Machine)\n  - Kali Linux (Attacker Machine)\n\n## 👩🏻‍🔬🧪Lab Diagram\n\n![Home-Lab (3)](https://github.com/DNcrypter/Suricata-IDS-Lab/blob/main/Suricata_2.png)\n\n\n\n## 🛠 Setting up the Suricata Home-Lab\nNow that we have a clear picture of what Suricata is and a structural overview of the lab, let's start setting up the home-lab on the local machine. As discussed, VirtualBox is required so that the lab VMs can run there. 
All commands required for the installation are in suricata-installaton-guide.md.\n\n- **Setting up Suricata IDS Server**\n  - Import Ubuntu Server 22.04 OVA file in VirtualBox\n  - Install Suricata IDS package\n\n- **Setting up Victim Server-1**\n  - Import Ubuntu Server 22.04 OVA file in VirtualBox\n  - Install DVWA (Damn Vulnerable Web Application)\n\n- **Setting up Victim Server-2**\n  - Import Metasploitable 2 OVA image\n\n- **Setting up Victim Server-3**\n  - Import Typhoon OVA image\n\n\n\n## 🧑‍💻Exercises: Network-based attacks\n- **Nmap Stealth Scan Detection**: Create a Suricata rule to detect TCP SYN packets sent to multiple ports within a short time frame, indicative of Nmap stealth scans.\n  ```yaml\n  alert tcp any any -\u003e any any (msg:\"Nmap Stealth Scan Detected\"; flags:S; threshold: type threshold, track by_src, count 5, seconds 10; sid:100001;)\n  ```\n- **Nmap OS Fingerprinting Detection**: Develop a Suricata rule to detect ICMP echo requests and responses with specific TTL values, characteristic of Nmap OS fingerprinting activities.\n  ```yaml\n  # itype:8 is an ICMP echo request and itype:0 an echo reply; the ICMP payload never carries that text literally\n  alert icmp any any -\u003e any any (msg:\"Nmap OS Fingerprinting Detected\"; ttl:64; itype:8; sid:100002;)\n  alert icmp any any -\u003e any any (msg:\"Nmap OS Fingerprinting Detected\"; ttl:128; itype:0; sid:100003;)\n  ```\n- **Nmap Service Version Detection**: Formulate a Suricata rule to detect Nmap service version detection probes based on unique HTTP GET requests or TCP SYN/ACK packets.\n  ```yaml\n  alert tcp any any -\u003e any any (msg:\"Nmap Service Version Detection Probe Detected\"; content:\"GET\"; http_method; sid:100004;)\n  alert tcp any any -\u003e any any (msg:\"Nmap Service Version Detection Probe Detected\"; flags:SA; sid:100005;)\n  ```\n- **Metasploit Exploit Payload Detection**: Craft a Suricata rule to detect Metasploit exploit payload traffic based on unique signatures or payloads commonly used in exploits.\n  ```yaml\n  alert tcp 
any any -\u003e any any (msg:\"Metasploit Exploit Payload Detected\"; content:\"\u003cmetasploit_payload\u003e\"; sid:100006;)\n  ```\n- **Metasploit Reverse Shell Detection**: Develop a Suricata rule to detect Metasploit reverse shell connections by monitoring for outbound TCP connections to known attacker IP addresses.\n  ```yaml\n  alert tcp any any -\u003e \u003cattacker_ip\u003e any (msg:\"Metasploit Reverse Shell Connection Detected\"; sid:100007;)\n  ```\n- **Metasploit Meterpreter Communication Detection**: Create a Suricata rule to detect Meterpreter communication activities by analyzing HTTP or TCP traffic with characteristic Meterpreter payloads.\n  ```yaml\n  alert tcp any any -\u003e any any (msg:\"Meterpreter Communication Detected\"; content:\"\u003cmeterpreter_payload\u003e\"; sid:100008;)\n  ```\n- **Metasploit Credential Harvesting Detection**: Formulate a Suricata rule to detect Metasploit credential harvesting activities by monitoring for specific LDAP or SMB traffic patterns indicative of credential theft.\n  ```yaml\n  alert tcp any any -\u003e any any (msg:\"Metasploit Credential Harvesting Activity Detected\"; content:\"LDAP\"; content:\"SMB\"; sid:100009;)\n  ```\n\n## 🧑‍💻Exercises: Web-based attacks\n\n- **Web Server Enumeration Detection**: Develop a Suricata rule to detect Nmap web server enumeration attempts by monitoring for excessive HTTP GET requests to various URIs.\n  ```yaml\n  alert http any any -\u003e any any (msg:\"Web Server Enumeration Attempt Detected\"; urilen:\u003e100; threshold: type threshold, track by_src, count 10, seconds 60; sid:100010;)\n  ```\n- **Web Application Vulnerability Scan Detection**: Create a Suricata rule to detect Nmap vulnerability scanning activities against web applications by monitoring for specific HTTP requests targeting common vulnerabilities (e.g., SQL injection, XSS).\n  ```yaml\n  alert http any any -\u003e any any (msg:\"Web Application Vulnerability Scan Detected\"; content:\"SQL Injection\"; 
content:\"XSS\"; sid:100011;)\n  ```\n- **Metasploit Web Application Exploitation Detection**: Formulate a Suricata rule to detect Metasploit web application exploitation attempts by monitoring for HTTP requests containing known exploit payloads (e.g., SQL injection, remote code execution).\n  ```yaml\n  alert http any any -\u003e any any (msg:\"Metasploit Web Application Exploitation Attempt Detected\"; content:\"\u003cexploit_payload\u003e\"; sid:100012;)\n  ```\n- **Metasploit Command Injection Detection**: Develop a Suricata rule to detect Metasploit command injection attacks by monitoring for HTTP requests with suspicious command injection payloads in URI parameters or POST data.\n  ```yaml\n  alert http any any -\u003e any any (msg:\"Metasploit Command Injection Attempt Detected\"; content:\";\"; sid:100013;)\n  ```\n- **Metasploit Directory Traversal Detection**: Create a Suricata rule to detect Metasploit directory traversal attempts by monitoring for HTTP requests with traversal patterns in URI paths.\n  ```yaml\n  alert http any any -\u003e any any (msg:\"Metasploit Directory Traversal Attempt Detected\"; content:\"../\"; sid:100014;)\n  ```\n- **Metasploit Cross-Site Scripting (XSS) Detection**: Formulate a Suricata rule to detect Metasploit XSS attacks by monitoring for HTTP responses containing characteristic XSS payloads or script injection patterns.\n  ```yaml\n  alert http any any -\u003e any any (msg:\"Metasploit XSS Attack Detected\"; content:\"\u003cscript\u003e\"; sid:100015;)\n  ```\n- **Metasploit SQL Injection Detection**: Develop a Suricata rule to detect Metasploit SQL injection attacks by monitoring for SQL injection payloads in HTTP requests or SQL error messages in HTTP responses.\n  ```yaml\n  alert http any any -\u003e any any (msg:\"Metasploit SQL Injection Attempt Detected\"; content:\"SQL Error\"; sid:100016;)\n  ```\n- **Metasploit File Inclusion Detection**: Create a Suricata rule to detect Metasploit file inclusion attacks by monitoring for HTTP requests 
with suspicious file inclusion payloads in URI parameters or POST data.\n  ```yaml\n  alert http any any -\u003e any any (msg:\"Metasploit File Inclusion Attempt Detected\"; content:\"../../\"; sid:100017;)\n  ```\n- **Metasploit Cross-Site Request Forgery (CSRF) Detection**: Formulate a Suricata rule to detect Metasploit CSRF attacks by monitoring for unexpected or unauthorized HTTP requests originating from victim hosts.\n  ```yaml\n  # a content keyword accepts only one buffer modifier, so http_cookie and http_header cannot both modify the same content\n  alert http any any -\u003e any any (msg:\"CSRF Attack Detected\"; flow:established,to_server; content:\"CSRF Token\"; http_header; pcre:\"/token=[A-Za-z0-9]{32,}/\"; sid:100018;)\n  ```\n- **Metasploit Authentication Bypass Detection**: Develop a Suricata rule to detect Metasploit authentication bypass attempts by monitoring for HTTP requests with bypass techniques (e.g., parameter manipulation, session fixation).\n  ```yaml\n  alert http any any -\u003e any any (msg:\"Metasploit Authentication Bypass Attempt Detected\"; content:\"Admin=true\"; sid:100019;)\n  ```\n\n## 🍁🍁 Contributions\n\nIf you want to add more content to this, pull requests are always welcome. Please check my Medium blogs, where I am always active...\n\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdncrypter%2Fsuricata-ids-lab","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdncrypter%2Fsuricata-ids-lab","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdncrypter%2Fsuricata-ids-lab/lists"}