Network Traffic Investigation with Suricata and ELK (Pro, Beginner)

Investigate network traffic on a target Ubuntu machine using Suricata (IDS) and ELK SIEM with Fleet (Elastic Agent), visualize suspicious network traffic patterns, and create alerts for abnormal or potentially malicious activities such as intrusion attempts, DDoS attacks, or malware communication.

Self-Paced by Rajneesh Gupta

Overview

This project focuses on detecting, analyzing, and responding to suspicious network activity on an Ubuntu machine using Suricata as an Intrusion Detection System (IDS) integrated with the ELK SIEM stack through Fleet-managed Elastic Agents. Students will configure Suricata to monitor network traffic, generate EVE JSON logs for security events, and forward these logs to Elasticsearch for centralized visibility.

By leveraging Kibana dashboards and SIEM analytics, students will investigate intrusion attempts, DDoS patterns, malware communication, scanning activity, and other abnormal traffic behaviors. The hands-on lab provides practical experience in network-based threat detection, event correlation, visualization, and alert creation to identify early indicators of compromise.

Key Outcomes

  • Deploy and configure Suricata IDS on an Ubuntu system to capture live network traffic and generate detailed alerts via EVE JSON logs.

  • Integrate Suricata logs with ELK SIEM using Fleet (Elastic Agent) to ensure secure, real-time ingestion and normalization of IDS events.

  • Identify suspicious or malicious behaviors from Suricata alerts and flow records, such as port scanning, DDoS patterns, and malware command-and-control communication

  • Visualize network traffic patterns in Kibana, including:

    • Source and destination IP trends

    • Common attack vectors

    • Signature-based alerts

    • Protocol usage analysis

What You'll Learn

  • Deploying and Configuring Suricata as an IDS

    Learn how to install Suricata on Ubuntu, configure network interfaces for monitoring, and generate detailed EVE JSON logs for intrusion detection.

  • Integrating Suricata Logs with ELK via Elastic Agent

    Understand how to enroll an Ubuntu machine into Fleet, configure Elastic Agent integrations, and forward Suricata alerts securely to Elasticsearch.

  • Detecting Suspicious and Malicious Network Behaviors

    Gain hands-on experience identifying intrusion attempts, scanning activity, DDoS patterns, malware communication, and other abnormal traffic events.
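The three learning steps above (run Suricata, ship eve.json through Elastic Agent, then hunt in Kibana) all depend on the shape of Suricata's EVE JSON records. The script below is an added example, not part of the course material or of Suricata or Elastic: it parses a constructed eve.json sample and computes, offline, the same views the lab builds in Kibana (alert counts per signature, top alert sources, protocol usage, a port-scan heuristic, and repeated command-and-control hits). Field names follow Suricata's EVE schema; the signature names, signature_ids, addresses, and the five-port scan threshold are invented for the example.

```python
"""Triage Suricata EVE JSON offline: signature counts, top talkers, port-scan
and beaconing heuristics. Added example; sample data is constructed."""
import json
from collections import Counter, defaultdict

# Constructed sample shaped like /var/log/suricata/eve.json (one JSON object per
# line). Signature names and signature_ids are invented, not real ET rules.
# The last line is deliberately broken to show how a half-written line is handled.
SAMPLE_EVE = r'''
{"timestamp":"2024-05-01T10:00:01.000000+0000","flow_id":1,"in_iface":"eth0","event_type":"alert","src_ip":"203.0.113.5","src_port":44321,"dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"EXAMPLE SCAN SSH probe","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-05-01T10:00:02.000000+0000","flow_id":2,"in_iface":"eth0","event_type":"flow","src_ip":"203.0.113.5","src_port":44322,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":1,"state":"closed"}}
{"timestamp":"2024-05-01T10:00:02.100000+0000","flow_id":3,"in_iface":"eth0","event_type":"flow","src_ip":"203.0.113.5","src_port":44323,"dest_ip":"192.0.2.10","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":1,"state":"closed"}}
{"timestamp":"2024-05-01T10:00:02.200000+0000","flow_id":4,"in_iface":"eth0","event_type":"flow","src_ip":"203.0.113.5","src_port":44324,"dest_ip":"192.0.2.10","dest_port":445,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":1,"state":"closed"}}
{"timestamp":"2024-05-01T10:00:02.300000+0000","flow_id":5,"in_iface":"eth0","event_type":"flow","src_ip":"203.0.113.5","src_port":44325,"dest_ip":"192.0.2.10","dest_port":3389,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":1,"state":"closed"}}
{"timestamp":"2024-05-01T10:00:02.400000+0000","flow_id":6,"in_iface":"eth0","event_type":"flow","src_ip":"203.0.113.5","src_port":44326,"dest_ip":"192.0.2.10","dest_port":8080,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":1,"state":"closed"}}
{"timestamp":"2024-05-01T10:05:00.000000+0000","flow_id":7,"in_iface":"eth0","event_type":"dns","src_ip":"192.0.2.20","src_port":50123,"dest_ip":"192.0.2.53","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"update.example.net","rrtype":"A"}}
{"timestamp":"2024-05-01T10:05:01.000000+0000","flow_id":8,"in_iface":"eth0","event_type":"alert","src_ip":"192.0.2.20","src_port":51000,"dest_ip":"198.51.100.99","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":1,"signature":"EXAMPLE MALWARE beacon to known C2","category":"Malware Command and Control Activity Detected","severity":1}}
{"timestamp":"2024-05-01T10:06:01.000000+0000","flow_id":9,"in_iface":"eth0","event_type":"alert","src_ip":"192.0.2.20","src_port":51001,"dest_ip":"198.51.100.99","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":1,"signature":"EXAMPLE MALWARE beacon to known C2","category":"Malware Command and Control Activity Detected","severity":1}}
{"timestamp":"2024-05-01T10:07:00.000000+0000","flow_id":10,"in_iface":"eth0","event_type":"flow","src_ip":"198.51.100.7","src_port":40000,"dest_ip":"192.0.2.10","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":10,"pkts_toclient":12,"state":"closed"}}
{"timestamp":"2024-05-01T10:07:30.000000+0000","flow_id":11,"event_type":"flow","src_ip":"198.51.100.7"
'''


def parse_eve(text):
    """Parse newline-delimited EVE JSON. Returns (events, malformed_count).
    Malformed lines are counted, not raised: a live eve.json usually ends
    with a line Suricata has not finished writing yet."""
    events, malformed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            malformed += 1
    return events, malformed


def alerts_by_signature(events):
    """Signature-based alert view: how often each rule fired."""
    return Counter(e["alert"]["signature"] for e in events
                   if e.get("event_type") == "alert")


def top_alert_sources(events, n=5):
    """Source IP trend: which hosts triggered the most alerts."""
    return Counter(e["src_ip"] for e in events
                   if e.get("event_type") == "alert").most_common(n)


def protocol_usage(events):
    """Protocol breakdown across every event type (alert, flow, dns, ...)."""
    return Counter(e.get("proto", "UNKNOWN") for e in events)


def high_severity_alerts(events, max_severity=1):
    """Suricata severity is 1 for the most severe; keep alerts at or above it."""
    return [e for e in events if e.get("event_type") == "alert"
            and e["alert"].get("severity", 3) <= max_severity]


def detect_port_scans(events, min_ports=5):
    """Flag sources that touched at least min_ports distinct destination ports.
    Flow events are counted as well as alerts, so a scan that trips only one
    signature (or none) still stands out. The threshold is a tuning assumption."""
    ports = defaultdict(set)
    for e in events:
        if e.get("event_type") in ("alert", "flow") and "dest_port" in e:
            ports[e["src_ip"]].add(e["dest_port"])
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}


def repeated_c2_alerts(events, min_hits=2):
    """Group command-and-control alerts by (src_ip, dest_ip); a pair that recurs
    is the beaconing pattern to escalate, unlike a one-off signature match."""
    hits = Counter()
    for e in events:
        if e.get("event_type") != "alert":
            continue
        if "Command and Control" in e["alert"].get("category", ""):
            hits[(e["src_ip"], e["dest_ip"])] += 1
    return {pair: n for pair, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    evs, bad = parse_eve(SAMPLE_EVE)
    print(f"parsed {len(evs)} events, skipped {bad} malformed line(s)")
    print("alerts by signature:", dict(alerts_by_signature(evs)))
    print("top alert sources:", top_alert_sources(evs))
    print("protocol usage:", dict(protocol_usage(evs)))
    print("high-severity alerts:", len(high_severity_alerts(evs)))
    print("port scans:", detect_port_scans(evs))
    print("repeated C2 pairs:", repeated_c2_alerts(evs))
```

To run it against a real sensor, replace SAMPLE_EVE with the contents of /var/log/suricata/eve.json (the default EVE output path, which is also the file the Elastic Agent Suricata integration reads). The port-scan heuristic counts distinct destination ports per source over the whole file; on a busy network, bucket it by time window and exclude your own vulnerability scanners before turning it into a Kibana alert rule.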

Prerequisites

  • Ubuntu machine with Suricata installed or ready to install
  • Elastic Stack (Elasticsearch, Kibana, Fleet) already deployed or accessible
  • Elastic Agent installed and capable of forwarding Suricata logs
  • Basic understanding of network protocols and IDS concepts

About Trainer

Rajneesh Gupta

Rajneesh Gupta is a seasoned cybersecurity professional with over 11 years of industry experience. With a remarkable career focused on incident response, penetration testing, security compliance, and risk management, Rajneesh has established himself as a leading expert in the field. He is also an accomplished author, having penned the book "Hands-on with Blockchain and Cybersecurity". As a dedicated educator, Rajneesh has made a significant impact on the cybersecurity community by training over 60,000 students globally.

Related Projects

Apache Server Log Analysis using Splunk (Pro, Intermediate)
Detecting Brute Force, SQL Injection, XSS, and Suspicious Web Activity from Apache Access Logs with Splunk SIEM

Practical AWS Cloud Security Posture Assessment Using Scout Suite (Free, Beginner)
Identify real-world AWS attack surfaces through visual security posture analysis.

Wazuh + n8n + Anyrun: Automated Malware Analysis (Pro, Intermediate)
Automate malware analysis by sending Wazuh-detected suspicious files into ANY.RUN, retrieving detailed reports and IOCs, and integrating results back into your SOC workflow.