This project demonstrates a full defensive security workflow:
- Attacker simulation
- IDS monitoring (Suricata)
- Host log analysis
- Event correlation
- Detection effectiveness reporting
The goal was to simulate real-world attack activity and perform structured SOC-style analysis using network and host telemetry.
- Deploy and configure Suricata IDS
- Simulate realistic attacker activity
- Capture alerts in fast.log
- Correlate IDS alerts with host logs
- Produce professional SOC-style reports
- Evaluate detection coverage and effectiveness
| Role | Technology |
|---|---|
| Attacker | Kali Linux |
| Victim | Ubuntu Server |
| IDS | Suricata |
| Web Server | Apache2 |
| Log Sources | fast.log, /var/log/auth.log, /var/log/apache2/access.log |
- VirtualBox
- Nmap
- Hydra
- Suricata
- Installed and configured Suricata on a dedicated Ubuntu server
- Enabled rule sets (Emerging Threats)
- Enabled promiscuous mode on the network adapter to provide traffic visibility (in VirtualBox the adapter's Promiscuous Mode setting must also be set to Allow All, otherwise the guest only sees its own traffic)
- Verified logging to fast.log
- Deployed SSH and Apache services
- Validated network connectivity between attacker and victim
Artifacts:
- defender/ (defender artifacts)
- defender/ids/ (Suricata setup)
Simulated real-world attacker behavior from Kali:
- ICMP reconnaissance
- Nmap SYN scan and service detection
- SSH brute-force using Hydra
- Web directory enumeration
Generated:
- Suricata alerts in fast.log
- SSH authentication failures in /var/log/auth.log
- Apache 404 logs in /var/log/apache2/access.log
Artifacts:
attacker/
Performed structured SOC analysis using:
- Suricata fast.log
- SSH authentication logs (auth.log)
- Apache access logs (access.log)
- Extracted IDS alerts
- Identified priority levels
- Correlated attacker IP across data sources
- Built unified attack timeline
- Evaluated detection coverage
- Produced incident summary report
Generated reports:
defender/analysis/
├── alerts/
│ ├── attacker-alerts.log
│ ├── fast-original.log
│ ├── recon-alerts.log
│ └── ssh-alerts.log
├── correlation/
│ └── shared-timeline.md
├── Logs/
│ ├── auth-failures.log
│ └── web-404.log
└── findings/
├── detection-effectiveness.md
└── incident-summary.md
- SSH brute-force attempts successfully detected by both IDS and host logs
- Nmap reconnaissance detected by Suricata signatures
- Web enumeration confirmed via Apache logs
- No successful compromise occurred
- Layered detection provided high-confidence visibility
- Network Security Monitoring (NSM)
- IDS configuration and analysis (Suricata)
- Log correlation methodology
- Timeline reconstruction
- SOC reporting & documentation
- Threat detection validation
| Attack Type | IDS | Host Logs | Confidence |
|---|---|---|---|
| Reconnaissance | ✅ | N/A | High |
| SSH Brute Force | ✅ | ✅ | Very High |
| Web Enumeration | ✅ | ✅ | High |
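The analysis steps above (extract IDS alerts and their priorities, correlate the attacker IP across fast.log, auth.log and access.log, build a unified timeline, score detection coverage per layer) worked as a script. This is an added example and not one of the lab's own artifacts: the log lines are constructed for illustration (the SIDs, rule messages, addresses and scanner user-agent are made up), the lab year is passed in because syslog lines carry no year, all three timestamps are treated as one shared local clock (so the IDS and victim must be NTP-synced for the merge to be meaningful), and the confidence rubric is a simplified one of this example's own (one layer saw it = High, both = Very High).

```python
"""Correlate Suricata fast.log, sshd auth.log and Apache access.log for one attacker IP."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Optional, Set

# Constructed sample telemetry (not taken from the lab). Attacker 192.168.56.10,
# victim 192.168.56.20. SIDs, rule names and the scanner user-agent are illustrative.
FAST_LOG = """\
01/15/2025-10:02:11.301002  [**] [1:2100001:1] SCAN ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.56.10:8 -> 192.168.56.20:0
01/15/2025-10:02:15.118877  [**] [1:2100002:1] SCAN Nmap TCP SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.56.10:54211 -> 192.168.56.20:22
01/15/2025-10:05:31.552190  [**] [1:2100003:3] SSH Potential brute-force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.56.10:45210 -> 192.168.56.20:22
01/15/2025-10:07:44.002311  [**] [1:2100004:1] WEB directory enumeration tool user-agent [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.56.10:50122 -> 192.168.56.20:80
"""
AUTH_LOG = """\
Jan 15 10:05:31 victim sshd[1401]: Failed password for invalid user admin from 192.168.56.10 port 45210 ssh2
Jan 15 10:05:32 victim sshd[1403]: Failed password for root from 192.168.56.10 port 45212 ssh2
Jan 15 10:05:33 victim sshd[1405]: Failed password for root from 192.168.56.10 port 45214 ssh2
Jan 15 10:09:00 victim sshd[1450]: Accepted publickey for ubuntu from 192.168.56.1 port 40000 ssh2
"""
ACCESS_LOG = """\
192.168.56.10 - - [15/Jan/2025:10:07:44 +0000] "GET /admin HTTP/1.1" 404 436 "-" "enum-scanner/1.0"
192.168.56.10 - - [15/Jan/2025:10:07:45 +0000] "GET /backup HTTP/1.1" 404 436 "-" "enum-scanner/1.0"
192.168.56.10 - - [15/Jan/2025:10:07:45 +0000] "GET /index.html HTTP/1.1" 200 10918 "-" "enum-scanner/1.0"
192.168.56.1 - - [15/Jan/2025:10:08:10 +0000] "GET / HTTP/1.1" 200 10918 "-" "Mozilla/5.0"
"""

# fast.log: "<ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: N] {PROTO} src:sp -> dst:dp"
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4}-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?")
# sshd failures in traditional syslog format (no year on the line)
AUTH_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
# Apache combined log format
ACCESS_RE = re.compile(r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')


@dataclass
class Event:
    ts: datetime                    # naive local time; assumes IDS and victim share one (NTP) clock
    source: str                     # "ids" (fast.log), "auth" (auth.log) or "web" (access.log)
    ip: str                         # remote address the event is attributed to
    summary: str
    priority: Optional[int] = None  # Suricata priority, IDS events only


def _parse(text: str, regex, make: Callable[..., Optional[Event]]) -> List[Event]:
    """Apply regex to every line, keep matches, drop lines the builder rejects (returns None)."""
    events = [make(m) for m in map(regex.match, text.splitlines()) if m]
    return [e for e in events if e is not None]


def parse_fast(text: str) -> List[Event]:
    return _parse(text, FAST_RE, lambda m: Event(
        datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S"), "ids", m["src"],
        f"{m['msg']} (sid {m['sid']}, {m['proto']} -> port {m['dport'] or '-'})", int(m["prio"])))


def parse_auth(text: str, year: int) -> List[Event]:
    # syslog omits the year; the caller supplies it (assumes the lab ran within one calendar year)
    return _parse(text, AUTH_RE, lambda m: Event(
        datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), "auth", m["ip"],
        f"sshd: failed password for user '{m['user']}'"))


def parse_access(text: str, status: str = "404") -> List[Event]:
    # keep only the status of interest; Apache's explicit offset is parsed and then dropped so the
    # value compares with the naive fast.log/auth.log times (only valid if all clocks agree)
    return _parse(text, ACCESS_RE, lambda m: None if m["status"] != status else Event(
        datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None), "web", m["ip"],
        f"HTTP {m['status']} {m['method']} {m['path']}"))


def attack_type(e: Event) -> str:
    """Map an event to the lab's three attack categories from its source and rule text."""
    text = e.summary.upper()
    if e.source == "auth" or (e.source == "ids" and "SSH" in text):
        return "SSH Brute Force"
    if e.source == "web" or (e.source == "ids" and "WEB" in text):
        return "Web Enumeration"
    return "Reconnaissance"


def build_timeline(attacker_ip: str, *sources: List[Event]) -> List[Event]:
    """Merge all sources, keep only the attacker's events, order them by time."""
    merged = [e for src in sources for e in src if e.ip == attacker_ip]
    return sorted(merged, key=lambda e: (e.ts, e.source))


def detection_coverage(timeline: List[Event]) -> Dict[str, Dict[str, object]]:
    """Which layer (IDS / host) saw each attack type, and a simple confidence label from that."""
    seen: Dict[str, Set[str]] = {"Reconnaissance": set(), "SSH Brute Force": set(), "Web Enumeration": set()}
    for e in timeline:
        seen[attack_type(e)].add("ids" if e.source == "ids" else "host")
    label = {2: "Very High", 1: "High", 0: "None"}
    return {atk: {"ids": "ids" in s, "host": "host" in s, "confidence": label[len(s)]} for atk, s in seen.items()}


def run(attacker_ip: str = "192.168.56.10", year: int = 2025):
    timeline = build_timeline(attacker_ip, parse_fast(FAST_LOG), parse_auth(AUTH_LOG, year), parse_access(ACCESS_LOG))
    return timeline, detection_coverage(timeline)


if __name__ == "__main__":
    timeline, coverage = run()
    for e in timeline:
        print(f"{e.ts:%Y-%m-%d %H:%M:%S}  {e.source:<4}  {e.ip}  {e.summary}" + (f"  [Priority: {e.priority}]" if e.priority else ""))
    for atk, row in coverage.items():
        print(f"{atk:<16} IDS={row['ids']!s:<5} Host={row['host']!s:<5} Confidence={row['confidence']}")
```

Run it directly to print the merged timeline followed by the coverage matrix; to use it on the real artifacts, read fast.log, auth.log and access.log into the three strings and pass the attacker address recorded in architecture/ip-addressing.md. Lines that do not match a pattern (accepted logins, non-404 responses, other hosts) are dropped rather than guessed at, so a change in log format shows up as a missing event, which is worth checking before trusting the coverage table.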
├── architecture/
│ └── ip-addressing.md
├── attacker/
│ ├── attacks/
│ ├── findings/
│ ├── pcaps/
│ ├── reconnaissance/
│ ├── scope/
│ └── README.md
├── defender/
│ ├── analysis/
│ ├── ids/
│ └── victim-server/
├── correlation/
│ └── shared-timeline.md
└── README.md
This lab simulates the full lifecycle of a detection-focused investigation:
- Attack simulation
- Alert generation
- Log analysis
- Correlation
- Reporting
- Detection validation
It showcases practical SOC workflow execution using open-source tooling.
👩💻 Chukwu PraiseGod
Follow my journey: X | LinkedIn