Overview
The assignment was deceptively simple: stand up a real intrusion-detection
system and prove it works. We started from bare Linux hosts and built the
whole chain — a hardened network with a UFW firewall and a WireGuard VPN,
Suricata inspecting traffic as an IDS, and the
ELK stack (Elasticsearch, Kibana) turning raw events into
something a human analyst can actually read. Filebeat, running
the Suricata module, carried the alerts from the sensor into the dashboard.
This was a two-person team project. My work centered on the detection layer —
writing and tuning the Suricata rules, wiring the Filebeat-to-Elasticsearch
pipeline, and running the attack simulation that proved the alerts fired the
way they were supposed to.
Detection Engineering
A SIEM is only as good as the rules feeding it. Rather than ship stock
signatures, we wrote custom Suricata rules tuned to specific attacker
behavior — and, importantly, tuned the thresholds so the alerts
mean something instead of drowning an analyst in noise:
The thresholds are the point. Five SSH failures in a minute is an attack;
two is a tired user. Picking those numbers — and being able to defend why —
is the difference between writing a rule and understanding detection.
Troubleshooting (the real work)
The pipeline didn't work the first time — they never do. Two fixes mattered:
correcting the eve.json path so Filebeat's Suricata module could
actually find and ship the events, and tuning the loopback interface so
Suricata inspected the right traffic. Most of the learning lived in the gap
between "configured" and "actually flowing."
Proving It — Red-Team Validation
A detection system you haven't attacked is a guess. So we played the adversary:
ran nmap SYN scans and an SSH brute-force loop against the lab,
then watched the alerts land in Kibana in real time. Each rule was verified by
triggering exactly the behavior it was written to catch — closing the loop
from sensor to dashboard to confirmed detection.
We also mapped each rule to MITRE ATT&CK tactics — recon,
credential access, command-and-control — and to the real-world tradecraft they
mirror (Conti ransomware, credential stuffing, Cobalt Strike beacons). Detection
isn't just "did an alert fire"; it's knowing what the alert means.
Outcome
A complete, working lab-to-SOC pipeline: traffic inspected, events centralized,
custom rules firing on demand, and dashboard evidence to back every claim. The
build earned full marks, and the accompanying presentation was cited by the
instructor as the strongest of the semester — credit I share with my project
partner.
Project Materials
The full technical writeup, the presentation deck, and a screenshot-annotated walkthrough: