Please enable JavaScript.
Coggle requires JavaScript to display documents.
IDS-IPS - Coggle Diagram
IDS-IPS
IDS
IDS (Intrusion Detection System)
Purpose
Detect malicious activity and policy violations
Monitor network and host events
Generate alerts for security teams
Provide visibility into attacks and suspicious behavior
Support compliance and incident response
Types of IDS
Network IDS (NIDS)
Monitors network traffic
Detects attacks across multiple systems
Passive monitoring
Examples
Suricata
Snort
Zeek
Host IDS (HIDS)
Monitors individual hosts
Detects file changes
Monitors processes and logs
Examples
Wazuh
OSSEC
AIDE
Detection Methods
Signature-Based Detection
Matches known attack patterns
Fast detection
Low false positives
Cannot detect unknown attacks
Anomaly-Based Detection
Learns normal behavior
Detects unusual activities
Can identify zero-day attacks
Higher false positives
Hybrid Detection
Combines signature and anomaly detection
Common in enterprise deployments
Enterprise IDS Architecture
Internet
Firewall
DMZ
Web Servers
Application Servers
Mail Servers
IDS Sensors
Monitor inbound traffic
Monitor outbound traffic
Detect attacks before reaching servers
Internal Network
Core Switch
IDS Sensor
East-West Traffic Monitoring
Lateral Movement Detection
Endpoints
HIDS Agents
Linux Servers
Windows Servers
Workstations
Security Operations Center (SOC)
SIEM Platform
Wazuh
ELK Stack
Splunk
QRadar
Alert Correlation
Incident Investigation
Threat Hunting
Enterprise IDS Placement
Internet Edge
Detect external attacks
Detect scanning attempts
Detect DDoS indicators
DMZ Network
Monitor public-facing services
Detect web attacks
Detect exploitation attempts
Internal Network
Detect insider threats
Detect lateral movement
Detect unauthorized access
Critical Servers
Monitor file integrity
Monitor privileged activity
Monitor service changes
Common Enterprise Use Cases
Port Scanning Detection
Nmap Detection
Reconnaissance Detection
Brute Force Detection
SSH Attacks
RDP Attacks
FTP Attacks
Malware Detection
Command and Control Traffic
Malicious Downloads
Suspicious Processes
Web Attack Detection
SQL Injection
Cross-Site Scripting (XSS)
Directory Traversal
Privilege Escalation Detection
Unauthorized Sudo Usage
Root Access Attempts
User Account Abuse
IDS Workflow
Traffic Generated
Packet Capture
Traffic Analysis
Rule Matching
Alert Generation
SIEM Correlation
1 more item...
IDS vs IPS
IDS
Detects
Generates Alerts
Passive Monitoring
No Traffic Blocking
IPS
Detects
Blocks Attacks
Active Prevention
Inline Deployment
Suricata IDS (Enterprise Standard)
Installation EL10
Enable EPEL Repository
sudo dnf install epel-release -y
Install Suricata
sudo dnf install suricata -y
Service Management
Start Service
sudo systemctl start suricata
Enable at Boot
sudo systemctl enable suricata
Check Status
sudo systemctl status suricata
Configuration
Main Configuration File
/etc/suricata/suricata.yaml
Rules Directory
/var/lib/suricata/rules
Logs Directory
/var/log/suricata
Rule Update
sudo suricata-update
Test Configuration
sudo suricata -T -c /etc/suricata/suricata.yaml
Restart Service
sudo systemctl restart suricata
Suricata Installation
Suricada IDS
Suricata IDS (Enterprise Level)
What is Suricata?
Open-source Network IDS
Network IPS
Network Security Monitoring (NSM)
Protocol Analyzer
Signature-based Detection
Anomaly Detection Support
Multi-threaded IDS Engine
High Performance
Deep Packet Inspection (DPI)
Supports IPv4 IPv6 TCP UDP ICMP HTTP HTTPS DNS SMTP FTP SSH SMB TLS DHCP NFS MQTT Modbus DNP3
Why Organizations Use Suricata
Detect Cyber Attacks
Detect Malware Traffic
Detect Exploits
Detect Command and Control (C2)
Detect Lateral Movement
Detect Port Scans
Detect Brute Force
Detect Data Exfiltration
Detect Web Attacks
Generate Security Logs
Feed SIEM Platforms
Enterprise Architecture
Internet
Firewall
Router
2 more items...
Deployment Modes
IDS Mode
Passive Monitoring
No Traffic Blocking
Safe Deployment
IPS Mode
Inline Detection
Drop Malicious Packets
Requires NFQUEUE AF_PACKET DPDK
Offline Analysis
Analyze PCAP Files
Malware Investigation
Incident Response
Live Interface Monitoring
Monitor eth0
Monitor ens33
Multiple Interfaces
Enterprise Deployment Models
Single Sensor
Multiple Sensors
Branch Office
Data Center
DMZ
Headquarters
Centralized Logging
Elasticsearch
Wazuh
Splunk
Cloud Deployment
AWS
Azure
Google Cloud
Hybrid Deployment
Installation Ubuntu
Update System
sudo apt update
sudo apt upgrade -y
Install
sudo apt install suricata -y
Verify
suricata --build-info
suricata --version
Service
sudo systemctl enable suricata
sudo systemctl start suricata
sudo systemctl status suricata
Important Files
Binary
/usr/bin/suricata
Main Configuration
/etc/suricata/suricata.yaml
Rules
/var/lib/suricata/rules/
Custom Rules
/etc/suricata/rules/local.rules
Logs
/var/log/suricata/
EVE JSON
/var/log/suricata/eve.json
Fast Log
/var/log/suricata/fast.log
Stats
/var/log/suricata/stats.log
Configuration
Edit Configuration
sudo nano /etc/suricata/suricata.yaml
Configure HOME_NET
Your Internal Network
Configure EXTERNAL_NET
Internet
Enable eve.json
Enable DNS Logs
Enable HTTP Logs
Enable TLS Logs
Enable SSH Logs
Enable File Extraction
Configure Rule Path
Rule Management
Official ET Open Rules
Local Rules
Custom Rules
Rule Categories
Malware
Exploit
Web Server
SQL Injection
XSS
DNS
SMTP
FTP
SSH
Botnet
Ransomware
Trojans
Update Rules
sudo suricata-update
Test Rules
sudo suricata -T
Packet Capture
Monitor Interface
sudo suricata -i eth0
Read PCAP
sudo suricata -r sample.pcap
Multiple Interfaces
AF_PACKET
NFQUEUE
Alert Types
Alert
DNS
HTTP
TLS
SSH
FTP
SMTP
DHCP
SMB
Flow
Statistics
File Info
Log Analysis
cat fast.log
tail -f eve.json
jq
grep
less
Enterprise Integration
Filebeat
Logstash
Elasticsearch
Kibana
Wazuh
Splunk
Graylog
Performance Tuning
CPU Affinity
Multi-threading
Huge Pages
NIC Offloading
Memory Optimization
Capture Method
Flow Timeout
Security Best Practices
Dedicated Sensor
Read-only Monitoring
Least Privilege
Rule Validation
Daily Rule Updates
Centralized Logging
Log Rotation
Backup Configuration
Continuous Monitoring
Enterprise Detection Labs
Lab 1
Installation
Verify Service
Lab 2
Interface Monitoring
Lab 3
ICMP Detection
Ping Detection
Lab 4
Port Scan Detection
Nmap SYN Scan
Nmap UDP Scan
Nmap Version Scan
Lab 5
SSH Brute Force
Lab 6
FTP Login Detection
Lab 7
HTTP Request Logging
Lab 8
DNS Monitoring
Lab 9
Malware Traffic Detection
Lab 10
SQL Injection Detection
Lab 11
Cross Site Scripting Detection
Lab 12
Command Injection Detection
Lab 13
Reverse Shell Detection
Lab 14
File Download Detection
Lab 15
TLS Certificate Logging
Lab 16
SMB Monitoring
Lab 17
RDP Monitoring
Lab 18
Data Exfiltration Detection
Lab 19
Custom Rule Creation
Lab 20
False Positive Tuning
Lab 21
Rule Suppression
Lab 22
PCAP Analysis
Lab 23
Performance Benchmark
Lab 24
EVE JSON Analysis
Lab 25
SIEM Integration
Custom Rule Example
Rule Syntax
Action
Protocol
Source IP
Source Port
Direction
Destination IP
Destination Port
Options
Example
alert icmp any any -> any any (msg:"ICMP Detected"; sid:100001; rev:1;)
Useful Commands
suricata --version
suricata --build-info
sudo systemctl status suricata
sudo systemctl restart suricata
sudo systemctl stop suricata
sudo suricata -T
sudo suricata -i eth0
sudo suricata -r sample.pcap
sudo suricata-update
sudo tail -f /var/log/suricata/fast.log
sudo tail -f /var/log/suricata/eve.json
sudo journalctl -u suricata
Troubleshooting
Service Not Starting
Rule Syntax Errors
Interface Not Found
No Alerts Generated
High CPU Usage
Packet Drops
Permission Issues
Missing Rules
Invalid YAML
EVE JSON Disabled
Interview Preparation
What is Suricata?
Difference Between Suricata and Snort
IDS vs IPS
Signature Detection
Anomaly Detection
Deep Packet Inspection
EVE JSON
HOME_NET
EXTERNAL_NET
Rule Structure
SID
REV
Flow Keywords
Content Matching
PCRE
Thresholding
Pass Rule
Alert Rule
Drop Rule
Reject Rule
NFQUEUE
AF_PACKET
Multi-threading
ET Open Rules
suricata-update
YAML Configuration
Performance Tuning
False Positives
False Negatives
SIEM Integration
Enterprise Deployment Design
Incident Response Workflow
Detection Engineering
Enterprise Workflow
Internet Traffic
SPAN Port or Network TAP
Suricata Inspection
Rule Matching
Alert Generation
EVE JSON Logging
Log Collection
SIEM Correlation
Security Analyst Investigation
Incident Response
Threat Hunting
Remediation
Continuous Monitoring
Snort IDS (Enterprise Deployment, Labs & Interview Preparation)
Snort IDS
Snort IDS (Enterprise Deployment, Labs & Interview Preparation)
Snort IDS Overview
What is Snort
Open-source Network Intrusion Detection System (NIDS)
Developed to monitor network traffic
Detects attacks using signatures and protocol analysis
Generates alerts and logs
Can also work as an IPS (Intrusion Prevention System)
Why Organizations Use Snort
Detect cyber attacks
Monitor network traffic
Identify policy violations
Detect malware communication
Detect reconnaissance activities
Improve SOC visibility
Compliance monitoring
Enterprise Use Cases
SOC Monitoring
Data Center Security
DMZ Monitoring
Internal Network Monitoring
Cloud Workloads
Branch Office Security
Critical Infrastructure Protection
Snort
Key Components
Rules
Preprocessors
Detection Engine
Alerting Engine
Example Rule
alert icmp any any -> any any (msg:"ICMP Detected"; sid:1000001;)
Purpose
Signature-Based Network IDS
Real-Time Traffic Analysis
Network Security Concepts
IDS
Passive monitoring
Detects attacks
Generates alerts
IPS
Inline deployment
Blocks malicious traffic
NIDS
Monitors network traffic
HIDS
Monitors endpoints
Example Wazuh
SIEM Integration
Snort
Wazuh
Elasticsearch
Kibana
OpenSearch
Splunk
QRadar
Snort Architecture
Packet Capture
Network Interface
libpcap
Packet Decoder
Preprocessors
Stream
Frag3
HTTP Inspect
FTP
SMTP
DNS
SSL
Detection Engine
Signature Matching
Rule Processing
Logging and Alerting
Fast Alerts
Unified2
JSON
Syslog
Output Modules
Enterprise Deployment Models
Single Sensor
Small Office
Lab
Multiple Sensors
One sensor per VLAN
One sensor per branch
One sensor per data center
Centralized SOC
Multiple Snort Sensors
Log Server
SIEM
Dashboard
High Availability
Sensor Redundancy
Load Balancing
Failover
Cloud Deployment
AWS
Azure
Google Cloud
Enterprise Network Placement
Internet
Firewall
DMZ
Web Server
Mail Server
DNS Server
Core Switch
Internal Network
Server Network
Database Network
SOC
SIEM
Snort Sensors
Internet Edge
DMZ
Internal LAN
Server VLAN
Data Center
Traffic Flow
Internet
Firewall
SPAN Port
Network TAP
Snort Sensor
Detection Engine
Alert
SIEM
SOC Analyst
Installation
Ubuntu
sudo apt update
sudo apt install snort
Verify
snort -V
Configuration
sudo nano /etc/snort/snort.conf
Rules
/etc/snort/rules
Logs
/var/log/snort
Configuration Files
snort.conf
local.rules
classification.config
reference.config
threshold.conf
sid-msg.map
Snort Modes
Sniffer Mode
snort -v
Packet Dump Mode
snort -vd
Network Dump Mode
snort -dev
IDS Mode
snort -c /etc/snort/snort.conf -i eth0
IPS Mode
Inline Detection
NFQUEUE
AFPacket
Rule Structure
Action
Protocol
Source IP
Source Port
Direction
Destination IP
Destination Port
Rule Options
Rule Example
alert tcp any any -> any 80 (msg:"HTTP Traffic"; sid:1000001; rev:1;)
Rule Components
alert
Generate alert
log
Log packet
pass
Ignore traffic
drop
Drop packet
reject
Reject packet
sdrop
Silent drop
Protocols
TCP
UDP
ICMP
IP
Variables
HOME_NET
EXTERNAL_NET
DNS_SERVERS
HTTP_SERVERS
SMTP_SERVERS
Rule Options
msg
sid
rev
content
nocase
flow
classtype
priority
reference
metadata
pcre
Enterprise Rule Management
Community Rules
Registered Rules
Custom Rules
Version Control
Rule Testing
Rule Updates
False Positive Tuning
Detection Techniques
Signature Detection
Protocol Analysis
Stateful Inspection
Stream Reassembly
Content Matching
PCRE Matching
Attack Detection
Port Scan
Nmap
Ping Sweep
SYN Scan
UDP Scan
TCP Scan
OS Fingerprinting
Banner Grabbing
Reconnaissance
Brute Force
SSH Attack
FTP Attack
SQL Injection
XSS
Command Injection
Directory Traversal
Malware Traffic
DNS Tunneling
Reverse Shell
Data Exfiltration
Botnet Communication
DoS
DDoS
Enterprise Labs
Lab 1
Install Snort
Verify Installation
Check Version
Lab 2
Configure HOME_NET
Configure Interface
Test Configuration
Lab 3
Run Snort in Sniffer Mode
snort -v
Lab 4
Capture Packets
snort -dev
Lab 5
Create First Rule
Edit local.rules
Restart Snort
Test Rule
Lab 6
Detect ICMP Ping
ping Target
View Alert
Lab 7
Detect Nmap Scan
nmap -sS Target
View Alert
Lab 8
Detect HTTP Traffic
curl
Browser Test
Lab 9
Detect SSH Connection
ssh
user@Target
Lab 10
Detect FTP Login
Lab 11
Detect SQL Injection
Lab 12
Detect XSS
Lab 13
Detect Reverse Shell
Lab 14
Detect Malware Traffic
Lab 15
Detect DNS Requests
Lab 16
Custom Enterprise Rules
Lab 17
Integrate with Wazuh
Lab 18
Forward Logs to Elasticsearch
Lab 19
Kibana Dashboard
Lab 20
Incident Investigation
Testing Commands
ping Target
curl
http://Target
wget
http://Target
ssh
user@Target
ftp Target
nmap -sS Target
nmap -A Target
nc
tcpdump
iperf3
Useful Commands
snort -V
snort -T -c /etc/snort/snort.conf
snort -v
snort -vd
snort -dev
snort -c /etc/snort/snort.conf -i eth0
systemctl status snort
systemctl restart snort
journalctl -u snort
tail -f /var/log/snort/alert
tcpdump -i eth0
ip addr
ip link
ss -tuln
Enterprise Monitoring
Alert Monitoring
Log Rotation
Performance Monitoring
Rule Optimization
CPU Usage
Memory Usage
Packet Drop Monitoring
Sensor Health
Dashboard
Incident Response
Integration
Wazuh
Elasticsearch
Kibana
OpenSearch
Syslog Server
Splunk
SOAR
Threat Intelligence
Best Practices
Use Dedicated Sensor
Use SPAN Port
Use Network TAP
Keep Rules Updated
Minimize False Positives
Tune HOME_NET
Backup Configuration
Monitor Sensor Health
Test Before Production
Document Changes
Use Version Control
Separate Production and Testing
Troubleshooting
Configuration Errors
Rule Syntax Errors
Missing Alerts
Interface Issues
Permission Problems
High CPU Usage
Packet Drops
False Positives
Service Failure
Log File Issues
Enterprise Incident Response
Alert Received
Validate Alert
Collect Evidence
Analyze PCAP
Identify Attack
Contain Threat
Eradicate Threat
Recover Systems
Lessons Learned
Update Detection Rules
Interview Preparation
What is Snort
Difference between IDS and IPS
Difference between Snort and Suricata
Explain Snort Architecture
Explain Detection Engine
Explain Preprocessors
Explain Rule Structure
Explain SID
Explain REV
Explain HOME_NET
Explain EXTERNAL_NET
Explain Content Matching
Explain PCRE
Explain Stream Reassembly
Explain False Positive
Explain False Negative
Explain SPAN Port
Explain Network TAP
Explain DMZ Deployment
Explain Enterprise Deployment
Explain SIEM Integration
Explain Packet Flow
Explain Incident Response
Explain Rule Optimization
Explain Performance Tuning
Enterprise Skills
Linux Administration
Networking
TCP IP
Routing
Switching
VLAN
Firewalls
Wireshark
Tcpdump
Bash
Systemd
SIEM
Wazuh
SOC Operations
Incident Response
Threat Hunting
MITRE ATT&CK
Wazuh HIDS
Purpose
Host-Based Intrusion Detection
Log Monitoring
File Integrity Monitoring
Agent Installation
Linux Agent
Monitors Logs
Monitors Processes
Monitors File Changes
Key Features
Rootkit Detection
Malware Detection
Compliance Monitoring
Vulnerability Detection
WAZUH
Introduction
What is Wazuh
Open-source SIEM
XDR Platform
HIDS (Host Intrusion Detection System)
Log Management
Compliance Monitoring
Vulnerability Detection
Threat Detection
Incident Response
Enterprise Use Cases
SOC Monitoring
Endpoint Security
Server Monitoring
Compliance
PCI DSS
HIPAA
GDPR
CIS Benchmarks
NIST
Threat Hunting
Insider Threat Detection
Malware Detection
Cloud Monitoring
Container Monitoring
File Integrity Monitoring
Rootkit Detection
Architecture
Wazuh Server
Receives Events
Decodes Logs
Rules Engine
Active Response
Vulnerability Detection
Wazuh Indexer
Elasticsearch Fork
Stores Alerts
Search Engine
Index Management
Wazuh Dashboard
Web Interface
Dashboards
Alert Search
Visualization
Threat Hunting
Wazuh Agent
Collects Logs
File Monitoring
Command Output
Syscollector
Vulnerability Detection
Communication
Agent
TCP 1514
Registration
TCP 1515
Dashboard
HTTPS 443
Enterprise Deployment
Hardware Planning
Small
1-100 Agents
Medium
100-1000 Agents
Large
1000+ Agents
High Availability
Multiple Indexers
Multiple Managers
Dashboard Cluster
Load Balancer
Network Design
Management VLAN
DMZ Monitoring
Internal Network
Cloud Environment
Remote Offices
Storage Planning
SSD
RAID
Snapshot
Backup
Security
TLS Certificates
Firewall Rules
RBAC
MFA
LDAP
Active Directory Integration
Installation
Ubuntu
Update System
sudo apt update
sudo apt upgrade -y
Install Docker
Install Docker Compose
Download Wazuh Docker
Start Stack
docker compose up -d
Verify Containers
docker ps
Native Installation
Install Manager
Install Indexer
Install Dashboard
Configure Certificates
Start Services
Linux Commands
Systemctl
systemctl status wazuh-manager
systemctl restart wazuh-manager
systemctl enable wazuh-manager
Docker
docker ps
docker images
docker logs
docker compose up -d
docker compose down
docker exec -it container bash
Logs
tail -f /var/ossec/logs/ossec.log
journalctl -u wazuh-manager
Agent
agent_control -l
agent_control -i
manage_agents
Agent Deployment
Linux
Install Agent
Configure Manager IP
Register Agent
Start Service
Windows
MSI Installation
Register
Verify
macOS
PKG Installation
Register
Mass Deployment
Ansible
Wazuh + Ansible Enterprise Deployment
27 more items...
Puppet
Chef
SCCM
Intune
Agent Configuration
ossec.conf
Log Collection
File Integrity Monitoring
Syscheck
Rootcheck
Active Response
Command Monitoring
SCA
Labels
Custom Rules
Modules
Syscheck
File Integrity Monitoring
Detect File Changes
Detect Permission Changes
Detect Ownership Changes
Detect Hash Changes
Rootcheck
Hidden Processes
Hidden Ports
Rootkits
Suspicious Files
Syscollector
Installed Packages
Running Processes
Network Interfaces
Hardware
Operating System
Vulnerability Detector
CVE Detection
Package Scanning
Logcollector
Collect Logs
Syslog
Apache
Nginx
Authentication Logs
Active Response
Block IP
Kill Process
Disable Account
Firewall Rules
SCA
CIS Benchmark
Security Policies
Rules
Decoders
Parse Logs
Rules
Match Events
Alert Levels
Rule Levels
0
Ignore
1-3
Informational
4-6
Low
7-10
Medium
11-14
High
15
Critical
Custom Rules
Local Rules
Rule Testing
Commands
wazuh-logtest
Decoders
JSON
XML
Syslog
Apache
Nginx
Custom Decoder
File Integrity Monitoring
Monitor
/etc
/home
/var/www
Detect
File Creation
File Deletion
Permission Changes
Ownership Changes
Content Changes
Log Monitoring
Linux Logs
auth.log
syslog
secure
messages
Web Logs
Apache
Nginx
Database Logs
MySQL
PostgreSQL
Application Logs
Docker Logs
Threat Detection
Brute Force
SSH Login Failure
Privilege Escalation
Malware
Rootkit
Hidden Process
Hidden Port
Suspicious Commands
Unauthorized Software
Web Attacks
SQL Injection
XSS
Command Injection
Directory Traversal
Active Response
Firewall Drop
Disable User
Kill Process
Custom Script
Automatic Response
Manual Response
Integrations
VirusTotal
Slack
Email
Active Directory
LDAP
TheHive
Shuffle SOAR
MISP
Suricata
Snort
Zeek
YARA
OpenVAS
Nessus
AWS
Azure
Google Cloud
Enterprise Labs
Lab 1
Install Wazuh
Lab 2
Register Ubuntu Agent
Lab 3
Register Windows Agent
Lab 4
File Integrity Monitoring
Lab 5
SSH Brute Force Detection
Lab 6
Privilege Escalation Detection
Lab 7
Hidden Process Detection
Lab 8
Rootkit Detection
Lab 9
Malware Detection
Lab 10
Unauthorized User Creation
Lab 11
Password File Modification
Lab 12
Apache Log Monitoring
Lab 13
Nginx Monitoring
Lab 14
Docker Monitoring
Lab 15
CIS Compliance Scan
Lab 16
Vulnerability Detection
Lab 17
Active Response Firewall Block
Lab 18
VirusTotal Integration
Lab 19
Suricata Integration
Lab 20
Snort Integration
Lab 21
YARA Integration
Lab 22
OpenVAS Integration
Lab 23
LDAP Authentication
Lab 24
Email Alerting
Lab 25
Dashboard Customization
Lab 26
Rule Creation
Lab 27
Decoder Creation
Lab 28
Threat Hunting
Lab 29
Incident Response
Lab 30
Enterprise Multi-Agent Deployment
Troubleshooting
Agent Offline
Registration Failure
API Failure
Dashboard Login Issues
Certificate Errors
Docker Container Down
Indexer Red
High CPU
High Memory
Rule Not Triggering
Decoder Failure
Best Practices
Principle of Least Privilege
TLS Encryption
RBAC
Backup Configuration
Backup Indices
Monitor Disk Space
Monitor Cluster Health
Regular Updates
Rule Tuning
Reduce False Positives
Secure API
Centralized Logging
Enterprise Implementation Workflow
Requirements Gathering
Asset Inventory
Server Sizing
Architecture Design
Install Manager
Install Indexer
Install Dashboard
Configure TLS
Register Agents
Configure Log Collection
Enable FIM
Enable Rootcheck
Enable Vulnerability Detection
Integrate IDS
Integrate SOAR
Configure Email
Configure Dashboards
Test Detection
Test Active Response
Fine Tune Rules
Production Deployment
Continuous Monitoring
Incident Response
Reporting
Interview Preparation
What is Wazuh
Difference Between SIEM and XDR
Wazuh Components
Wazuh Architecture
Wazuh Agent Workflow
Wazuh Rule Engine
Decoder vs Rule
Active Response
File Integrity Monitoring
Rootcheck
Syscheck
Syscollector
Vulnerability Detection
Wazuh API
Cluster
Agent Registration
TLS Communication
Custom Rules
Custom Decoders
Dashboard
Indexer
Docker Deployment
Native Deployment
High Availability
Enterprise Scaling
Troubleshooting Scenarios
Important Linux Commands
docker ps
docker compose up -d
docker compose down
docker logs
docker exec -it
systemctl status wazuh-manager
systemctl restart wazuh-manager
journalctl -u wazuh-manager
tail -f /var/ossec/logs/ossec.log
manage_agents
agent_control -l
agent_control -i
wazuh-logtest
curl API
netstat
ss -tulnp
tcpdump
iptables
ufw
chmod
chown
find
grep
awk
sed
SOC Workflow
Collect Logs
Normalize Logs
Decode Events
Apply Rules
Generate Alerts
Investigate
Threat Hunt
Contain
Eradicate
Recover
Lessons Learned
File Integrity Monitoring (FIM)
Purpose
Detect Unauthorized File Changes
Monitor
/etc/passwd
/etc/shadow
/etc/sudoers
/var/www/html
Critical Configuration Files
Enterprise Benefit
Detect Backdoors
Detect Unauthorized Changes
Detect Insider Activity
IDS Logs and Monitoring
Suricata Logs
/var/log/suricata/fast.log
/var/log/suricata/eve.json
System Logs
/var/log/messages
journalctl
Useful Commands
sudo tail -f /var/log/suricata/fast.log
sudo tail -f /var/log/suricata/eve.json
sudo journalctl -u suricata
sudo ss -tulpn
SIEM Integration
Wazuh
Alert Correlation
Dashboard Visualization
Compliance Reporting
ELK Stack
Elasticsearch
Logstash
Kibana
Workflow
IDS Alert
Log Collection
SIEM Correlation
Investigation
Response
IDS Tuning
Reduce False Positives
Disable Unnecessary Rules
Customize Rule Sets
Baseline Normal Traffic
Improve Detection
Update Signatures
Monitor Critical Assets
Review Alerts Regularly
Incident Response Process
Alert Received
Validate Alert
Determine Severity
Contain Threat
Investigate Root Cause
Eradicate Threat
1 more item...
Interview Preparation
What is IDS
Intrusion Detection System used to detect malicious activities and generate alerts
Difference Between IDS and IPS
IDS detects and alerts
IPS detects and blocks
Difference Between NIDS and HIDS
NIDS monitors network traffic
HIDS monitors individual hosts
Popular IDS Solutions
Suricata
Snort
Zeek
Wazuh
OSSEC
What is Signature-Based Detection
Detects attacks using predefined signatures
What is Anomaly-Based Detection
Detects deviations from normal behavior
Why Integrate IDS with SIEM
Centralized monitoring
Alert correlation
Faster incident response
Enterprise Best Practices
Deploy multiple IDS sensors
Integrate with SIEM
Monitor critical assets
Update rules regularly
Tune alerts to reduce false positives
Perform continuous threat hunting
IPS
IPS (Intrusion Prevention System) - Enterprise Implementation
IPS (Intrusion Prevention System) - Enterprise Implementation (RHEL/EL10)
IPS Overview
Definition
Monitors network or host activity
Detects malicious behavior
Automatically blocks threats
Works inline with network traffic
Objectives
Prevent attacks before damage occurs
Reduce attack surface
Protect critical assets
Support compliance requirements
Benefits
Real-time protection
Automated response
Improved visibility
Reduced manual intervention
IPS vs IDS
IDS (Intrusion Detection System)
Detects attacks
Generates alerts
Does not block traffic
Passive monitoring
IPS (Intrusion Prevention System)
Detects attacks
Blocks malicious traffic
Active protection
Inline deployment
IPS Types
Network IPS (NIPS)
Monitors network traffic
Protects multiple systems
Deployed at network boundaries
Example: Suricata
Host IPS (HIPS)
Installed on endpoints
Protects individual servers
Monitors system activity
Example: Wazuh Active Response
Wireless IPS (WIPS)
Protects wireless networks
Detects rogue access points
Network Behavior Analysis (NBA)
Detects abnormal traffic patterns
Identifies DDoS attacks
Detects insider threats
Enterprise Architecture
Internet
Firewall
WAF
IPS
Reverse Proxy
Application Servers
Database Servers
Internal Network
Core Switches
IPS Sensors
Critical Servers
Security Monitoring
SOC Integration
SIEM
Threat Intelligence
Incident Response
Security Dashboards
Threats Detected by IPS
Port Scanning
Nmap
Masscan
Vulnerability Scanning
Nessus
OpenVAS
Nikto
Web Attacks
SQL Injection
XSS
Command Injection
File Inclusion
Network Attacks
DDoS
Brute Force
Malware Communication
Exploitation Attempts
Known CVEs
Buffer Overflow
Remote Code Execution
Enterprise IPS Solution on EL10
Suricata
Open-source IPS/IDS
Multi-threaded engine
High performance
Deep packet inspection
Enterprise ready
Features
Signature-based detection
Protocol analysis
File extraction
TLS inspection support
Threat intelligence integration
Installation (EL10)
Update System
sudo dnf update -y
Install EPEL
sudo dnf install epel-release -y
Install Suricata
sudo dnf install suricata -y
Verify Installation
suricata --build-info
suricata -V
Configuration Files
Main Configuration
/etc/suricata/suricata.yaml
Rules Directory
/var/lib/suricata/rules/
Logs Directory
/var/log/suricata/
Update Utility
suricata-update
Network Interface Discovery
Show Interfaces
ip addr
ip link
Identify Monitoring Interface
ens33
eth0
enp0s3
Rule Management
Update Rules
sudo suricata-update
Verify Rules
sudo suricata-update list-sources
Custom Rules
/var/lib/suricata/rules/local.rules
Example Detection Rule
ICMP Detection
alert icmp any any -> any any (msg:"ICMP Detected"; sid:1000001; rev:1;)
Nmap Detection
alert tcp any any -> any any (msg:"Possible Nmap Scan"; flags:S; threshold:type both, track by_src, count 20, seconds 10; sid:1000002; rev:1;)
IPS Mode Configuration
Detection Mode
Alert only
No blocking
Safe for testing
Prevention Mode
Drop malicious packets
Block attacks automatically
Recommended after tuning
Enable IPS Mode
Edit Configuration
sudo nano /etc/suricata/suricata.yaml
Set Interface
af-packet
interface: ens33
copy-mode: ips
copy-iface: ens33
Validate Configuration
sudo suricata -T -c /etc/suricata/suricata.yaml
Service Management
Enable Service
sudo systemctl enable suricata
Start Service
sudo systemctl start suricata
Restart Service
sudo systemctl restart suricata
Service Status
sudo systemctl status suricata
Monitoring and Logs
Fast Log
tail -f /var/log/suricata/fast.log
Eve JSON Log
tail -f /var/log/suricata/eve.json
Search Alerts
grep ALERT /var/log/suricata/fast.log
Journal Logs
sudo journalctl -u suricata
Testing IPS
Ping Test
ping target_ip
Port Scan Detection
nmap -sS target_ip
Web Scan Detection
nikto -h
http://target_ip
Verify Alerts
Check fast.log
Check eve.json
Enterprise Tuning
Reduce False Positives
Disable noisy rules
Tune thresholds
Create exceptions
Performance Optimization
Increase CPU threads
Allocate memory properly
Use dedicated monitoring interfaces
Change Management
Test rules before production
Document modifications
Maintain rollback plan
Integration with SIEM
Wazuh
Forward eve.json
Create dashboards
Correlate events
ELK Stack
Elasticsearch
Logstash
Kibana
SOC Monitoring
Alert triage
Incident investigation
Threat hunting
Operational Workflow
Traffic Arrives
Suricata Inspects Packets
Rule Matching
Threat Identified
Alert Generated
Packet Dropped
Event Logged
SIEM Receives Event
SOC Investigation
Hardening
Restrict Shell Access
Regular Rule Updates
Backup Configuration
Secure Log Storage
Enable Audit Logging
Monitor Resource Usage
Troubleshooting
Validate Configuration
sudo suricata -T -c /etc/suricata/suricata.yaml
Check Service
systemctl status suricata
Review Logs
journalctl -xe
Verify Interface
ip addr
Confirm Rule Loading
suricata-update
Interview Preparation
What is IPS
Intrusion Prevention System
Detects and blocks attacks in real time
Difference Between IDS and IPS
IDS alerts
IPS alerts and blocks
Why Suricata
Open source
High performance
Multi-threaded
Enterprise deployment
Detection Methods
Signature Based
Anomaly Based
Behavior Based
IPS Deployment Locations
Perimeter Network
Data Center
DMZ
Internal Segmentation
Common Commands
suricata -V
suricata --build-info
suricata-update
suricata -T -c /etc/suricata/suricata.yaml
systemctl status suricata
Enterprise Best Practice
Start in Detection Mode
Tune Rules
Monitor False Positives
Move to Prevention Mode
Integrate with SIEM
Continuous Rule Updates
Enterprise Best Practice Summary
Firewall filters traffic
WAF protects web applications
IPS blocks malicious network traffic
SIEM centralizes visibility
SOC investigates incidents
Layered Security Approach
Firewall
WAF
IPS
EDR
SIEM
Threat Intelligence