🛰️ Network detection (NIDS/NDR)

# Suricata

High-performance open-source IDS/IPS with deep protocol inspection.
## Why use it
Suricata is the modern multi-threaded successor to Snort. It detects network attacks via signature rules, generates rich protocol logs (HTTP, TLS, DNS, SMB, more), and can run inline as an IPS. The Cyentrix team uses it as the wire-level eyes for every home SOC.
## What you get
- Signature-based IDS/IPS with ET Open ruleset (free)
- Protocol logs (eve.json) covering HTTP, TLS, DNS, SMB, FTP, more
- TLS metadata and JA3 fingerprinting
- File extraction from streams
- Lua scripting for custom detection logic
## System requirements

| Requirement | Value |
|---|---|
| CPU | 4 cores (more for inline) |
| RAM | 4 GB minimum |
| Disk | 20 GB+ for logs |
| OS | Linux |
| Docker | Yes |
## Installation

On Ubuntu, install from the stable PPA:

```bash
sudo add-apt-repository ppa:oisf/suricata-stable && sudo apt install suricata
```

Configure a single sniffing interface in /etc/suricata/suricata.yaml. Then pull the ET Open rules and restart the service:

```bash
sudo suricata-update
sudo systemctl restart suricata
```
## Suggested configuration
Run AF_PACKET on a SPAN/mirror port, not your main NIC, for production-shaped signal. Tune the ET Open ruleset by disabling categories you don't care about (policy, info) — start lean and re-enable. Forward eve.json to your SIEM via Filebeat.
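As an added example (not from this page or the Suricata project), a small Python pass over eve.json alert records that drops the policy/info-style categories discussed above and tallies what is left by signature and source host, the kind of triage you might run before shipping to a SIEM. The sample log lines, signature IDs and category strings are constructed, and the noise-category set is an assumption to adjust for your own ruleset tuning.

```python
import json
from collections import Counter

# Constructed sample of eve.json (one JSON object per line), shaped like Suricata output but
# not from any real capture; IDs, names and categories are illustrative. The last line is truncated.
SAMPLE_EVE = """\
{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","alert":{"signature_id":2100001,"signature":"ET EXAMPLE Suspicious User-Agent","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-05-01T10:00:02.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","proto":"UDP","dns":{"rrname":"example.com","rrtype":"A"}}
{"timestamp":"2024-05-01T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.9","dest_ip":"198.51.100.3","dest_port":443,"proto":"TCP","alert":{"signature_id":2100002,"signature":"ET EXAMPLE Cloud Storage Access","category":"Potential Corporate Privacy Violation","severity":3}}
{"timestamp":"2024-05-01T10:00:04.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","alert":{"signature_id":2100001,"signature":"ET EXAMPLE Suspicious User-Agent","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-05-01T10:00:05.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"198.51.100.8","dest_port":53,"proto":"UDP","alert":{"signature_id":2100003,"signature":"ET EXAMPLE Known Bad Domain Lookup","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2024-05-01T10:00:06.000000+0000","event_type":"alert","src_ip":"10.0.0.9"
"""

# Assumed policy/info-style categories to treat as noise in a homelab; tune to your ruleset.
NOISE_CATEGORIES = {"Not Suspicious Traffic", "Potential Corporate Privacy Violation"}


def parse_alerts(lines):
    """Return the alert events only, skipping other event types and malformed lines."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or partial line (e.g. mid-rotation): skip, don't stop the pipeline
        if event.get("event_type") == "alert" and isinstance(event.get("alert"), dict):
            alerts.append(event)
    return alerts


def summarize(alerts, noise=NOISE_CATEGORIES, max_severity=2):
    """Count alerts by signature and by source host, dropping noise categories and
    anything less urgent than max_severity (Suricata severity: 1 is the highest)."""
    by_signature, by_source = Counter(), Counter()
    for event in alerts:
        alert = event["alert"]
        if alert.get("category") in noise or alert.get("severity", 4) > max_severity:
            continue
        by_signature[(alert["signature_id"], alert["signature"])] += 1
        by_source[event["src_ip"]] += 1
    return by_signature, by_source


if __name__ == "__main__":
    sigs, sources = summarize(parse_alerts(SAMPLE_EVE.splitlines()))
    for (sid, name), count in sigs.most_common():
        print(f"{count:4d}  sid:{sid}  {name}")
    print("talkers:", dict(sources))
```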
## Integration ideas
- Ship eve.json to Wazuh, Elastic, or Graylog
- Pair with Zeek for protocol metadata + signatures together
- Feed alerts to TheHive for case management
- Use with Arkime for full-PCAP context on Suricata alerts
## Alternatives
- Zeek — Better protocol metadata, no native signatures.
- Snort 3 — Now competitive; Suricata still leads on multi-threading.
## Cyentrix verdict
The default network IDS for homelab SOCs. Get a SPAN port set up before you install — without one, you're just monitoring your scanner host's own traffic.