GitHub: Vaughan8842/suricata-home-lab
# Suricata Home Lab — Live Network IDS on Raspberry Pi
A live, production home network security monitoring system built and operated by Christopher Vaughan. This is not a lab simulation — it runs 24/7, monitors real traffic, and sends real alerts.
## Overview
| Item | Detail |
|------|--------|
| **Hardware** | Raspberry Pi (passive monitoring on `eth0`) |
| **IDS Engine** | Suricata — passive detection only, no blocking |
| **Network** | Home subnet `172.16.0.0/24` |
| **Remote Access** | Twingate Zero Trust VPN |
| **Alert Delivery** | Real-time email + daily summary report |
| **Rule Management** | Custom whitelist with documented suppression rationale |
## Architecture
```text
Home Network (172.16.0.0/24)
├── 172.16.0.1   — Router
├── 172.16.0.191 — Raspberry Pi (Suricata + Twingate)
└── other devices (phones, TVs, IoT)
        │
        ▼
  [ Suricata IDS ]
  Monitors all traffic on eth0
  Logs to /var/log/suricata/fast.log
        │
   ┌────┴──────────┐
   ▼               ▼
suricata-watcher   Daily Report
(real-time)        (7:00 AM cron)
   │               │
   └───────┬───────┘
           ▼
  Email alert to Gmail
```
## Components Built
### 1. Suricata IDS
- Installed and configured on Raspberry Pi to passively monitor all traffic on `eth0`
- `HOME_NET` set to `172.16.0.0/24`
- Rule updates managed via `suricata-update`
- Fixed default rules path misconfiguration in `suricata.yaml` (default points to wrong path — would silently load 0 rules)
### 2. Real-Time Alert Watcher (`suricata-alert-watcher.sh`)
A custom Bash script running as a `systemd` service that:
- Tails `fast.log` continuously with `tail -F`
- Filters out known-normal traffic via `grep -qE` pattern matching
- Deduplicates alerts by rule ID — suppresses repeat emails for 1 hour per rule
- Sends an immediate email on any unrecognized alert
- Resets deduplication state on reboot (uses `/tmp/` for the sent-alerts log)
- Restarts automatically on crash (`Restart=always` in unit file)
```bash
# Service management
sudo systemctl status suricata-watcher
sudo systemctl restart suricata-watcher
```
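The watcher logic described above, as an added example that is not the repository's own `suricata-alert-watcher.sh`: it parses the SID out of each `fast.log` line, drops alerts whose message matches the whitelist pattern, and allows at most one email per SID per hour via a state file under `/tmp/` (so the state resets on reboot). The log path, whitelist pattern, state file, recipient address and the `msmtp -t` delivery are assumptions you adapt to your own setup; `process_line` takes the current time as an argument so the dedup window can be exercised without waiting an hour.

```sh
#!/bin/sh
# Added example, not the repository's script. Minimal fast.log watcher with
# whitelist filtering and per-SID deduplication.
FAST_LOG="${FAST_LOG:-/var/log/suricata/fast.log}"
STATE_FILE="${STATE_FILE:-/tmp/suricata-sent-alerts.log}"   # under /tmp => cleared on reboot
SUPPRESS_SECS="${SUPPRESS_SECS:-3600}"                        # one email per SID per hour
ALERT_TO="${ALERT_TO:-alerts@example.com}"                    # placeholder recipient

# Alert names documented as normal in the whitelist log (grep -E syntax); assumption.
WHITELIST_PATTERN='ET INFO STUN Binding (Request|Response)|SURICATA DHCP truncated options|ET INFO RMM Domain DNS|ET INFO GNU/Linux APT User-Agent|SURICATA UDPv6 invalid checksum|SURICATA STREAM invalid timestamp'

# Extract the SID from the "[gid:sid:rev]" field of a fast.log line (empty if absent).
alert_sid() {
    printf '%s\n' "$1" | sed -n 's/^.*\[[0-9][0-9]*:\([0-9][0-9]*\):[0-9][0-9]*\].*$/\1/p'
}

# Decide whether SID $1 may be emailed at epoch time $2. Returns 0 and records the
# send time when the last email for that SID is absent or older than SUPPRESS_SECS;
# returns 1 while the SID is still inside the suppression window.
should_notify() {
    sid="$1"; now="$2"
    touch "$STATE_FILE"
    last=$(awk -v s="$sid" '$1 == s { t = $2 } END { print t + 0 }' "$STATE_FILE")
    if [ "$last" -gt 0 ] && [ $((now - last)) -lt "$SUPPRESS_SECS" ]; then
        return 1
    fi
    printf '%s %s\n' "$sid" "$now" >> "$STATE_FILE"
    return 0
}

# Classify one fast.log line. Exit status: 0 = send email, 1 = whitelisted,
# 2 = suppressed by the dedup window, 3 = not an alert line.
process_line() {
    line="$1"; now="${2:-$(date +%s)}"
    sid=$(alert_sid "$line")
    [ -n "$sid" ] || return 3
    printf '%s\n' "$line" | grep -qE "$WHITELIST_PATTERN" && return 1
    should_notify "$sid" "$now" || return 2
    return 0
}

# Deliver one alert through msmtp (assumes an msmtp account is configured).
send_alert() {
    printf 'To: %s\nSubject: Suricata alert SID %s\n\n%s\n' "$ALERT_TO" "$2" "$1" | msmtp -t
}

# Follow fast.log across rotations and email anything that survives filtering.
watch() {
    tail -n0 -F "$FAST_LOG" | while IFS= read -r line; do
        if process_line "$line"; then
            send_alert "$line" "$(alert_sid "$line")"
        fi
    done
}

# Run the loop only when invoked as "sh watcher.sh --watch" (e.g. from the systemd unit).
if [ "${1:-}" = "--watch" ]; then
    watch
fi
```

Deduplicating on SID alone means a second device tripping the same signature within the hour is silent too; if that matters on your network, key the state file on `sid` plus source IP instead.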
### 3. Daily Summary Report (`suricata-daily-report.sh`)
A cron job (7:00 AM daily) that emails:
- All Suricata alerts from the past 24 hours
- Top DNS queries seen on the network
- Unique source IPs observed
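The three report sections above, as an added example that is not the repository's own `suricata-daily-report.sh`: alerts are taken from `fast.log` by converting its `MM/DD/YYYY-HH:MM:SS` timestamps into a sortable key and comparing against a cutoff, unique source IPs come from the `src:port -> dst:port` tail of each alert line, and top DNS queries are counted from `eve.json` (Suricata's default JSON log, which the example assumes has the `dns` event type enabled). The log paths, recipient, the GNU `date -d '24 hours ago'` used in cron mode and `msmtp -t` delivery are assumptions.

```sh
#!/bin/sh
# Added example, not the repository's script. Builds the daily summary from
# fast.log (alerts, source IPs) and eve.json (DNS queries).
FAST_LOG="${FAST_LOG:-/var/log/suricata/fast.log}"
EVE_LOG="${EVE_LOG:-/var/log/suricata/eve.json}"
REPORT_TO="${REPORT_TO:-alerts@example.com}"   # placeholder recipient

# Print alert lines from file $1 whose timestamp is at or after cutoff $2, where
# the cutoff is a 14-digit "YYYYMMDDHHMMSS" string. The fast.log timestamp is
# rearranged into the same shape so a plain string comparison orders correctly.
recent_alerts() {
    awk -v cutoff="$2" '
        match($1, /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9][0-9][0-9]-[0-9][0-9]:[0-9][0-9]:[0-9][0-9]/) {
            ts  = substr($1, RSTART, RLENGTH)
            key = substr(ts, 7, 4) substr(ts, 1, 2) substr(ts, 4, 2) \
                  substr(ts, 12, 2) substr(ts, 15, 2) substr(ts, 18, 2)
            if (key >= cutoff) print
        }' "$1"
}

# Unique source addresses from alert lines: the field before "->" is src:port.
unique_sources() {
    awk '$(NF-1) == "->" { s = $(NF-2); sub(/:[0-9]+$/, "", s); print s }' "$1" | sort -u
}

# Top-N queried names from eve.json dns query records (answers carry rrname too
# and are excluded so each lookup is counted once).
top_dns() {
    grep '"event_type":"dns"' "$1" | grep '"type":"query"' \
        | grep -o '"rrname":"[^"]*"' | cut -d'"' -f4 \
        | sort | uniq -c | sort -rn | head -n "${2:-10}"
}

# Assemble the report body for everything since cutoff $1.
build_report() {
    cutoff="$1"
    printf '== Suricata alerts since %s ==\n' "$cutoff"
    recent_alerts "$FAST_LOG" "$cutoff"
    printf '\n== Top DNS queries ==\n'
    top_dns "$EVE_LOG" 10
    printf '\n== Unique source IPs in alerts ==\n'
    unique_sources "$FAST_LOG"
}

# Cron entry (assumption): 0 7 * * * /usr/local/bin/suricata-daily-report.sh --send
# "date -d" is GNU date, which Raspberry Pi OS ships.
if [ "${1:-}" = "--send" ]; then
    cutoff=$(date -d '24 hours ago' +%Y%m%d%H%M%S)
    {
        printf 'To: %s\nSubject: Suricata daily report\n\n' "$REPORT_TO"
        build_report "$cutoff"
    } | msmtp -t
fi
```

Because the watcher filters in the pipeline rather than in Suricata, whitelisted alerts still land in `fast.log` and therefore still appear in this report, which is what you want when reviewing whether a suppression decision is still valid.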
### 4. Twingate Zero Trust VPN
- Deployed Twingate Connector on the Pi for remote administration
- Configured resource access policies and group-based access controls
- Enables SSH and management access from anywhere without opening firewall ports
- **Note:** NordVPN and Twingate conflict — run only one at a time
## Rule Tuning — Whitelist Log
Evaluated every triggered alert, researched the rule, and documented the suppression decision. This mirrors Tier 1 SOC rule management workflows.
| Rule ID | Alert Name | Source | Reason Suppressed |
|---------|-----------|--------|-------------------|
| 2016149 | ET INFO STUN Binding Request | Pi (Twingate) | Normal Twingate NAT traversal |
| 2016150 | ET INFO STUN Binding Response | Twingate servers | Normal Twingate NAT traversal |
| 2260002 | Twingate traffic | Pi | Normal Twingate operation |
| 2227001 | SURICATA DHCP truncated options | Router (172.16.0.1) | Consumer router DHCP implementation quirk — not malicious |
| 2065070 | ET INFO RMM Domain DNS (pubnub.com) | Pi | Twingate uses PubNub for control plane signaling — normal |
| 2013504 | ET INFO GNU/Linux APT User-Agent | Pi → Ubuntu servers | Ubuntu package manager update traffic, classified "Not Suspicious" |
| 2200078 | SURICATA UDPv6 invalid checksum | mDNS (port 5353) | NIC checksum offloading false positive — Suricata captures before NIC fills in checksum |
| 2210044 | SURICATA STREAM invalid timestamp | AWS (Twingate relay) → Pi | TCP timestamp drift on long-lived HTTPS connections — P3 informational, not an attack |
**Total rules evaluated and suppressed: 8**
**Methodology:** For each alert — identify rule ID, research the signature, correlate source IP and destination against known network baseline, document rationale before suppressing.
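The same whitelist expressed as Suricata engine-level suppressions, as an added example that is not part of the repository: a `threshold.config` file referenced from `suricata.yaml` via `threshold-file` lets each suppression be scoped to the host that legitimately produces it, so the same SID from any other device still alerts. The file path is assumed; the SIDs and hosts are the ones in the table above. After editing, `sudo suricata -T -c /etc/suricata/suricata.yaml` validates the configuration before a restart.

```text
# /etc/suricata/threshold.config (added example; path is an assumption)
# Referenced from suricata.yaml:  threshold-file: /etc/suricata/threshold.config

# Twingate NAT traversal and control-plane signalling from/to the Pi only
suppress gen_id 1, sig_id 2016149, track by_src, ip 172.16.0.191
suppress gen_id 1, sig_id 2016150, track by_dst, ip 172.16.0.191
suppress gen_id 1, sig_id 2260002, track by_src, ip 172.16.0.191
suppress gen_id 1, sig_id 2065070, track by_src, ip 172.16.0.191

# Consumer router DHCP quirk, router only
suppress gen_id 1, sig_id 2227001, track by_src, ip 172.16.0.1

# APT update traffic from the Pi only
suppress gen_id 1, sig_id 2013504, track by_src, ip 172.16.0.191

# TCP timestamp drift on the long-lived relay connection into the Pi
suppress gen_id 1, sig_id 2210044, track by_dst, ip 172.16.0.191

# Checksum-offload artefact affects every captured mDNS packet, so no host scope
suppress gen_id 1, sig_id 2200078
```

Unlike filtering in the watcher, an engine-level suppression stops the alert from reaching `fast.log` at all, so it also disappears from the daily report; keep that trade-off in mind when deciding which layer a given suppression belongs in.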
## Known Network Baseline
Expected traffic that is normal on this network:
| Source/Destination | Traffic | Reason |
|-------------------|---------|--------|
| `172.16.0.191` → `stun.sfo2.twingate.com` | STUN requests | Twingate NAT traversal |
| `172.16.0.191` → `91.189.92.x` | APT traffic | Ubuntu update servers |
| `172.16.0.191` → `smtp.gmail.com` | SMTP | Alert email delivery |
| `172.16.0.191` → `rules.emergingthreats.net` | HTTP | Suricata rule updates |
| `172.16.0.1` → broadcast | DHCP | Router DHCP server |
| `fe80::` → `ff02::` port 5353 | mDNS | Local device discovery (Avahi/Bonjour) |
## Tech Stack
- **OS:** Raspberry Pi OS (Linux)
- **IDS:** Suricata
- **Scripting:** Bash
- **Process Management:** systemd
- **Remote Access:** Twingate Zero Trust VPN
- **Email:** msmtp + Gmail App Password (SMTP port 587)
- **Scheduling:** cron
## Skills Demonstrated
- Deployed and configured a live IDS on real hardware
- Wrote production Bash automation with error handling and deduplication logic
- Managed a systemd service (install, enable, restart, troubleshoot)
- Performed alert triage and rule tuning using the same methodology as Tier 1 SOC work
- Maintained a structured, documented whitelist — not just "suppress and forget"
- Built and configured a Zero Trust VPN for secure remote access
- Established and documented a network traffic baseline