Suricata Inline IDS Lab
Student Guide & Workbook
Learning Objectives
Understand inline IDS deployment architecture
Analyze signature-based detection rules
Map security alerts to CISSP Kill Chain phases
Perform SOC analyst triage and incident response
Network Topology
Attacker (172.20.10.2) -- eth1 -- IDS Router (inline) -- eth2 -- Target (172.20.20.4)
Lab Access
| Terminal | URL Pattern | Description |
|---|---|---|
| Attacker | https://labs.cyberpathinsight-uk.com/labs/student[N]/attacker/ | Ubuntu with Nmap, Nikto, Curl |
| IDS | https://labs.cyberpathinsight-uk.com/labs/student[N]/ids/ | Suricata IDS/IPS, Logs |
| Target | https://labs.cyberpathinsight-uk.com/labs/student[N]/target/ | Web Server, SSH, Vulnerable Services |
Detection Rules
| Rule ID | Description | Threshold |
|---|---|---|
| 9000001 | ICMP Ping Sweep | - |
| 9000002 | TCP SYN Scan | > 12 SYNs / 3 seconds |
| 9000003 | SSH Probe (Port 22) | - |
| 9000004 | HTTP GET Request (Port 8080) | - |
| 9000005 | Nikto User-Agent Signature | - |
Lab Exercises
Exercise 1: Network Discovery (10 min)
Attacker: nmap -sn 172.20.20.0/24
IDS: Watch for 9000001 alerts in fast.log
Question: How many active hosts were discovered?

Exercise 2: Port Scanning (15 min)
Attacker: nmap -sS -T4 172.20.20.4 -p 1-100
IDS: Watch for 9000002 alerts
Question: What specific behavior triggers the threshold?

Exercise 3: Service Enumeration (10 min)
Attacker: nmap -p 22,80,8080 172.20.20.4
IDS: Watch for 9000003 alerts
Question: Is SSH running on the target?

Exercise 4: Web Application Probing (10 min)
Attacker: curl http://172.20.20.4:8080
IDS: Watch for 9000004 alerts
Question: What HTTP methods trigger this alert?

Exercise 5: Automated Scanning (10 min)
Attacker: curl -A "Nikto/2.1.6" http://172.20.20.4:8080
IDS: Watch for 9000005 AND 9000004
Question: Why did TWO rules trigger for a single request?
SOC Analyst Scenario
You observe the following alerts within a 5-minute window:
50x [9000001] ICMP Ping Sweep
200x [9000002] TCP SYN Scan
10x [9000005] Nikto User-Agent
What is your immediate action?
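Added example (not part of the workbook) of the fast.log triage that sits behind this scenario and behind the "Watch for ... alerts" steps in the exercises: it parses Suricata fast.log lines and tallies alerts per source IP inside the busiest 5-minute window, which is the view an analyst wants before deciding on an action. The log lines are constructed for the example, using the SIDs from the rule table above.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# One Suricata fast.log line: "<MM/DD/YYYY-HH:MM:SS.ffffff>  [**] [gid:sid:rev] msg [**] [...] {PROTO} src[:port] -> dst[:port]"
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$")

# Constructed sample lines (not captured from the lab); SIDs follow the workbook's rule table.
SAMPLE_LOG = """\
02/10/2024-14:00:01.000001  [**] [1:9000001:1] ICMP Ping Sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 172.20.10.2 -> 172.20.20.4
02/10/2024-14:00:01.500000  [**] [1:9000001:1] ICMP Ping Sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 172.20.10.2 -> 172.20.20.5
02/10/2024-14:01:10.000000  [**] [1:9000002:1] TCP SYN Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.20.10.2:40000 -> 172.20.20.4:22
02/10/2024-14:03:05.000000  [**] [1:9000004:1] HTTP GET Request (Port 8080) [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 172.20.10.2:50000 -> 172.20.20.4:8080
02/10/2024-14:03:05.000100  [**] [1:9000005:1] Nikto User-Agent Signature [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 172.20.10.2:50000 -> 172.20.20.4:8080
02/10/2024-14:20:00.000000  [**] [1:9000001:1] ICMP Ping Sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 172.20.10.2 -> 172.20.20.4
"""

def parse_fast_log(text):
    """Return one dict per parseable line (ts, sid, msg, proto, src, dst); other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e.update(ts=datetime.strptime(e["ts"], "%m/%d/%Y-%H:%M:%S.%f"), sid=int(e["sid"]))
            events.append(e)
    return events

def busiest_window(events, window=timedelta(minutes=5)):
    """Per source IP, find the window of length `window` holding the most alerts.
    Returns {src: (window_start, Counter({sid: count}))}; alerts outside it (the 14:20 ping above) are not counted."""
    by_src = {}
    for e in events:
        by_src.setdefault(e["src"], []).append(e)
    summary = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best_start, best_hits = None, []
        for i, first in enumerate(evs):  # try each alert as the window start
            hits = [e for e in evs[i:] if e["ts"] - first["ts"] < window]
            if len(hits) > len(best_hits):
                best_start, best_hits = first["ts"], hits
        summary[src] = (best_start, Counter(e["sid"] for e in best_hits))
    return summary

if __name__ == "__main__":
    for src, (start, counts) in busiest_window(parse_fast_log(SAMPLE_LOG)).items():
        print(f"{src} from {start:%H:%M:%S}: " + ", ".join(f"{n}x [{sid}]" for sid, n in sorted(counts.items())))
```

Run it against the IDS terminal's fast.log instead of SAMPLE_LOG to get the same per-source tally for your own exercise traffic.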
Lab Completion
All 5 rules triggered
Attack timeline documented
Assessment completed
SOC scenario analyzed
Student: ________________
Date: ________________
Score: ____/100