This project documents the complete setup of a home-based Security Operations Center (SOC) using a Raspberry Pi Zero 2 W as an Intrusion Detection System (IDS) with Suricata, forwarding logs via rsyslog to a Splunk Enterprise SIEM instance. This implementation demonstrates practical skills in network security monitoring, threat detection, log management, and Blue Team operations in a real-world environment.
🎯 Project Objectives
- Deploy a production-ready network IDS for real-time threat detection
- Implement centralized log collection and analysis using industry-standard SIEM
- Create custom dashboards for security monitoring and threat hunting
- Gain hands-on experience with Blue Team tools and methodologies
- Develop skills in alert tuning, rule management, and incident response
- Build a foundation for advanced threat intelligence integration
🏗️ System Architecture
```
┌─────────────────────────────────────────────────────────┐
│                      Home Network                       │
│                     (10.0.0.0/24)                       │
│                                                         │
│   ┌──────────┐    ┌──────────┐    ┌──────────┐          │
│   │  Laptop  │    │  Phone   │    │   IoT    │          │
│   │          │    │          │    │  Device  │          │
│   └────┬─────┘    └────┬─────┘    └────┬─────┘          │
│        │               │               │                │
│        └───────────────┴───────────────┘                │
│                        │                                │
│                 ┌──────▼──────┐                         │
│                 │   Router    │                         │
│                 │  10.0.0.1   │                         │
│                 └──────┬──────┘                         │
│                        │                                │
│          ┌─────────────▼───────────────┐                │
│          │   Raspberry Pi Zero 2 W     │                │
│          │      (Suricata IDS)         │                │
│          │       10.0.0.153            │                │
│          │                             │                │
│          │  • Captures traffic         │                │
│          │  • Analyzes packets         │                │
│          │  • Generates EVE JSON logs  │                │
│          │  • Applies ET Open rules    │                │
│          └─────────────┬───────────────┘                │
│                        │                                │
│                        │ rsyslog TCP 1514               │
│                        │                                │
│          ┌─────────────▼───────────────┐                │
│          │        Windows PC           │                │
│          │    (Splunk Enterprise)      │                │
│          │        10.0.0.X             │                │
│          │                             │                │
│          │  • Receives logs            │                │
│          │  • Indexes & parses data    │                │
│          │  • Dashboards & alerts      │                │
│          │  • Threat hunting queries   │                │
│          └─────────────────────────────┘                │
│                                                         │
└─────────────────────────────────────────────────────────┘
```
⚙️ Technical Specifications
| IDS Node (Raspberry Pi Zero 2 W) | IDS Software | SIEM Host | Network |
|---|---|---|---|
| MicroSD Card (32GB) | Suricata 6.x/7.x | Windows 10/11 Host | Gateway: 10.0.0.1 |
| Power Supply (5V/2.5A) | rsyslog (TCP forwarding) | TCP Input: Port 1514 | DNS: Cloudflare 1.1.1.1 |
| Static IP: 10.0.0.153 | ET Open Ruleset | Custom Dashboards | SSH Remote Access |
🔧 Implementation Process
1. Raspberry Pi Initial Setup

Prepare the Raspberry Pi with SSH access and static networking:

```bash
# Update system packages
sudo apt update && sudo apt full-upgrade -y

# Install essential tools
sudo apt install -y vim htop net-tools tcpdump

# Configure static IP (using NetworkManager)
sudo nmtui
# Set: IP 10.0.0.153/24, Gateway 10.0.0.1, DNS 1.1.1.1

# Verify network configuration
ip addr show
ping -c 4 8.8.8.8
```

2. Install and Configure Suricata
Deploy Suricata IDS for network traffic analysis:

```bash
# Install Suricata
# (the OISF PPA is for Ubuntu; on Raspberry Pi OS skip the PPA and install
#  the Debian package with "sudo apt install -y suricata")
sudo apt install -y software-properties-common
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt update
sudo apt install -y suricata

# Verify installation
suricata --build-info

# Update Emerging Threats Open ruleset
sudo suricata-update
sudo suricata-update list-sources
sudo suricata-update enable-source et/open
sudo suricata-update
```

3. Configure Suricata EVE JSON Logging
Edit /etc/suricata/suricata.yaml to enable comprehensive logging. Key configuration sections:

```yaml
# Network interface (adjust to your interface; the Pi Zero 2 W's onboard
# interface is wlan0 unless a USB Ethernet adapter is attached)
af-packet:
  - interface: eth0
    threads: auto
    cluster-type: cluster_flow

# EVE JSON output configuration
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      types:
        - alert:
            tagged-packets: yes
        - http:
            extended: yes
        - dns:
            query: yes
            answer: yes
        - tls:
            extended: yes
        - files:
            force-magic: yes
        - ssh
        - flow
        - netflow
```

```bash
# Restart Suricata
sudo systemctl restart suricata
sudo systemctl status suricata

# Monitor logs
sudo tail -f /var/log/suricata/eve.json
```

4. Configure rsyslog for Log Forwarding
Forward Suricata logs to Splunk via TCP:

```bash
# Create rsyslog configuration file
sudo nano /etc/rsyslog.d/30-suricata.conf
```

Add the following content:

```
# Forward Suricata EVE JSON logs to Splunk
module(load="imfile")
input(type="imfile"
      File="/var/log/suricata/eve.json"
      Tag="suricata"
      Severity="info"
      Facility="local7")

# Send each JSON line as-is. The default forward template prepends a syslog
# header ("<190>Jan 15 10:00:00 host suricata ..."), which the _json sourcetype
# on the Splunk side cannot parse; omfwd adds the newline frame delimiter itself.
template(name="SuricataRaw" type="string" string="%msg%")

# Forward to Splunk (replace with your Splunk IP). Matching on local7, the
# facility assigned above, forwards only the Suricata lines rather than every
# system log on the Pi (*.*).
local7.* action(type="omfwd" target="10.0.0.X" port="1514" protocol="tcp" template="SuricataRaw")
```

```bash
# Restart rsyslog
sudo systemctl restart rsyslog
sudo systemctl status rsyslog

# Test connectivity
nc -zv 10.0.0.X 1514
```

5. Splunk Enterprise Configuration
Set up Splunk to receive and parse Suricata logs:

1. Install Splunk Enterprise (Windows). Download from: https://www.splunk.com/
2. Create a TCP Data Input: Settings → Data Inputs → TCP → New Local TCP
   - Port: 1514
   - Source Type: _json (or create custom sourcetype)
   - Index: suricata (create new index)
3. Verify data ingestion (in Splunk Search):

```
index=suricata | head 10
```

4. Parse JSON fields:

```
index=suricata | spath
```

5. Search by event type:

```
index=suricata event_type=alert
index=suricata event_type=dns
index=suricata event_type=http
index=suricata event_type=tls
```

6. Create Splunk Dashboards
Build custom dashboards for security monitoring:

Dashboard 1: Event Type Distribution

```
index=suricata
| stats count by event_type
| sort -count
```

Dashboard 2: Top Alerts (Last 24h)

```
index=suricata event_type=alert
| stats count by alert.signature
| sort -count
| head 20
```

Dashboard 3: DNS Query Analysis

```
index=suricata event_type=dns
| stats count by dns.query
| sort -count
```

Dashboard 4: HTTP Traffic Overview

```
index=suricata event_type=http
| stats count by http.hostname, http.http_method
| sort -count
```

Dashboard 5: Suspicious IPs

```
index=suricata event_type=alert
| stats count by src_ip, dest_ip, alert.severity
| where 'alert.severity'=1 OR 'alert.severity'=2
```

In `where` and `eval`, a field name containing a dot such as `alert.severity` must be wrapped in single quotes; unquoted, the dot is read as the string-concatenation operator and the filter silently matches nothing.

When sharing screenshots or logs publicly, always mask sensitive information including: IP addresses (both internal and external), domain names, hostnames, and any personally identifiable information (PII). Use tools like image editors or Splunk's built-in anonymization features.
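The following is an added example, not code from this project: it reproduces offline what steps 4 to 6 rely on, namely that each line arriving on TCP 1514 is one parseable EVE JSON record, and then computes the same aggregations as Dashboards 1, 2, 3 and 5 over a constructed sample. Two sample lines deliberately carry the syslog header that rsyslog's default forward template would add, so the counters show how many records would have failed `_json` parsing without the raw template; the truncated last line shows a record that must be dropped rather than crash the pipeline. The sample IPs (10.0.0.0/24, TEST-NET 203.0.113.0/24), signature names and timestamps are all constructed; the DNS name field `dns.rrname` is the EVE field name this example assumes.

```python
import json
from collections import Counter

# Constructed sample of what Splunk's TCP input on port 1514 might receive.
# Lines 2 and 5 carry the header rsyslog's default forward template adds
# ("<190>" = facility local7, severity info); the rest are raw EVE JSON.
SAMPLE_LINES = [
    '{"timestamp":"2024-01-15T10:00:00.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.42","dest_ip":"203.0.113.7",'
    '"alert":{"signature":"CONSTRUCTED sig A","severity":1}}',
    '<190>Jan 15 10:00:01 pi-ids suricata {"timestamp":"2024-01-15T10:00:01.000000+0000",'
    '"event_type":"alert","src_ip":"10.0.0.42","dest_ip":"203.0.113.9",'
    '"alert":{"signature":"CONSTRUCTED sig B","severity":2}}',
    '{"timestamp":"2024-01-15T10:00:02.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.77","dest_ip":"203.0.113.7",'
    '"alert":{"signature":"CONSTRUCTED sig A","severity":3}}',
    '{"timestamp":"2024-01-15T10:00:03.000000+0000","event_type":"dns","src_ip":"10.0.0.42",'
    '"dest_ip":"1.1.1.1","dns":{"type":"query","rrname":"example.com","rrtype":"A"}}',
    '<190>Jan 15 10:00:04 pi-ids suricata {"timestamp":"2024-01-15T10:00:04.000000+0000",'
    '"event_type":"dns","src_ip":"10.0.0.77","dest_ip":"1.1.1.1",'
    '"dns":{"type":"query","rrname":"example.com","rrtype":"A"}}',
    '{"timestamp":"2024-01-15T10:00:05.000000+0000","event_type":"http","src_ip":"10.0.0.42",'
    '"dest_ip":"203.0.113.7","http":{"hostname":"example.com","http_method":"GET"}}',
    "",
    '{"event_type":"flow","src_ip":"10.0.0.42"',  # truncated line: must be dropped
]


def eve_summary(lines):
    """Parse received lines and compute the dashboard aggregations.

    A line that does not start with "{" is treated as syslog-wrapped and the
    JSON payload is taken from the first brace; Splunk's _json sourcetype does
    not do this, so a non-zero headers_stripped count means the raw template in
    the rsyslog step is not in effect.
    """
    records, headers_stripped, dropped = [], 0, 0
    for raw in lines:
        text = raw.strip()
        if not text:
            continue
        brace = text.find("{")
        if brace < 0:
            dropped += 1
            continue
        if brace > 0:
            headers_stripped += 1
        try:
            records.append(json.loads(text[brace:]))
        except json.JSONDecodeError:
            dropped += 1

    alerts = [r for r in records if r.get("event_type") == "alert"]
    return {
        # Dashboard 1: stats count by event_type
        "by_type": Counter(r.get("event_type", "unknown") for r in records),
        # Dashboard 2: stats count by alert.signature
        "top_alerts": Counter(r["alert"]["signature"] for r in alerts),
        # Dashboard 3: stats count by queried name (dns.rrname assumed)
        "dns_queries": Counter(
            r["dns"]["rrname"] for r in records if r.get("event_type") == "dns"
        ),
        # Dashboard 5: src/dest pairs with severity 1 (high) or 2 (medium) only
        "suspicious": Counter(
            (r["src_ip"], r["dest_ip"], r["alert"]["severity"])
            for r in alerts if r["alert"]["severity"] in (1, 2)
        ),
        "headers_stripped": headers_stripped,
        "dropped": dropped,
    }


if __name__ == "__main__":
    summary = eve_summary(SAMPLE_LINES)
    for key, value in summary.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

To check a live feed instead of the constructed sample, pipe `tail -f /var/log/suricata/eve.json` lines, or lines captured with `nc -l 1514` on the Splunk host before the Splunk input is enabled, into `eve_summary`; `headers_stripped` should stay at zero.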
🔍 Threat Detection Capabilities
The Mini-SOC provides real-time detection for various security events:
Network Protocol Analysis
- DNS: Query logging, tunneling detection, DGA identification
- HTTP/HTTPS: Suspicious user agents, C2 communication patterns
- TLS/SSL: Certificate validation, cipher suite analysis
- SSH: Brute force attempts, unusual authentication patterns
- TCP/UDP: Port scanning, DDoS indicators, unusual flows
Threat Categories Detected
- Malware communication (C2 callbacks, beaconing)
- Exploit attempts and vulnerability scanning
- Data exfiltration patterns
- Lateral movement indicators
- Suspicious IoT device behavior
- Known malicious IPs and domains (ET Open rules)
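Two of the behaviours listed above, DNS tunnelling/DGA-style names and SSH brute force, checked with simple heuristics over EVE records. This is an added example, not code from the project or from Suricata; it assumes EVE's `dns.rrname` and `ssh` event fields, and the thresholds (label length, entropy, sessions per minute) are constructed starting points to tune against a real network's baseline. Signature-based ET Open rules cover known indicators; heuristics like these are for the unknown-domain and unknown-source cases the rules cannot name.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

EVE_TS = "%Y-%m-%dT%H:%M:%S.%f%z"  # Suricata EVE timestamp layout, e.g. ...+0000


def parse_ts(ts):
    return datetime.strptime(ts, EVE_TS)


def shannon_entropy(text):
    """Bits per character; random-looking labels score close to log2(len)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def dns_findings(records, max_label=24, min_entropy=3.5, min_len=16):
    """Flag query names with an over-long or high-entropy label.

    Long labels are the usual sign of data carried in subdomains (tunnelling);
    a high-entropy label of ordinary length looks algorithmically generated.
    Returns (src_ip, name, reason) per flagged query.
    """
    findings = []
    for r in records:
        if r.get("event_type") != "dns" or r.get("dns", {}).get("type") != "query":
            continue
        name = r["dns"]["rrname"].rstrip(".")
        for label in name.split(".")[:-1]:  # skip the TLD
            if len(label) > max_label:
                findings.append((r["src_ip"], name, "long-label"))
                break
            if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
                findings.append((r["src_ip"], name, "high-entropy"))
                break
    return findings


def ssh_bruteforce(records, threshold=5, window_s=60):
    """Flag (src, dest) pairs with >= threshold SSH sessions in any window_s.

    EVE emits one ssh event per session once both banners are seen, so a burst
    of sessions from one source is the visible footprint of password guessing.
    Returns (src_ip, dest_ip, max_sessions_in_window) per flagged pair.
    """
    sessions = defaultdict(list)
    for r in records:
        if r.get("event_type") == "ssh":
            sessions[(r["src_ip"], r["dest_ip"])].append(parse_ts(r["timestamp"]))
    findings = []
    for (src, dst), times in sessions.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):  # sliding window over sorted timestamps
            while (times[i] - times[j]).total_seconds() > window_s:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            findings.append((src, dst, best))
    return findings


# Constructed sample records (not captured traffic).
BASE = datetime(2024, 1, 15, 10, 0, 0, tzinfo=timezone.utc)


def _ts(offset_s):
    return (BASE + timedelta(seconds=offset_s)).strftime(EVE_TS)


def _dns(src, name, offset_s):
    return {"timestamp": _ts(offset_s), "event_type": "dns", "src_ip": src,
            "dest_ip": "1.1.1.1", "dns": {"type": "query", "rrname": name, "rrtype": "A"}}


def _ssh(src, offset_s):
    return {"timestamp": _ts(offset_s), "event_type": "ssh", "src_ip": src,
            "dest_ip": "10.0.0.153", "dest_port": 22,
            "ssh": {"client": {"software_version": "constructed-client"}}}


SAMPLE_RECORDS = (
    [_dns("10.0.0.42", "www.example.org", 0),
     _dns("10.0.0.42", "example.com", 1),
     _dns("10.0.0.88", "a3f9c2e8b1d7e6f4a2c9b8d7e6f5a4b3.example.net", 2),
     _dns("10.0.0.88", "qzxkvbnmplwrtyuo.example.com", 3)]
    + [_ssh("10.0.0.42", 5 * i) for i in range(6)]      # six sessions in 25 s
    + [_ssh("10.0.0.77", 0), _ssh("10.0.0.77", 3600)]   # two sessions an hour apart
)

if __name__ == "__main__":
    print("dns:", dns_findings(SAMPLE_RECORDS))
    print("ssh:", ssh_bruteforce(SAMPLE_RECORDS))
```

Both functions take the list of dicts that `json.loads` gives for each eve.json line, so they can be run over a day's file from the Pi; the same logic expressed in SPL (`len()` and a per-source `bin _time span=1m` count) makes a sixth dashboard panel.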
📊 Results and Capabilities
- ✅ Real-time network traffic monitoring across all devices
- ✅ Automated threat detection using 30,000+ ET Open rules
- ✅ Centralized log collection with 500MB+ daily ingestion
- ✅ Custom dashboards for traffic analysis by protocol
- ✅ Alert visualization with severity classification
- ✅ DNS query logging and analysis for IoT devices
- ✅ Suspicious flow detection and anomaly identification
- ✅ Full-packet capture capability for forensic analysis
Key Metrics Tracked
| Metric | Value |
|---|---|
| Protocols | 15+ types |
| Devices Monitored | All network endpoints |
| False Positives | Tuned |
| Severity Levels | 1-3 |
| Packet Loss | < 0.1% |
| CPU Usage | 30-50% |
| Index Size | ~15GB |
| Compression | Enabled |
📸 Project Screenshots
Visual documentation of the Mini-SOC implementation (IPs masked for privacy):