6-Part Tutorial Series

    Threat Intelligence Platform Stack Mastery

    Deception, network detection, threat intelligence management, and SIEM with automated response — six VPS, one cohesive SecOps stack, fully self-hosted on RamNode.

    Multi-VPS, defense in depth
    ~7 hours total
    6 parts

    What You'll Build

    Deception Zone

    • T-Pot 24.04 with the full honeypot suite
    • Beelzebub LLM-driven SSH, HTTP, and MCP honeypots
    • Realistic attacker telemetry from day one
    • Webhook alerting, never email

    Detection Zone

    • Suricata signature IDS with ET Open + custom rules
    • Zeek behavioural logging with JA3/JA4
    • AF_PACKET tuning sized for VPS workers
    • MISP-driven Zeek intelligence framework

    Intelligence Zone

    • MISP via Docker Compose
    • CIRCL, abuse.ch, OTX, ET feeds
    • PyMISP ingestion from honeypot captures
    • Suricata, Zeek, and Wazuh CDB exports

    Operations Zone

    • Wazuh manager, indexer, dashboard
    • Custom decoders for honeypot and IDS logs
    • Active response and webhook integrations
    • End-to-end automation pipeline

    Prerequisites

    • Comfort with Ubuntu 24.04 LTS server administration and systemd
    • Docker and Docker Compose familiarity
    • TCP/IP networking, including WireGuard or other VPN mesh concepts
    • Basic understanding of TLS, reverse proxies (Caddy or Nginx), and DNS
    • Familiarity with security operations terminology (IOC, TTP, MITRE ATT&CK, SIEM, IDS)
    • Comfort reading and modifying YAML, JSON, and Python

    Recommended Bill of Materials (5 VPS)

    Host                    Plan
    T-Pot host              Premium 16 GB / 200 GB
    Wazuh manager           Premium 16 GB / 200 GB
    MISP host               Standard 8 GB / 100 GB
    Suricata + Zeek         Standard 4 GB / 80 GB
    Beelzebub               Standard 2 GB / 40 GB
    Management / bastion    Standard 2 GB / 40 GB