Threat Intelligence Platform Series
    Part 4 of 6

    Network Detection with Suricata and Zeek

    Signature-based IDS and behavioural network analysis on a VPS — without SPAN ports — with feeds from the deception zone and any monitored production assets.

    Standard 4 GB / 80 GB

    Prerequisites: Parts 1–3; detection VPS in the mesh
    Time: ~80 minutes
    Outcome: Suricata + Zeek correlating honeypot and production traffic

    Suricata vs Zeek

    Suricata fires alerts when packets match signatures. Zeek logs structured behavioural records regardless of whether anything was malicious. They answer different questions: "did anything known-bad happen?" versus "what actually happened on the wire?" Production stacks run both because each catches what the other misses.

    Traffic Acquisition in a VPS Environment

    VPS hosting offers no SPAN ports. Three workable patterns:

    • Inline gateway — protected hosts route through a small VPS that sees all traffic. Highest fidelity, adds latency.
    • WireGuard tap — mirror traffic over a dedicated WireGuard tunnel from each monitored host to the detection zone using tc mirroring.
    • Honeypot egress mirror — iptables -j TEE --gateway 10.88.0.20 on T-Pot duplicates outbound traffic to the detection VPS.

    Detection Zone Preparation

    /etc/sysctl.d/99-detection.conf
    net.core.rmem_max = 268435456
    net.core.netdev_max_backlog = 250000
    net.ipv4.tcp_rmem = 4096 87380 134217728
    vm.nr_hugepages = 256

    Increase the NIC ring buffer where supported: ethtool -G eth0 rx 4096.

    Suricata from the OISF PPA

    add-apt-repository ppa:oisf/suricata-stable
    apt update && apt install -y suricata suricata-update jq
    suricata-update enable-source et/open
    suricata-update
    /etc/suricata/suricata.yaml
    af-packet:
      - interface: eth0
        cluster-id: 99
        cluster-type: cluster_flow
        defrag: yes
        threads: auto
    outputs:
      - eve-log:
          enabled: yes
          filetype: regular
          filename: /var/log/suricata/eve.json
          types:
            - alert
            - http
            - dns
            - tls
            - flow
            - anomaly

    Ruleset Management

    • ET Open — free, broad coverage, the default starting point.
    • ET Pro — paid, higher-fidelity ransomware and APT signatures.
    • Custom local rules — at /etc/suricata/rules/local.rules; these come into their own once MISP exports IOCs in Part 5. suricata-update only merges this file if you tell it to: pass --local /etc/suricata/rules/local.rules, or list the path under local: in /etc/suricata/update.yaml.

    Schedule suricata-update nightly; reload with suricatasc -c reload-rules rather than restarting.

    Output, Alert Tuning, and Thresholds

    EVE JSON is the canonical output. Use thresholds to rate-limit noisy signatures rather than disabling them outright. A suppress entry that tracks by_src must also name an ip or address variable, so for "too chatty" rules a plain rate limit is the better first step:

    /etc/suricata/threshold.config
    # sid 2013505: alert at most once per source per minute instead of on every match
    threshold gen_id 1, sig_id 2013505, type limit, track by_src, count 1, seconds 60
    # sid 2100366: alert once per source per minute, and only after 5 matches in that minute
    threshold gen_id 1, sig_id 2100366, type both, track by_src, count 5, seconds 60
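Deciding which signatures deserve a threshold is easier when you measure them from EVE JSON rather than guess. The script below is an added example for this article, not Suricata's own tooling: it reads alert records, finds the peak per-source rate of each signature in any one-minute bucket, and drafts threshold.config lines for those above an assumed local limit (MAX_PER_MIN). The EVE records are constructed; in practice you would read /var/log/suricata/eve.json line by line.

```python
"""Find noisy Suricata signatures in EVE JSON and draft threshold.config lines.

Added example for this article, not Suricata's own tooling. The EVE records
below are constructed; MAX_PER_MIN is an assumed local policy, not a Suricata
default.
"""
import json
from collections import defaultdict
from datetime import datetime

MAX_PER_MIN = 5  # assumed: more than this per source per minute counts as "noisy"


def _eve(ts, sid, src, event_type="alert"):
    """Build one constructed EVE record with just the fields this script reads."""
    rec = {"timestamp": ts, "event_type": event_type, "src_ip": src,
           "dest_ip": "203.0.113.5", "proto": "TCP"}
    if event_type == "alert":
        rec["alert"] = {"gid": 1, "signature_id": sid, "signature": f"sample sid {sid}"}
    return json.dumps(rec)


# Constructed sample: 8 hits of sid 2013505 from one host inside a minute,
# 3 hits of sid 2100366, one single hit, one non-alert record and one torn line.
SAMPLE_EVE = "\n".join(
    [_eve(f"2024-05-01T10:00:{5 * i:02d}.000000+0000", 2013505, "10.88.0.11") for i in range(8)]
    + [_eve(f"2024-05-01T10:01:{10 * i:02d}.000000+0000", 2100366, "10.88.0.12") for i in range(3)]
    + [_eve("2024-05-01T10:05:03.000000+0000", 2024897, "198.51.100.7")]
    + [_eve("2024-05-01T10:05:03.000000+0000", 0, "198.51.100.7", event_type="http")]
    + ["{not json"]
)


def parse_alerts(text):
    """Return alert records from EVE JSON text, skipping other types and bad lines."""
    out = []
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # eve.json can end in a partial line while Suricata is still writing
        if rec.get("event_type") != "alert":
            continue
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        out.append({"ts": ts, "gid": rec["alert"]["gid"],
                    "sid": rec["alert"]["signature_id"], "src_ip": rec["src_ip"]})
    return out


def peak_rate_per_minute(alerts):
    """Map (gid, sid, src_ip) -> highest count seen in any single one-minute bucket."""
    buckets = defaultdict(int)
    for a in alerts:
        minute = a["ts"].replace(second=0, microsecond=0)
        buckets[(a["gid"], a["sid"], a["src_ip"], minute)] += 1
    peak = defaultdict(int)
    for (gid, sid, src, _minute), n in buckets.items():
        peak[(gid, sid, src)] = max(peak[(gid, sid, src)], n)
    return dict(peak)


def suggest_thresholds(alerts, max_per_min=MAX_PER_MIN):
    """Draft 'type limit' entries that keep the first alert per source per minute."""
    noisy = sorted({(gid, sid) for (gid, sid, _src), n in
                    peak_rate_per_minute(alerts).items() if n > max_per_min})
    return [f"threshold gen_id {gid}, sig_id {sid}, type limit, track by_src, count 1, seconds 60"
            for gid, sid in noisy]


if __name__ == "__main__":
    for line in suggest_thresholds(parse_alerts(SAMPLE_EVE)):
        print(line)
```

Review the drafted lines before appending them to threshold.config: a signature that is noisy only from one honeypot source may deserve a suppress with an explicit ip rather than a global limit.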

    Zeek Install

    curl -fsSL https://download.opensuse.org/repositories/security:zeek/xUbuntu_24.04/Release.key \
      | gpg --dearmor -o /etc/apt/keyrings/zeek.gpg
    echo 'deb [signed-by=/etc/apt/keyrings/zeek.gpg] http://download.opensuse.org/repositories/security:/zeek/xUbuntu_24.04/ /' \
      > /etc/apt/sources.list.d/zeek.list
    apt update && apt install -y zeek
    echo 'export PATH=/opt/zeek/bin:$PATH' >> /etc/profile.d/zeek.sh

    Configure /opt/zeek/etc/node.cfg with one worker per CPU core (lb_procs and pin_cpus under the worker section), then run zeekctl deploy.

    Useful Zeek Packages via zkg

    zkg install salesforce/ja3
    zkg install foxio/ja4
    zkg install corelight/zeek-spicy-ldap
    zkg install zeek/intel-ext

    JA3 and JA4 hash TLS handshakes for client fingerprinting; combined with MISP-supplied lists they catch malware families regardless of IP rotation. Run zkg autoconfig once and add @load packages to /opt/zeek/share/zeek/site/local.zeek so installed packages are actually loaded.

    Zeek Intelligence Framework

    Zeek's intel framework consumes a tab-separated file of indicators and writes intel.log entries on hits. We will write that file from MISP in Part 5; for now create the loader stub, add @load intel-load to local.zeek and redeploy. The framework re-reads the file whenever it changes, so later exports need no restart:

    /opt/zeek/share/zeek/site/intel-load.zeek
    @load frameworks/intel/seen
    @load frameworks/intel/do_notice
    redef Intel::read_files += { "/opt/zeek/intel/misp.intel" };
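The file the stub loads has a fixed shape: a #fields header naming the columns, then one tab-separated row per indicator, with indicator_type drawn from the Intel::Type enum and meta.do_notice as T or F. The code below is an added example, not part of the article or of Zeek, that renders and validates such a file and writes it atomically so Zeek never re-reads a half-written copy. The indicators and the meta.source value are constructed placeholders standing in for what MISP will export in Part 5; the destination path is the article's /opt/zeek/intel/misp.intel.

```python
"""Write and validate a Zeek Intelligence Framework indicator file.

Added example, not part of the article or of Zeek. Indicators are constructed
placeholders; Part 5 will produce them from MISP.
"""
import os
import tempfile

FIELDS = ["indicator", "indicator_type", "meta.source", "meta.desc", "meta.do_notice"]
# Intel::Type values the framework accepts.
INTEL_TYPES = {
    "Intel::ADDR", "Intel::SUBNET", "Intel::URL", "Intel::SOFTWARE", "Intel::EMAIL",
    "Intel::DOMAIN", "Intel::USER_NAME", "Intel::CERT_HASH", "Intel::PUBKEY_HASH",
    "Intel::FILE_HASH", "Intel::FILE_NAME",
}

# Constructed sample indicators: (indicator, type, source, description, do_notice).
SAMPLE_INDICATORS = [
    ("198.51.100.7", "Intel::ADDR", "misp-placeholder", "scanner seen on T-Pot", True),
    ("bad.example", "Intel::DOMAIN", "misp-placeholder", "C2 domain", True),
    ("bad.example/dl/payload.bin", "Intel::URL", "misp-placeholder", "payload URL", False),
]


def validate(indicator, itype, source, desc):
    """Reject rows Zeek would misparse: unknown type, stray separators, URL with scheme."""
    if itype not in INTEL_TYPES:
        raise ValueError(f"unknown indicator_type {itype!r}")
    for v in (indicator, source, desc):
        if not v or "\t" in v or "\n" in v:
            raise ValueError(f"field {v!r} is empty or contains a separator")
    if itype == "Intel::URL" and "://" in indicator:
        raise ValueError("Intel::URL indicators are matched without the scheme")


def render_intel(indicators):
    """Return the file body: '#fields' header, then one tab-separated row per indicator."""
    lines = ["#fields\t" + "\t".join(FIELDS)]
    for indicator, itype, source, desc, notice in indicators:
        validate(indicator, itype, source, desc)
        lines.append("\t".join([indicator, itype, source, desc, "T" if notice else "F"]))
    return "\n".join(lines) + "\n"


def write_intel(path, indicators):
    """Write atomically: temp file in the target directory, then rename over the target."""
    body = render_intel(indicators)
    directory = os.path.dirname(path) or "."
    os.makedirs(directory, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".intel-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(body)
        os.chmod(tmp, 0o644)  # mkstemp creates 0600; the zeek user must be able to read it
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return path


def parse_intel(text):
    """Read an intel file back into dicts keyed by the header's field names."""
    rows, fields = [], None
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("data row before #fields header")
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def demo_write():
    """Write the sample to a temporary directory and return (path, contents read back)."""
    path = write_intel(os.path.join(tempfile.mkdtemp(), "misp.intel"), SAMPLE_INDICATORS)
    with open(path) as fh:
        return path, fh.read()


if __name__ == "__main__":
    print(render_intel(SAMPLE_INDICATORS), end="")
```

The atomic rename matters because the stub above loads the file in re-read mode: a writer that truncates and rewrites in place can hand Zeek an empty or partial table for a moment, silently dropping hits.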

    Performance Tuning for VPS-Class Hardware

    • Pin Suricata workers and Zeek workers to disjoint CPU sets (taskset, or Suricata's cpu-affinity and Zeek's pin_cpus).
    • Use af-packet with cluster_flow so each flow stays sticky to one worker.
    • Restrict Zeek's capture filter (BPF) to the ports of interest if traffic outpaces the CPU.
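Both the node.cfg step above and the pinning advice come down to one decision: which cores each engine owns. The code below is an added example, not from the article or either project, that plans disjoint CPU sets and renders the matching Zeek node.cfg and Suricata threading block. Its assumptions: CPU 0 is left to the OS, Zeek's manager/logger/proxy and Suricata's management threads; the remaining cores are split with Suricata taking the larger half; Zeek uses its bundled af_packet packet source with the default fanout id, which must not collide with Suricata's cluster-id 99.

```python
"""Split CPUs between Suricata and Zeek and render the matching config snippets.

Added example, not from the article, Suricata or Zeek. CPU 0 is reserved and
the split rule (Suricata gets the larger half) is an assumption.
"""
import math


def plan_cpu_split(ncpu):
    """Return (suricata_cpus, zeek_cpus): disjoint, each non-empty, CPU 0 reserved."""
    if ncpu < 3:
        raise ValueError("need at least 3 CPUs: one reserved plus one per engine")
    workers = list(range(1, ncpu))
    cut = math.ceil(len(workers) / 2)
    return workers[:cut], workers[cut:]


def render_node_cfg(iface, zeek_cpus):
    """Zeek node.cfg with one pinned worker process per CPU in zeek_cpus."""
    if not zeek_cpus:
        raise ValueError("zeek_cpus must not be empty")
    return "\n".join([
        "[logger]", "type=logger", "host=localhost", "",
        "[manager]", "type=manager", "host=localhost", "",
        "[proxy-1]", "type=proxy", "host=localhost", "",
        "[worker-1]", "type=worker", "host=localhost", f"interface={iface}",
        "lb_method=af_packet",              # assumes Zeek's bundled af_packet source
        f"lb_procs={len(zeek_cpus)}",       # one worker process per core
        "pin_cpus=" + ",".join(str(c) for c in zeek_cpus), "",
    ])


def render_suricata_affinity(suricata_cpus):
    """Suricata 'threading' block pinning workers exclusively to suricata_cpus."""
    cpus = ", ".join(f'"{c}"' for c in suricata_cpus)
    return "\n".join([
        "threading:",
        "  set-cpu-affinity: yes",
        "  cpu-affinity:",
        "    - management-cpu-set:",
        '        cpu: [ "0" ]',
        "    - worker-cpu-set:",
        f"        cpu: [ {cpus} ]",
        '        mode: "exclusive"',
        "",
    ])


def taskset_masks(suricata_cpus, zeek_cpus):
    """Hex affinity masks for 'taskset -p <mask> <pid>' on already-running processes."""
    def mask(cpus):
        return hex(sum(1 << c for c in cpus))
    return mask(suricata_cpus), mask(zeek_cpus)


if __name__ == "__main__":
    import os
    suricata, zeek = plan_cpu_split(os.cpu_count() or 4)
    print(render_node_cfg("eth0", zeek))
    print(render_suricata_affinity(suricata))
    print("taskset masks (suricata, zeek):", taskset_masks(suricata, zeek))
```

On the 4 GB plan used in this series, plan_cpu_split(4) leaves Zeek a single worker; if Zeek is the engine under more load, swap which side takes the larger half.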

    Shipping Suricata and Zeek Logs to the Operations Zone

    Filebeat is the cleanest path for both engines. Switch Zeek to JSON logs first (add @load policy/tuning/json-logs to local.zeek and redeploy); its default output is tab-separated, which would ship as unstructured lines. With both engines writing NDJSON, one parser configuration serves both inputs:

    /etc/filebeat/filebeat.yml
    filebeat.inputs:
      - type: filestream
        id: suricata-eve
        paths: [/var/log/suricata/eve.json]
        parsers: [{ ndjson: { target: "", overwrite_keys: true } }]
      - type: filestream
        id: zeek-logs
        paths: [/opt/zeek/logs/current/*.log]
        parsers: [{ ndjson: { target: "", overwrite_keys: true } }]
    output.logstash:
      hosts: ["10.88.0.40:5044"]

    Validation: Generating Known-Bad Traffic

    From a throwaway VPS, run curl http://testmynids.org/uid/index.html through the inline gateway. Suricata should fire ET TROJAN signature 2024897; Zeek's http.log should record the request. If both show up, you are ready for Part 5.
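The two checks above are independent; the outcome this part promises is the two engines correlated. The code below is an added example, not from the article or either project, that joins a Suricata EVE alert to the Zeek http.log record of the same connection by 5-tuple and a small time window (5 s, an assumption). Both inputs are constructed to mimic the testmynids.org request: an EVE alert for sid 2024897 and a Zeek http.log in its default TSV form, with the uid value made up. Real inputs would be /var/log/suricata/eve.json and /opt/zeek/logs/current/http.log; if you enable community-id in both engines, that single field replaces the 5-tuple join.

```python
"""Correlate a Suricata EVE alert with Zeek http.log by 5-tuple and time.

Added example, not from the article, Suricata or Zeek. Inputs are constructed.
"""
import json
from datetime import datetime

EVE_SAMPLE = json.dumps({
    "timestamp": "2024-05-01T10:05:03.000000+0000", "event_type": "alert",
    "src_ip": "198.51.100.7", "src_port": 51234, "dest_ip": "203.0.113.9",
    "dest_port": 80, "proto": "TCP",
    "alert": {"gid": 1, "signature_id": 2024897, "signature": "ET TROJAN sample"},
})

# Zeek's default ASCII log: '#'-prefixed header lines, tab-separated rows, '-' = unset.
ZEEK_HTTP_SAMPLE = "\n".join([
    "#separator \\x09",
    "#set_separator\t,", "#empty_field\t(empty)", "#unset_field\t-", "#path\thttp",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring",
    "1714557903.210000\tCabc1\t198.51.100.7\t51234\t203.0.113.9\t80\tGET\ttestmynids.org\t/uid/index.html",
    "1714557904.500000\tCdef2\t10.88.0.11\t40000\t203.0.113.9\t80\tGET\tupdates.example\t-",
    "#close\t2024-05-01-10-10-00",
])


def parse_zeek_tsv(text):
    """Parse a Zeek ASCII log into dicts keyed by the #fields header; unset -> None."""
    fields, unset, rows = None, "-", []
    for line in text.splitlines():
        if line.startswith("#"):
            key, _, val = line.partition("\t")
            if key == "#fields":
                fields = val.split("\t")
            elif key == "#unset_field":
                unset = val
            continue
        if not line:
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        vals = line.split("\t")
        if len(vals) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(vals)}")
        rows.append({f: (None if v == unset else v) for f, v in zip(fields, vals)})
    return rows


def parse_eve_alerts(text):
    """Return EVE alerts as dicts with an epoch timestamp and a 5-tuple key."""
    out = []
    for line in text.splitlines():
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z").timestamp()
        out.append({"ts": ts, "sid": rec["alert"]["signature_id"],
                    "tuple": (rec["src_ip"], rec["src_port"], rec["dest_ip"], rec["dest_port"])})
    return out


def zeek_tuple(row):
    """5-tuple key from a Zeek conn-style row (orig = client, resp = server)."""
    return (row["id.orig_h"], int(row["id.orig_p"]), row["id.resp_h"], int(row["id.resp_p"]))


def correlate(alerts, http_rows, window_s=5.0):
    """Pair each alert with http.log rows on the same 5-tuple within window_s seconds."""
    matches = []
    for a in alerts:
        for r in http_rows:
            if zeek_tuple(r) == a["tuple"] and abs(float(r["ts"]) - a["ts"]) <= window_s:
                matches.append({"sid": a["sid"], "uid": r["uid"],
                                "host": r["host"], "uri": r["uri"]})
    return matches


if __name__ == "__main__":
    for m in correlate(parse_eve_alerts(EVE_SAMPLE), parse_zeek_tsv(ZEEK_HTTP_SAMPLE)):
        print(f"sid {m['sid']} <-> zeek uid {m['uid']}: {m['host']}{m['uri']}")
```

The Zeek uid is the handle you want downstream: once the match is made, the same uid indexes conn.log, files.log and any intel.log hit for that connection, which is what Part 5 will lean on.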