This project demonstrates end-to-end detection of a multi-stage cyber attack using the Suricata Intrusion Detection System (IDS).
A controlled lab environment was built to simulate a real-world attack scenario. The attack chain included:
- 🔍 Network reconnaissance (Nmap scanning)
- 🔎 Service enumeration
- 💣 Exploitation of a vulnerable FTP service (vsftpd 2.3.4)
- 🖥 Post-exploitation shell access
- 📊 Log analysis and attack reconstruction using Suricata
The primary objective was to detect, log, and correlate each stage of the attack using Suricata alerts.
- Configure and deploy Suricata IDS in a virtual lab
- Simulate a complete attack chain from reconnaissance to compromise
- Capture and analyze IDS logs
- Reconstruct the attack timeline
- Map attack behavior to MITRE ATT&CK techniques
The lab consisted of three virtual machines connected via a NAT network:
| Machine | Role | IP Address |
|---|---|---|
| Kali Linux | Attacker | 192.168.84.137 |
| Metasploitable 2 | Victim | 192.168.84.136 |
| Ubuntu | Suricata IDS Sensor | 192.168.84.135 |
Attacker (Kali) → Victim (Metasploitable)
Suricata monitored network traffic and generated alerts.
The attacker performed a TCP SYN scan:
```bash
nmap -sS -A 192.168.84.136
```
✅ Suricata detected:
- TCP SYN scan behavior
- Multiple port access attempts
- Nmap scanning signatures
Open services discovered included:
- FTP (vsftpd 2.3.4)
- SSH
- Telnet
- Apache Web Server
The FTP service was identified as vulnerable.
Metasploit module used:
```
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOST 192.168.84.136
exploit
```
✅ Result:
- Backdoor triggered
- Root shell access obtained
Commands executed:
```bash
whoami
uname -a
```
Confirmed root-level access on the victim system.
Suricata generated logs in:
```
/var/log/suricata/fast.log
/var/log/suricata/eve.json
```
Notable alerts observed:
- ET SCAN Nmap Scripting Engine User-Agent Detected
- ET SCAN Potential Nmap Scan
- FTP service activity alerts
- TCP SYN scan detection alerts
Log analysis was performed using:
- grep
- jq
- cat
Each alert was correlated with the corresponding attack stage to reconstruct the complete attack timeline.
| Attack Stage | Technique | ID |
|---|---|---|
| Port Scanning | Network Service Discovery | T1046 |
| Exploitation | Exploit Public-Facing Application | T1190 |
| Command Execution | Command Shell | T1059 |
| Initial Access | External Remote Services | T1133 |
This demonstrates alignment with real-world adversary behaviors.
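As an added example (not part of the original project), the correlation step in Python: it reads constructed eve.json records, keeps only alert events, tags each one with the attack stage and ATT&CK ID from the table above, and orders them into a timeline. The matching rules (an ET SCAN signature prefix for scanning, destination port 21 for the FTP exploitation) and the FTP signature name are assumptions made for this example.

```python
import json
from datetime import datetime

# Constructed eve.json records for the lab hosts (not captured output); the FTP signature
# name is made up for illustration, the two ET SCAN names are the ones listed in the README.
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2024-03-01T12:00:01.000000+0000","event_type":"alert","src_ip":"192.168.84.137",'
    '"dest_ip":"192.168.84.136","dest_port":80,"proto":"TCP","alert":{"signature":"ET SCAN Potential Nmap Scan"}}',
    '{"timestamp":"2024-03-01T12:00:03.000000+0000","event_type":"flow","src_ip":"192.168.84.137",'
    '"dest_ip":"192.168.84.136","dest_port":22,"proto":"TCP"}',
    '{"timestamp":"2024-03-01T12:00:02.000000+0000","event_type":"alert","src_ip":"192.168.84.137",'
    '"dest_ip":"192.168.84.136","dest_port":80,"proto":"TCP","alert":{"signature":"ET SCAN Nmap Scripting Engine User-Agent Detected"}}',
    '{"timestamp":"2024-03-01T12:05:10.000000+0000","event_type":"alert","src_ip":"192.168.84.137",'
    '"dest_ip":"192.168.84.136","dest_port":21,"proto":"TCP","alert":{"signature":"LAB FTP vsftpd backdoor attempt (constructed)"}}',
    'not json at all',  # a truncated/corrupt line, as seen when tailing a live log
])

def parse_alerts(text):
    """Return only event_type == "alert" records; skip flow/stats events and unparsable lines."""
    alerts = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") == "alert":
            alerts.append(ev)
    return alerts

def classify(ev):
    """Map an alert to (attack stage, ATT&CK ID) per the README table; the match rules are assumptions."""
    sig = ev["alert"]["signature"]
    if sig.startswith("ET SCAN"):
        return "Port Scanning", "T1046"
    if ev.get("dest_port") == 21:          # anything flagged against the vsftpd service
        return "Exploitation", "T1190"
    return "Unmapped", "-"

def build_timeline(text):
    """Sort alerts by timestamp (eve.json order is not guaranteed) and tag each with its stage."""
    rows = []
    for ev in parse_alerts(text):
        ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        stage, tid = classify(ev)
        rows.append((ts, ev["src_ip"], ev["dest_ip"], ev.get("dest_port"), stage, tid, ev["alert"]["signature"]))
    rows.sort(key=lambda r: r[0])
    return rows

if __name__ == "__main__":
    for ts, src, dst, port, stage, tid, sig in build_timeline(SAMPLE_EVE):
        print(f"{ts:%H:%M:%S} {src} -> {dst}:{port} [{stage} / {tid}] {sig}")
```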
- Suricata successfully detected reconnaissance and exploitation activity.
- Clear correlation between scanning activity and exploitation attempt.
- Structured logs (eve.json) enabled effective attack reconstruction.
- IDS signatures were effective against known vulnerabilities.
Tools used:
- Suricata IDS
- Kali Linux
- Metasploit Framework
- Metasploitable 2
- Nmap
- Linux CLI tools (grep, jq)
- VirtualBox / VMware
Skills demonstrated:
- Hands-on IDS deployment and configuration
- Real-time traffic monitoring
- Multi-stage attack detection
- Log analysis and incident reconstruction
- Understanding attacker methodology
- Applying MITRE ATT&CK framework
This project demonstrates practical knowledge of:
- Intrusion Detection Systems
- Network traffic analysis
- Attack simulation
- Security monitoring and threat detection
The lab successfully captured and reconstructed a full attack chain, showcasing fundamental Blue Team and SOC-level skills.
This project was conducted in a controlled lab environment for educational and research purposes only.