Set up Suricata in IDS mode (and in IPS mode if needed) to protect a simulated industrial network.
```
+-----+     +-----+     +-----+
|  A  |     |  B  |     |  U  |
+-----+     +-----+     +-----+
      \       /            /
       \     /------------
        \   /
       +-----+     +-----+
       |  S  | --------- |  M  |
       +-----+     +-----+
          ⇅           /
   .~~~~~~~~~~~.     /
 .~~ INTERNET ~~.
 '~~~~~~~~~~~~~~~~~~~'
```
S is the main router; Suricata runs on it and inspects the forwarded packets for potential threats. The ruleset is defined in custom.rules. To load it, uncomment the "suricata-update" line in start.sh.
- Build and start the services:

```
make
```

Alternatively, you can use Docker Compose directly:

```
docker-compose up -d --build
```
- Access the GUI: it is served at http://localhost:3000
The scripts to run from the malicious container (M) are in the scripts/ folder. They make requests to the internal network so that Suricata on S sees the traffic. U is an unauthorized host; its requests are flagged by the current rules.
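To make concrete what "flagged by the current rules" means for the router S, here is an added illustration of rules written for this topology. It is not the project's custom.rules. $HOME_NET is Suricata's standard address variable and is assumed to cover A and B; $UNAUTHORIZED_HOST is a hypothetical address group you would define under vars.address-groups in suricata.yaml with U's address; port 502 (Modbus/TCP) is assumed as the industrial protocol the internal hosts speak; the sid values are in the range above 1000000 left free for local rules.

```suricata
# Example rules for the lab topology. Added illustration, not the project's custom.rules.
# Assumed: $HOME_NET covers A and B; $UNAUTHORIZED_HOST is a hypothetical address group
# holding U's IP address, defined in suricata.yaml under vars.address-groups.

# Any packet from the unauthorized host U into the internal network raises an alert.
alert ip $UNAUTHORIZED_HOST any -> $HOME_NET any (msg:"LAB Unauthorized host U reaching internal network"; classtype:policy-violation; sid:1000001; rev:1;)

# A Modbus/TCP session (port 502, assumed) opened from anywhere outside the internal network,
# which also covers traffic from M. flow:to_server,established fires once per session
# instead of once per packet.
alert tcp !$HOME_NET any -> $HOME_NET 502 (msg:"LAB Modbus/TCP session from outside the internal network"; flow:to_server,established; classtype:attempted-recon; sid:1000002; rev:1;)

# Same match, but blocked. A drop action only takes effect when Suricata runs inline (IPS mode);
# in IDS mode the rule still produces an alert but cannot stop the packet.
drop tcp !$HOME_NET any -> $HOME_NET 502 (msg:"LAB Modbus/TCP from outside the internal network blocked"; flow:to_server,established; classtype:attempted-recon; sid:1000003; rev:1;)
```

Before starting the stack, check that the rules parse: `suricata -T -c /etc/suricata/suricata.yaml -S custom.rules` loads only that rule file and exits with a non-zero status on a syntax error, which is cheaper than discovering a broken rule from an empty dashboard. Keep sid values unique across the file; Suricata refuses to load a file with duplicate sids.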
The GUI is accessible at http://localhost:3000 and reads its data from Elasticsearch. To create the dashboard:
- Add a new connection to the Elasticsearch origin http://elasticsearch:9200. The hostname is the Compose service name, which resolves from inside the GUI container; localhost:9200 would not reach Elasticsearch from there.
- Create the dashboard from that connection.
This project is licensed under the GNU Affero General Public License v3.0 - see the LICENSE file for details.