This lab guides you through deploying Suricata on a Linux sensor, configuring it to monitor a SPAN port, and writing a custom rule to detect and alert on Nmap SYN scans targeting your network.
The sensor's monitoring interface must be configured without an IP address and set to promiscuous mode so it can capture all traffic passing through the SPAN port.
💡 Pro-tip: Use ethtool -K eth1 gro off lro off to disable hardware offloading on the capture interface. Offloading can combine packets, confusing the IDS reassembly engine.
This ensures the NIC passes every frame to the CPU, allowing Suricata to analyze the raw network traffic stream.
Create a custom rule that triggers when it detects a high volume of SYN packets without corresponding ACKs, a hallmark of a port scan.
⚠️ When testing rules, use a PCAP replay tool like tcpreplay rather than scanning your live production network, which could trigger automated blocking mechanisms or disrupt services.
| Component | Config File | Action |
|---|---|---|
| Interface | suricata.yaml | Set promiscuous: yes |
| Rules | custom.rules | Add scan detection rule |
| Logging | eve.json | Monitor alerts |
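The steps above, tied together as an added shell example (not part of the original lab): it prepares the capture interface, emits the SYN-scan rule for custom.rules, and counts the alerts that rule produced in eve.json. The interface name eth1, the sid 1000001, the thresholds (20 lone SYNs from one source in 60 seconds) and the eve.json lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example; assumes eth1 is the SPAN-connected sensor interface.
set -eu

SCAN_SID=1000001

# Sensor NIC: no IP address, promiscuous, offloading off (see the pro-tip).
prepare_iface() {
    iface="${1:-eth1}"
    ip addr flush dev "$iface"
    ip link set "$iface" promisc on up
    ethtool -K "$iface" gro off lro off
}

# The detection rule. flags:S,12 matches packets with only SYN set (the two
# reserved bits are ignored); flow:stateless lets it fire even though no
# session is ever completed; the threshold raises one alert per source once
# 20 such SYNs are seen within 60 seconds, rather than one alert per packet.
scan_rule() {
    printf '%s\n' "alert tcp any any -> \$HOME_NET any (msg:\"LAB Possible Nmap SYN scan\"; flags:S,12; flow:stateless; threshold: type both, track by_src, count 20, seconds 60; classtype:attempted-recon; sid:${SCAN_SID}; rev:1;)"
}

# Append the rule to the custom rule file if it is not already there.
install_rule() {
    rules="${1:-/etc/suricata/rules/custom.rules}"
    grep -q "sid:${SCAN_SID};" "$rules" 2>/dev/null || scan_rule >> "$rules"
}

# Constructed eve.json sample: two scan alerts, one flow record, one other alert.
sample_eve() {
    cat <<'EOF'
{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"LAB Possible Nmap SYN scan"}}
{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","proto":"TCP"}
{"timestamp":"2024-01-01T10:01:00.000000+0000","event_type":"alert","src_ip":"10.0.0.9","dest_ip":"10.0.0.21","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"LAB Possible Nmap SYN scan"}}
{"timestamp":"2024-01-01T10:01:02.000000+0000","event_type":"alert","src_ip":"10.0.0.9","dest_ip":"10.0.0.21","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root"}}
EOF
}

# Number of alert events in an eve.json file that came from our rule.
count_scan_alerts() {
    grep -c "\"event_type\":\"alert\".*\"signature_id\":${SCAN_SID}," "$1" || true
}

# Distinct source addresses that tripped the rule, one per line.
scan_sources() {
    grep "\"event_type\":\"alert\".*\"signature_id\":${SCAN_SID}," "$1" \
        | sed -n 's/.*"src_ip":"\([^"]*\)".*/\1/p' | sort -u
}
```

After replaying a scan PCAP with tcpreplay onto the interface, run count_scan_alerts against the live eve.json to confirm the rule fires; prepare_iface and install_rule need root.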