Lab 05 — Alert on Real Malicious Traffic
Setup
git clone https://github.com/plaintext-security/plaintext-labs
cd plaintext-labs/defensive/05-intrusion-detection
make up
Run make demo to parse a small curated seed, data/eve.json: 9 realistic
Suricata alerts covering Cobalt Strike beaconing, an AsyncRAT C2 check-in, a
PowerShell dropper download, DGA DNS queries, and a large outbound data
transfer. The seed lets the demo run fully offline. The demo prints a
severity summary, the top signatures, the hosts involved, and a custom rule template.
For the full real-traffic exercise, fetch a public malicious capture and run Suricata over it:
make fetch-data    # downloads a real Malware-Traffic-Analysis.net PCAP and runs Suricata (ET Open ruleset) over it, writing data/eve.json
python3 parse_alerts.py data/eve.json
make fetch-data pulls a specific dated MTA.net capture (NetSupport RAT C2),
unzips it with the site's standard archive password (infected), and runs suricata -r with the
Emerging Threats Open ruleset; see data/PROVENANCE.md
for the exact source URL, the pipeline, and the write-up to check your alerts
against. To use a different capture, run PCAP=your-capture.pcap make suricata.
Scenario
Run an IDS over a real malicious capture, read the alerts, and confirm them against the known-bad write-up.
Do
- [ ] Update the Emerging Threats ruleset, then run Suricata over the malicious PCAP.
- [ ] Read eve.json / fast.log: which alerts fired, and what technique or malware do they name?
- [ ] Correlate the alerts with the site's write-up: did Suricata catch the real activity?
- [ ] Write one simple custom rule (e.g. alert on a specific domain or user-agent from the capture) and confirm it fires.
Success criteria — you're done when
- [ ] Suricata produced alerts on the real malicious traffic.
- [ ] You can explain at least two alerts and tie them to the write-up.
- [ ] Your custom rule fires on the intended traffic.
Deliverables
ids.md: the notable alerts, how they match the write-up, and your custom rule.
AI acceleration
Have a model explain an unfamiliar alert signature or draft your custom rule — then verify it fires correctly against the PCAP. A rule you can't test is a guess.
Connects forward
Suricata alerts flow into the SIEM (module 06) and the detection-as-code workflow (module 08); network indicators tie to module 12 (hunting).
Marketable proof
"I run Suricata with community rulesets over real malicious traffic, interpret the alerts, and write and test custom rules."
Automate & own it
Required. Script a pass over Suricata's eve.json that summarises alerts by signature and
severity (AI drafts, you verify against the raw output); commit it.
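The pass over eve.json that the demo and this task describe (severity summary, top signatures, hosts involved, and a custom rule built from an indicator the alerts recorded), as an added Python example written for this page. It is not the repo's parse_alerts.py. The EVE records embedded in the block are constructed for the example; their SIDs, signature names, IPs and indicators are placeholders, not real ET Open rules or real C2, and the shape of the dns/http metadata on alert records assumes Suricata 6 or 7 output.

```python
"""Summarise Suricata eve.json alerts by severity, signature and host, then turn
an indicator Suricata recorded on an alert into a custom local rule.

Added example for this lab, not the repo's parse_alerts.py. SAMPLE_EVE is
constructed: its signature names, SIDs and indicators are placeholders, not
real ET Open rules. Field names follow Suricata's EVE alert output (event_type,
src_ip, dest_ip, alert.signature / signature_id / severity / category, plus the
dns and http metadata Suricata 6/7 attaches to alert records).
"""
import json
from collections import Counter

SEVERITY_LABEL = {1: "high", 2: "medium", 3: "low"}  # in Suricata, 1 is most severe

# Constructed sample, one JSON object per line exactly as Suricata writes eve.json.
# The first record is a flow event, included to show non-alert events are skipped.
SAMPLE_EVE = "\n".join(json.dumps(rec) for rec in [
    {"timestamp": "2024-01-01T10:00:01.000000+0000", "event_type": "flow",
     "src_ip": "10.0.0.5", "dest_ip": "203.0.113.10"},
    {"timestamp": "2024-01-01T10:00:02.000000+0000", "event_type": "alert",
     "src_ip": "10.0.0.5", "dest_ip": "203.0.113.10", "dest_port": 443,
     "alert": {"action": "allowed", "signature_id": 9900001, "rev": 1, "severity": 1,
               "signature": "LAB SAMPLE Beacon-like periodic HTTP POST",
               "category": "Malware Command and Control Activity Detected"},
     "http": {"hostname": "cdn-update.example",
              "http_user_agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"}},
    {"timestamp": "2024-01-01T10:01:02.000000+0000", "event_type": "alert",
     "src_ip": "10.0.0.7", "dest_ip": "203.0.113.10", "dest_port": 443,
     "alert": {"action": "allowed", "signature_id": 9900001, "rev": 1, "severity": 1,
               "signature": "LAB SAMPLE Beacon-like periodic HTTP POST",
               "category": "Malware Command and Control Activity Detected"},
     "http": {"hostname": "cdn-update.example",
              "http_user_agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"}},
    {"timestamp": "2024-01-01T10:02:00.000000+0000", "event_type": "alert",
     "src_ip": "10.0.0.5", "dest_ip": "198.51.100.53", "dest_port": 53,
     "alert": {"action": "allowed", "signature_id": 9900002, "rev": 1, "severity": 2,
               "signature": "LAB SAMPLE DGA-looking DNS query",
               "category": "A Network Trojan was detected"},
     "dns": {"query": [{"type": "query", "id": 4242, "rrname": "xk3qz7pl.example", "rrtype": "A"}]}},
])


def load_alerts(text):
    """Parse newline-delimited EVE JSON and keep only event_type == alert."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a live eve.json can end in a half-written line; skip it
        if rec.get("event_type") == "alert":
            alerts.append(rec)
    return alerts


def summarise(alerts):
    """Counts by severity label, by (sid, signature), and by IP on either side."""
    by_severity = Counter(SEVERITY_LABEL.get(a["alert"].get("severity"), "unknown") for a in alerts)
    by_signature = Counter((a["alert"].get("signature_id"), a["alert"].get("signature")) for a in alerts)
    hosts = Counter()
    for a in alerts:
        hosts[a.get("src_ip", "?")] += 1
        hosts[a.get("dest_ip", "?")] += 1
    return {"severity": dict(by_severity), "signatures": by_signature.most_common(),
            "hosts": hosts.most_common()}


def indicators(alerts):
    """DNS names and HTTP user-agents Suricata recorded on the alert records."""
    dns, ua = set(), set()
    for a in alerts:
        for q in (a.get("dns") or {}).get("query", []):
            if q.get("rrname"):
                dns.add(q["rrname"].lower())
        agent = (a.get("http") or {}).get("http_user_agent")
        if agent:
            ua.add(agent)
    return sorted(dns), sorted(ua)


def _escape(value):
    # Inside a Suricata content:"..." string, backslash, double quote, semicolon
    # and pipe are special and must be backslash-escaped.
    return "".join("\\" + c if c in '\\";|' else c for c in value)


def rule_template(kind, value, sid):
    """Build a local rule; kind is 'dns' or 'ua'. SIDs 1000000-1999999 are reserved for local rules."""
    if not 1_000_000 <= sid <= 1_999_999:
        raise ValueError("use a local SID (1000000-1999999) so it cannot collide with ET Open")
    esc = _escape(value)
    if kind == "dns":
        # dns.query sticky buffer; bsize pins the exact name length so notbad.example
        # or a subdomain cannot satisfy a content match on bad.example.
        return (f'alert dns any any -> any any (msg:"LAB custom DNS query {esc}"; '
                f'dns.query; content:"{esc}"; nocase; bsize:{len(value)}; '
                f'classtype:trojan-activity; sid:{sid}; rev:1;)')
    if kind == "ua":
        return (f'alert http any any -> any any (msg:"LAB custom user-agent {esc}"; '
                f'flow:established,to_server; http.user_agent; content:"{esc}"; '
                f'classtype:trojan-activity; sid:{sid}; rev:1;)')
    raise ValueError(f"unknown indicator kind {kind!r}")


if __name__ == "__main__":
    found = load_alerts(SAMPLE_EVE)
    report = summarise(found)
    print("by severity:", report["severity"])
    for (sid, sig), n in report["signatures"]:
        print(f"{n:3d}  sid:{sid}  {sig}")
    print("hosts:", report["hosts"])
    names, agents = indicators(found)
    print(rule_template("dns", names[0], 1000001))
    print(rule_template("ua", agents[0], 1000002))
```

To use it on the real capture, pass the contents of data/eve.json to load_alerts instead of SAMPLE_EVE. Save the printed rule to a local file such as lab.rules and load it exclusively with suricata -r data/<capture>.pcap -S lab.rules -l out/ (-S replaces the rule files named in suricata.yaml, so only your rule runs, which is the cleanest way to confirm it fires; -s loads it alongside them), then look for sid 1000001 in out/fast.log or out/eve.json. bsize is the detail worth keeping: a plain content match on a short domain also fires on any longer name that contains it.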
Stretch
- Run Suricata in IPS mode (inline via AF_PACKET or NFQUEUE, with drop rules) and explain what changes, and the risk of blocking on a false positive: a rule that was only noisy in IDS mode now interrupts legitimate traffic.