
Home Lab: Wazuh + Suricata + ELK

A comprehensive home lab setup for learning detection engineering and SIEM management.

Tags: Wazuh, Suricata, Elasticsearch, Kibana, Docker Compose

Problem

Theory is not enough. I needed hands-on experience with configuring a SIEM, writing detection rules, and analyzing network traffic.

Approach

I deployed a full security stack on a Proxmox server:

  1. Wazuh: Host-based Intrusion Detection (HIDS) and SIEM.
  2. Suricata: Network Intrusion Detection (NIDS) running on a mirrored port (SPAN).
  3. ELK Stack: For log aggregation and visualization.
  4. Kali Linux: Used as the attacker machine to generate alerts.

Tools

  • Docker Compose: For orchestrating the stack.
  • Proxmox: Virtualization.
  • pfSense: Firewall and network segmentation.

Output & Impact

  • Successfully detected Nmap scans, brute force attacks, and reverse shells.
  • Wrote custom Wazuh rules to detect specific file modifications.
  • Gained deep appreciation for the noise vs. signal problem in SOCs.
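An added example of the kind of custom Wazuh rule the lab describes (not the author's actual rules): a local_rules.xml fragment that escalates any change to a few credential files and silences a known-noisy path, which is the tuning work the notes below refer to. The rule IDs, watched paths and alert levels are assumptions.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml (added example; rule IDs and paths are assumptions).
     The files must be monitored by syscheck in ossec.conf, e.g.
     <syscheck><directories realtime="yes">/etc,/root/.ssh</directories></syscheck>,
     otherwise no 550/553/554 event is ever generated for them. -->
<group name="syscheck,local,">

  <!-- Escalate: built-in rules 550 (checksum changed), 553 (deleted) and
       554 (added) fire at level 5-7 for any monitored file; this child rule
       raises them to level 12 when the file is a credential or privilege file.
       The field regex is OS_Regex, so each alternative is anchored separately. -->
  <rule id="100100" level="12">
    <if_sid>550,553,554</if_sid>
    <field name="file">^/etc/passwd$|^/etc/shadow$|^/etc/sudoers$|^/root/.ssh/authorized_keys$</field>
    <description>Credential or privilege file changed: $(file)</description>
  </rule>

  <!-- Suppress: resolv.conf is rewritten by DHCP on every lease renewal in this
       lab, so integrity-changed events for it are pure noise. Level 0 drops the
       alert without disabling rule 550 for every other file. -->
  <rule id="100101" level="0">
    <if_sid>550</if_sid>
    <field name="file">^/etc/resolv.conf$</field>
    <description>Ignore DHCP-driven resolv.conf rewrites (tuned out)</description>
  </rule>

</group>
```

After editing, `/var/ossec/bin/wazuh-logtest` can be fed a syscheck event to confirm which rule ID matches before restarting the manager.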

What I Learned

  • Default configurations are noisy. Tuning is 80% of the work.
  • Understanding the network flow is a prerequisite to understanding network security.