# Suricata POC - Detecting SSH Bruteforces

05-26-2025

Tags: #Suricata #Grafana #Graylog #Hydra

Links: [[Building a SIEM - 4 - Graylog Inputs, Wazuh Tuning, and Agents]], [[Building a SIEM - 5 - Building a Grafana Dashboard]]

---

**Table of Contents**

- [[#Intro|Intro]]
- [[#Objective|Objective]]
- [[#The Setup|The Setup]]
- [[#Installing Suricata on Linux Mint|Installing Suricata on Linux Mint]]
- [[#Basic Suricata Configuration|Basic Suricata Configuration]]
  - [[#Basic Suricata Configuration#Set the Interface|Set the Interface]]
  - [[#Basic Suricata Configuration#Installing Rules|Installing Rules]]
- [[#Confirming Suricata Is Alerting|Confirming Suricata Is Alerting]]
- [[#Viewing JSON Logs|Viewing JSON Logs]]
- [[#Installing and Configuring Fluent Bit|Installing and Configuring Fluent Bit]]
  - [[#Installing and Configuring Fluent Bit#Fluent Bit Config (`/etc/fluent-bit/fluent-bit.conf`)|Fluent Bit Config (`/etc/fluent-bit/fluent-bit.conf`)]]
- [[#Configuring Graylog for Suricata Logs|Configuring Graylog for Suricata Logs]]
- [[#Parsing Suricata Logs in Graylog|Parsing Suricata Logs in Graylog]]
- [[#Visualizing Suricata in Grafana|Visualizing Suricata in Grafana]]
- [[#Testing Detection: Hydra SSH Bruteforce|Testing Detection: Hydra SSH Bruteforce]]
- [[#What This Proof of Concept Does Well|What This Proof of Concept Does Well]]
- [[#Limitations & Future Improvements|Limitations & Future Improvements]]
- [[#Conclusion|Conclusion]]
- [[#References|References]]

## Intro

In this Proof of Concept, I wanted to answer a simple question: _What does an SSH bruteforce attack look like in a custom-built SIEM stack using open-source tools?_ Because who needs sleep when you have logs?

This blog is part of a larger experiment to create a functional, modular SIEM using Wazuh, Graylog, Grafana, and other community-powered tools.
But this time, we're throwing Suricata into the mix: a fast, powerful open-source threat detection engine that plays nicely in IDS (Intrusion Detection System) mode. The idea: install and configure Suricata on a vulnerable (but loving) Linux Mint web server, fire some Hydra attacks at it from Kali, and watch the chaos light up my Grafana dashboard like a Christmas tree.

---

## Objective

Build a functioning IDS pipeline using Suricata and visualize SSH bruteforce alerts in Grafana via Fluent Bit and Graylog.

---

## The Setup

Here's the testing environment:

- **Linux Mint 21 (Web Server / Victim)**
  - Apache running
  - Suricata installed with ET Open rules
  - Fluent Bit forwarding Suricata's EVE logs to Graylog
- **Ubuntu 22.04 (SIEM Server)**
  - Graylog feeding logs into Wazuh-indexer
  - Grafana reading from the index
- **Kali Linux (Attacker)**
  - Hydra + rockyou.txt = pain

---

## Installing Suricata on Linux Mint

If you're on Ubuntu or Mint, the quickest way to get the latest stable Suricata is through the OISF PPA:

```
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt update
sudo apt install suricata jq
```

We're also installing `jq` to help make sense of Suricata's dense JSON logs, because raw `eve.json` is about as readable as Vogon poetry (iykyk).

Verify the install:

```
sudo suricata --build-info
sudo systemctl status suricata
```

---

## Basic Suricata Configuration

### Set the Interface

Find your network interface:

`ip addr`

Update `/etc/suricata/suricata.yaml` with your actual interface (mine was `enp1s0`):

```
af-packet:
  - interface: enp1s0
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    tpacket-v3: yes
```

While you're in the file, check `HOME_NET` under `vars: address-groups:`. The stock value covers the whole RFC 1918 space and `EXTERNAL_NET` is defined as `!$HOME_NET`, so with the attacker and the victim both sitting on 10.0.10.0/24, any rule written as `$EXTERNAL_NET any -> $HOME_NET 22` will never match. If the bruteforce later shows up in `auth.log` but not in `fast.log`, narrow `HOME_NET` to the victim (for this lab, `[10.0.10.101/32]`) or set `EXTERNAL_NET` to `any`, then restart Suricata.

### Installing Rules

Pull down the ET Open ruleset:

`sudo suricata-update`

You'll find them in `/var/lib/suricata/rules/suricata.rules`.

Want to see what else you can load?
```
sudo suricata-update list-sources
sudo suricata-update enable-source <source-name>
```

Restart Suricata to apply:

`sudo systemctl restart suricata`

Check it's alive:

`sudo tail /var/log/suricata/suricata.log`

---

## Confirming Suricata Is Alerting

Trigger a test rule (*SID 2100498*). Run the `tail` in one terminal and the `curl` in another:

```
sudo tail -f /var/log/suricata/fast.log
curl http://testmynids.org/uid/index.html
```

You should see a beautiful alert that says:

`[1:2100498:7] GPL ATTACK_RESPONSE id check returned root`

You're in business.

---

## Viewing JSON Logs

Want prettier logs? Use `jq`:

`sudo tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")'`

Or get packet stats:

`sudo tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="stats")'`

---

## Installing and Configuring Fluent Bit

Now to send Suricata logs from Mint to Graylog.

Add the Fluent Bit repo (Mint 21 is built on Ubuntu 22.04 "jammy", which is why the jammy line works here):

```
curl https://packages.fluentbit.io/fluentbit.key | sudo gpg --dearmor -o /usr/share/keyrings/fluentbit-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/fluentbit-archive-keyring.gpg] https://packages.fluentbit.io/ubuntu/jammy jammy main" | sudo tee /etc/apt/sources.list.d/fluent-bit.list
```

Install:

```
sudo apt update
sudo apt install fluent-bit
```

Enable and start the `fluent-bit` service once the config below is in place.

### Fluent Bit Config (`/etc/fluent-bit/fluent-bit.conf`)

```
[SERVICE]
    flush                     1
    daemon                    Off
    log_level                 info
    parsers_file              parsers.conf
    http_server               Off
    http_listen               0.0.0.0
    http_port                 2020
    storage.metrics           on
    storage.path              /var/log/flb-storage
    storage.sync              normal
    storage.checksum          off
    storage.backlog.mem_limit 5M
    Log_File                  /var/log/td-agent-bit.log

[INPUT]
    name              tail
    path              /var/log/suricata/eve.json
    tag               suricata
    parser            json
    Buffer_Max_Size   5MB
    Buffer_Chunk_Size 400k
    storage.type      filesystem
    Mem_Buf_Limit     512MB

[OUTPUT]
    Name          tcp
    # Graylog server IP
    Host          10.0.10.30
    # Graylog input port
    Port          6665
    net.keepalive off
    Match         suricata
    Format        json_lines
    # name of the time key Fluent Bit adds to every record (default is "date";
    # the value is a key name, not a boolean)
    json_date_key date
```

Two things worth knowing about this config:

- The stock `json` parser in `parsers.conf` looks for a `time` key, but Suricata stores the event time under `timestamp`, so the `date` field Fluent Bit adds is the time it read the line, not the time of the event. Keep using Suricata's own `timestamp` field in Graylog and Grafana.
- `storage.type filesystem` together with `storage.path` buffers events on disk while Graylog is unreachable, so an overnight Hydra run doesn't vanish when the SIEM hiccups.

---

## Configuring Graylog for Suricata Logs

Set up in Graylog:

- **Input**: Raw/Plaintext TCP on port 6665
- Add
  static field: `log_type: suricata`
- **Index**: `Suricata-Alerts` (hot, 7-day retention)
- **Stream**: Matches `log_type: suricata` and routes to `Suricata-Alerts`

Make sure the firewall on the SIEM server isn't blocking 6665, and confirm the `fluent-bit` service is running on Mint (its log file is the `Log_File` path from the config above, so look there first). If no logs appear, check that the Graylog input is started and the stream rule actually matches, double-check both configs, or try another port.

---

## Parsing Suricata Logs in Graylog

Use the JSON extractor on a Suricata log:

- **List item separator**: `,`
- **Key separator**: `_`
- **Key/value separator**: `:`

Click **Try**, then **Create Extractor**. Voilà! Clean, parseable logs ready for Grafana. Nested EVE objects come out flattened with the key separator, so `alert.signature` becomes `alert_signature` and `alert.signature_id` becomes `alert_signature_id`; those flattened names are what you'll pick in Grafana.

---

## Visualizing Suricata in Grafana

Use your `Suricata-Alerts` index as a data source in Grafana. Follow the same process outlined in [[Building a SIEM - 5 - Building a Grafana Dashboard]]; I used `Suricata-Alerts*` as the index name.

---

## Testing Detection: Hydra SSH Bruteforce

Now for the fun part. From my Kali box:

`sudo hydra -l test -P /usr/share/wordlists/rockyou.txt 10.0.10.101 ssh`

Hydra will warn that SSH servers usually limit parallel sessions and suggest `-t 4`; fewer tasks is slower but drops fewer connections.

Meanwhile, on my Mint box:

`sudo tail -f /var/log/auth.log`

![[ssh_bruteforce_example.png]]

My logs go nuts. Over 200 SSH login attempts per minute from Kali. It's almost beautiful... if it weren't a security nightmare.

After letting the attack run overnight, my Grafana dashboard shows this gem:

![[suricata_ssh_bruteforce.png]]

Massive alert spike from `10.0.10.50` targeting port 22 on my web server. Mission accomplished.
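What that spike looks like in the raw EVE data, as an added example (my own Python, not part of the original pipeline and not Suricata's or ET's code): the script builds a constructed `eve.json` sample, applies the same `event_type=="alert"` filter as the `jq` one-liners above, counts alerts per source the way the Grafana panel does, and runs a per-source sliding-window check modelled on Suricata's `threshold: type both, track by_src, count N, seconds M` rule option. The IPs, the signature name and sid 9000001 are made up for the sample, and the 20-alerts-in-60-seconds threshold is an assumption, not a value taken from ET Open. It also deals with the one failure mode anything tailing `eve.json` hits sooner or later: a line handed over mid-write that isn't valid JSON yet.

```python
import json
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

EVE_TS = "%Y-%m-%dT%H:%M:%S.%f%z"          # Suricata's EVE timestamp layout
BASE = datetime(2025, 5, 26, 21, 14, 0, tzinfo=timezone.utc)


def _alert(ts, src, dport=22):
    """One constructed EVE alert record (field names follow the EVE schema;
    the signature and sid are invented for this example)."""
    return json.dumps({
        "timestamp": ts.strftime(EVE_TS), "event_type": "alert",
        "src_ip": src, "src_port": 51000, "dest_ip": "10.0.10.101",
        "dest_port": dport, "proto": "TCP",
        "alert": {"signature_id": 9000001, "rev": 1, "severity": 1,
                  "signature": "LAB SSH brute-force candidate (constructed)"},
    })


def build_sample():
    """Constructed eve.json lines, not a real capture: a Hydra-like burst of
    25 alerts in 50 s from one source, 3 slow hits from another, some
    non-alert noise, and one line cut off mid-write as `tail -f` can hand over."""
    lines = [json.dumps({"timestamp": BASE.strftime(EVE_TS), "event_type": "stats",
                         "stats": {"uptime": 42}})]
    lines += [_alert(BASE + timedelta(seconds=2 * i), "10.0.10.50") for i in range(25)]
    lines += [_alert(BASE + timedelta(minutes=5 * i), "10.0.10.77") for i in range(3)]
    lines.append(json.dumps({"timestamp": BASE.strftime(EVE_TS), "event_type": "flow",
                             "src_ip": "10.0.10.50", "dest_ip": "10.0.10.101",
                             "dest_port": 22, "proto": "TCP"}))
    lines.append(_alert(BASE + timedelta(seconds=51), "10.0.10.50")[:40])  # torn line
    return lines


def parse_eve(lines):
    """Parse eve.json lines into dicts. Returns (events, bad_line_count): a
    partial line is not valid JSON, so it is skipped and counted rather than
    letting one torn write kill the consumer."""
    events, bad = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return events, bad


def ssh_alerts(events):
    """The jq filter from above plus a port check: alerts aimed at SSH."""
    return [e for e in events
            if e.get("event_type") == "alert" and e.get("dest_port") == 22]


def detect_bruteforce(alerts, count=20, seconds=60):
    """Per-source sliding window modelled on a rule threshold of
    `type both, track by_src, count N, seconds M`: report a source the moment
    it reaches N alerts inside M seconds, then reset its window so a sustained
    attack yields one finding per period instead of one per packet."""
    windows, findings = defaultdict(deque), []
    for a in sorted(alerts, key=lambda e: e["timestamp"]):
        ts = datetime.strptime(a["timestamp"], EVE_TS)
        q = windows[a["src_ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > seconds:   # drop hits older than the window
            q.popleft()
        if len(q) >= count:
            findings.append({"src_ip": a["src_ip"], "dest_ip": a["dest_ip"],
                             "hits": len(q), "first": q[0].isoformat(),
                             "last": ts.isoformat()})
            q.clear()
    return findings


def top_sources(alerts, n=5):
    """What the Grafana panel is really showing: alert count per source IP."""
    return Counter(a["src_ip"] for a in alerts).most_common(n)


def run(lines=None):
    """Parse, filter, summarise. Defaults to the constructed sample."""
    events, bad = parse_eve(build_sample() if lines is None else lines)
    alerts = ssh_alerts(events)
    return {"events": len(events), "bad_lines": bad, "ssh_alerts": len(alerts),
            "top": top_sources(alerts), "findings": detect_bruteforce(alerts)}


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

To run it against a real box, replace `build_sample()` with the lines of `/var/log/suricata/eve.json`. On the sample, `10.0.10.50` trips the detector once (20 hits between 21:14:00 and 21:14:38) and its remaining five alerts stay below the reset window, while `10.0.10.77` at three hits spread over ten minutes never does; the torn line is counted in `bad_lines` instead of raising.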
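Back on the Fluent Bit to Graylog hop, as an added example (my own Python, not Fluent Bit's or Graylog's code): when nothing shows up on port 6665 it helps to separate "the network path is broken" from "Graylog is getting bytes but dropping them". The script frames a few constructed Suricata-style records the way the `tcp` output with `Format json_lines` does, pushes them over TCP with the same `send_payload` function you can point at the real Graylog input, and receives them with a small stand-in for the Raw/Plaintext TCP input that applies the `log_type` static field and flattens nested keys with `_` the way the JSON extractor settings above do. The record contents, the stand-in input and the `1748294045.0` ingest time are all constructed; the framing and flattening are modelled on the documented behaviour of both tools, not copied from either project.

```python
import json
import socket
import threading

# Constructed Suricata-style records (not real captures) standing in for the
# lines Fluent Bit tails out of eve.json.
SAMPLE_RECORDS = [
    {"timestamp": "2025-05-26T21:14:05.000000+0000", "event_type": "alert",
     "src_ip": "10.0.10.50", "dest_ip": "10.0.10.101", "dest_port": 22,
     "proto": "TCP", "alert": {"signature_id": 9000001, "severity": 1,
                               "signature": "LAB SSH brute-force candidate"}},
    {"timestamp": "2025-05-26T21:14:05.100000+0000", "event_type": "flow",
     "src_ip": "10.0.10.50", "dest_ip": "10.0.10.101", "dest_port": 22,
     "proto": "TCP"},
    {"timestamp": "2025-05-26T21:14:06.000000+0000", "event_type": "alert",
     "src_ip": "10.0.10.77", "dest_ip": "10.0.10.101", "dest_port": 22,
     "proto": "TCP", "alert": {"signature_id": 9000001, "severity": 1,
                               "signature": "LAB SSH brute-force candidate"}},
]


def frame_json_lines(records, ingest_time, date_key="date"):
    """Encode records the way the tcp output with `Format json_lines` does:
    one JSON object per line, newline-terminated, with the time Fluent Bit
    read the line stored under `json_date_key` as epoch seconds (the default
    json_date_format). Modelled on the documented behaviour, not Fluent Bit's code."""
    out = []
    for rec in records:
        body = {date_key: ingest_time}
        body.update(rec)
        out.append(json.dumps(body) + "\n")
    return "".join(out).encode()


def flatten(obj, key_sep="_", list_sep=",", prefix=""):
    """Approximation of the Graylog JSON extractor with the settings used
    above (key separator `_`, list item separator `,`): nested objects become
    prefix_key fields, lists of scalars become one joined string."""
    flat = {}
    for k, v in obj.items():
        name = f"{prefix}{key_sep}{k}" if prefix else k
        if isinstance(v, dict):
            flat.update(flatten(v, key_sep, list_sep, name))
        elif isinstance(v, list):
            flat[name] = list_sep.join(str(x) for x in v)
        else:
            flat[name] = v
    return flat


class RawTcpInput:
    """Test double for Graylog's Raw/Plaintext TCP input: accepts one
    connection, splits on newlines, parses each line as JSON, flattens it and
    stamps the static field. Bytes without a trailing newline stay in the
    buffer, which is exactly why the sender has to emit json_lines."""

    def __init__(self, static_fields, host="127.0.0.1"):
        self.static, self.messages = static_fields, []
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, 0))            # port 0: let the OS pick a free one
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        conn, _ = self.sock.accept()
        buf = b""
        with conn:
            while True:
                chunk = conn.recv(4096)
                if not chunk:                # peer closed: Fluent Bit flushed
                    break
                buf += chunk
                while b"\n" in buf:
                    line, buf = buf.split(b"\n", 1)
                    self._ingest(line)
        self.sock.close()

    def _ingest(self, line):
        try:
            msg = flatten(json.loads(line))
        except json.JSONDecodeError:         # raw input keeps junk as a message
            msg = {"message": line.decode(errors="replace"), "json_error": True}
        msg.update(self.static)              # the static field set on the input
        self.messages.append(msg)

    def wait(self, timeout=5.0):
        self._thread.join(timeout)
        return self.messages


def send_payload(host, port, payload, timeout=3.0):
    """Push bytes at a Graylog raw TCP input. As a smoke test against the real
    server: connection refused means firewall or input not started; connected
    but nothing in Graylog means the stream rule or extractor is the problem."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)


def pipeline_demo(records=SAMPLE_RECORDS):
    """Run the hop locally: frame like Fluent Bit, send over TCP, receive like
    Graylog. Returns the messages the stand-in input produced."""
    inp = RawTcpInput({"log_type": "suricata"})
    send_payload("127.0.0.1", inp.port,
                 frame_json_lines(records, ingest_time=1748294045.0))
    return inp.wait()


if __name__ == "__main__":
    for m in pipeline_demo():
        print(m)
```

Against the lab, `send_payload("10.0.10.30", 6665, frame_json_lines(SAMPLE_RECORDS, time.time()))` is the whole smoke test: a refused connection points at the firewall or an input that was never started, while a clean send with no message in the `Suricata-Alerts` stream points at the stream rule or extractor. Locally, the three records arrive as three messages, each carrying `log_type: suricata`, the ingest-time `date` key, and `alert_signature_id` in place of the nested `alert` object.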
---

## What This Proof of Concept Does Well

✅ Full pipeline from detection → ingestion → visualization
✅ Reproducible with open-source tools
✅ Realistic attack detection (Hydra SSH bruteforce)
✅ Clean JSON log parsing + Grafana-friendly output

---

## Limitations & Future Improvements

🔸 **Limited rule tuning** – only default ET Open rules used
🔸 **No automated response** – alerts aren't triggering blocklists or playbooks
🔸 **No user-friendly dashboard** – raw data, not analyst-ready summaries
🔸 **Single host visibility** – no network-wide coverage yet

**Next Steps**:

- Tune or write custom rules (e.g., geoIP, honeypot triggers)
- Integrate with TheHive/Cortex for alert triage
- Automate response with Wazuh or SOAR tooling
- Use OpenCTI/MISP for threat enrichment

---

## Conclusion

This mini-project proves you don't need enterprise licenses or a SOC team the size of NASA's launch control to get value out of network-based intrusion detection. Suricata, Fluent Bit, Graylog, and Grafana make a powerful open-source combo that can shine a light on suspicious activity, like that Kali box in your closet bruteforcing the life out of your poor little Mint web server.

Stay curious, stay secure, and never trust a quiet network: it's probably just planning something.

---

## References

> Suricata installation Quickstart: https://docs.suricata.io/en/latest/quickstart.html