Real Time Threat Detection Stack
💻This project showcases my ability to design and implement an integrated cybersecurity solution using open-source tools. The goal of this project
was to create a unified environment capable of detecting, analyzing, and responding to network threats against my devices in real time. By combining Wazuh, a Security
Information and Event Management (SIEM) platform, with Suricata, an Intrusion Detection and Prevention System (IDS/IPS), the system achieves
visibility into, and where enabled control over, network activity across multiple VLANs.
⚙️The project began with the deployment of Wazuh in Docker on an Amazon Linux 2023 host. Wazuh serves as the central SIEM,
collecting and correlating logs from various sources, including network devices and servers. To extend visibility into live network traffic,
Suricata was installed on the pfSense firewall as a package and runs there as a service. Suricata inspects packets in real time, matches them against its
rule set, and raises an alert when it sees known or emerging threat patterns. Where it runs in IPS mode (inline), it not only monitors but actively
drops matching traffic, strengthening the network's defensive posture.
🔗Integration between the two systems was achieved through syslog forwarding: Suricata transmits its alerts in JSON format to the
Wazuh manager. To ensure accurate parsing and classification, I developed a custom decoder named suricata_line, which extracts the relevant fields
from each forwarded line, and a dedicated rule group that categorizes the decoded alerts by Suricata's severity value (1 being the most severe). High-severity
events are flagged for immediate attention, while lower-level alerts contribute to broader trend analysis. Together the decoder and rules let Wazuh
process Suricata alerts efficiently, turning raw log data into actionable intelligence.
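To make the decode-then-classify logic concrete, here is an added Python example (not the project's own decoder or rule XML, and not code from this page) that models the same two steps: strip the syslog header, parse the Suricata EVE JSON, keep only `event_type: alert`, and map `alert.severity` (1 = most severe) to a SIEM alert level. The level values, the "immediate attention" threshold, the signature IDs/text and the sample syslog lines are all assumptions constructed for the example.

```python
"""Model of the decode -> classify pipeline for Suricata alerts forwarded over syslog.
Added example; not the project's Wazuh decoder/rule configuration."""
import json
from collections import Counter

# ASSUMPTION: mapping from Suricata alert.severity (1 = highest) to SIEM-style
# alert levels. The project's real rule levels are not stated on the page.
SEVERITY_TO_LEVEL = {1: 12, 2: 8, 3: 5}
DEFAULT_LEVEL = 3        # missing or unknown severity
ATTENTION_THRESHOLD = 12  # ASSUMPTION: level at which an alert is "flag immediately"


def extract_json(line: str):
    """Drop the syslog header (everything before the first '{') and parse the
    remaining EVE JSON. Returns None for non-JSON payloads or malformed JSON."""
    start = line.find("{")
    if start == -1:
        return None
    try:
        record = json.loads(line[start:])
    except json.JSONDecodeError:
        return None
    return record if isinstance(record, dict) else None


def decode_alert(line: str):
    """Decoder step: pull the fields the rules need from one forwarded line.
    Non-alert EVE events (flow, dns, stats, ...) are ignored, as are plain-text lines."""
    rec = extract_json(line)
    if rec is None or rec.get("event_type") != "alert":
        return None
    alert = rec.get("alert", {})
    return {
        "timestamp": rec.get("timestamp"),
        "src_ip": rec.get("src_ip"), "src_port": rec.get("src_port"),
        "dest_ip": rec.get("dest_ip"), "dest_port": rec.get("dest_port"),
        "proto": rec.get("proto"),
        "signature_id": alert.get("signature_id"),
        "signature": alert.get("signature"),
        "category": alert.get("category"),
        "severity": alert.get("severity"),
        "action": alert.get("action"),  # "blocked" only when Suricata runs inline (IPS)
    }


def classify(alert: dict) -> dict:
    """Rule-group step: attach a level derived from Suricata's severity and
    derive the two flags the dashboards care about."""
    level = SEVERITY_TO_LEVEL.get(alert.get("severity"), DEFAULT_LEVEL)
    out = dict(alert, level=level)
    out["immediate_attention"] = level >= ATTENTION_THRESHOLD
    out["blocked"] = alert.get("action") == "blocked"
    return out


def process(lines):
    """Run decode + classify over raw syslog lines; lines the decoder does not match are dropped."""
    return [classify(d) for d in map(decode_alert, lines) if d is not None]


def severity_trend(alerts):
    """Count of alerts per level: the input for trend analysis of lower-severity events."""
    return dict(Counter(a["level"] for a in alerts))


# CONSTRUCTED sample input: three alerts, one flow event and one plain-text line,
# framed the way a BSD-style syslog forwarder might present them.
SAMPLE_LINES = [
    '<13>Oct  1 12:00:01 pfSense suricata[4321]: {"timestamp":"2025-10-01T12:00:01.000000-0400",'
    '"event_type":"alert","src_ip":"203.0.113.9","src_port":44321,"dest_ip":"10.20.0.10",'
    '"dest_port":22,"proto":"TCP","alert":{"action":"blocked","signature_id":9000001,'
    '"signature":"EXAMPLE SSH brute force attempt","category":"Attempted Administrator Privilege Gain","severity":1}}',
    '<13>Oct  1 12:00:02 pfSense suricata[4321]: {"timestamp":"2025-10-01T12:00:02.000000-0400",'
    '"event_type":"alert","src_ip":"198.51.100.7","src_port":51000,"dest_ip":"10.20.0.10",'
    '"dest_port":80,"proto":"TCP","alert":{"action":"allowed","signature_id":9000002,'
    '"signature":"EXAMPLE web scanner user-agent","category":"Web Application Attack","severity":2}}',
    '<13>Oct  1 12:00:03 pfSense suricata[4321]: {"timestamp":"2025-10-01T12:00:03.000000-0400",'
    '"event_type":"alert","src_ip":"10.30.0.5","src_port":5353,"dest_ip":"224.0.0.251",'
    '"dest_port":5353,"proto":"UDP","alert":{"action":"allowed","signature_id":9000003,'
    '"signature":"EXAMPLE mDNS query","category":"Not Suspicious Traffic","severity":3}}',
    '<13>Oct  1 12:00:04 pfSense suricata[4321]: {"event_type":"flow","src_ip":"10.30.0.5","dest_ip":"10.20.0.10"}',
    '<13>Oct  1 12:00:05 pfSense suricata[4321]: engine started',
]

if __name__ == "__main__":
    for a in process(SAMPLE_LINES):
        print(a["level"], a["immediate_attention"], a["blocked"], a["src_ip"], "->", a["dest_ip"], a["signature"])
    print(severity_trend(process(SAMPLE_LINES)))
```

The two helpers mirror the split in the project: `decode_alert` is the job of the `suricata_line` decoder (field extraction, no judgement), and `classify` is the job of the rule group (severity to level, flags). Keeping that boundary makes it easy to check each half against a captured line before touching the Wazuh manager.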
📊Additional enhancements were implemented to improve visibility and analysis. The Wazuh dashboard displays
real-time visualizations of network activity, intrusion trends, and correlated events. Traffic on every VLAN is monitored so that detection
coverage has no blind spots. I also enabled IPS functionality on the server VLAN, allowing Suricata to block confirmed threats as they occur and defend my
critical devices, such as my portfolio web server. Packet captures with tcpdump on the Wazuh host verified that the forwarded logs arrive over UDP port 514,
confirming the integration end to end.
🚀Through this project, I demonstrated practical expertise in log management, network monitoring, and intrusion prevention. The deployment illustrates
how open-source security tools can be combined to form a capable, cost-effective SIEM/IDS solution. By automating alert correlation and enhancing
situational awareness, the system provides real-time insights into potential security incidents. The end result is a resilient, scalable monitoring
platform that strengthens overall network security and supports proactive threat response.