DevConf.CZ

Lukas Sismis

Lukáš Šišmiš is a core team member of the open-source Suricata IDS project, where he focuses on accelerating network packet processing through DPDK, an optimized datapath library. He is also a Ph.D. student at BUT FIT and a researcher at Cesnet.


Session

06-14
12:30
80min
Suricata in Action: A Practical Workshop on Network Threat Detection
Lukas Sismis, Juliana Fajardini Reichow

This session offers a practical introduction to Suricata, a renowned open-source Network Intrusion Detection and Intrusion Prevention System, focusing on its role in detecting and mitigating network threats. Through a series of practical exercises, participants will gain insights into the fundamentals of network security and how Suricata operates within this domain.

This workshop lets the attendees first soak up the knowledge required to properly deploy Suricata at the right place in the network. Attendees will then complete a series of exercises that enable them to evaluate network traffic, identify threats and anomalies, employ and understand world-class security rules, and explore what else Suricata can provide.

This is a unique opportunity to explore Suricata's features and how they can be leveraged to enhance network security, presented by members of the Suricata team. We invite you to join this workshop to refine your network defense skills and advance your understanding of effective security practices with Suricata.

For this workshop, you'll need:

A laptop on which you can install Suricata. Ubuntu is the most common OS, but you can also use another OS or a virtual machine.

While not required, basic knowledge of networking will help.

To leave more time for the exercises, please try to come with Wireshark, Suricata and Evebox installed.
How to install Suricata (Ubuntu/Debian/CentOS...):
https://docs.suricata.io/en/latest/install.html#ubuntu-from-personal-package-archives-ppa

How to install Evebox:
Installation through APT/RPM repository is recommended
https://evebox.org/docs/install/

You can verify the installation by:
- downloading a pcap, e.g. from here: https://wiki.wireshark.org/samplecaptures
- running the pcap through Suricata and Evebox with this command (replace <PATH_TO_PCAP> with the path to the downloaded file):
suricata -r <PATH_TO_PCAP> -l /tmp/ -S /dev/null -k none && sudo evebox oneshot /tmp/eve.json

In the local Evebox web UI, in the Events section, you should now see Suricata events.
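Two things are worth knowing about that verification run. The `-S /dev/null` option tells Suricata to load only the (empty) signature file given, so the run uses no rules and the events you see are protocol logs (dns, http, tls, ...), flow records and stats, not alerts; `-k none` disables checksum validation, which keeps packets from pcaps with offloaded or broken checksums from being dropped. If you want to confirm the Suricata half of the installation without Evebox, the script below summarises the /tmp/eve.json that Suricata writes (one JSON object per line, the EVE format) and reports whether any protocol or flow events were produced. This is an added example, not code from the workshop, Suricata or Evebox; the sample records, the function names (summarize_eve, summarize_eve_file, installation_looks_ok) and the severity/IP values are constructed for illustration.

```python
"""Summarise a Suricata EVE JSON log (one JSON object per line).

Added example for checking /tmp/eve.json after the verification run; it is
not part of Suricata or Evebox. Field names follow the EVE JSON format
(event_type, src_ip, dest_ip, proto, alert.signature, ...).
"""
import json
import sys
from collections import Counter
from typing import Iterable

# Constructed sample EVE records (assumed shape, not captured from a real run).
# The alert line only appears in a real run when rules are loaded; with
# -S /dev/null you will see protocol, flow and stats events only.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-06-14T12:30:00.000001+0200","flow_id":1,"event_type":"dns",'
    '"src_ip":"192.0.2.10","dest_ip":"192.0.2.1","proto":"UDP",'
    '"dns":{"type":"query","rrname":"example.com","rrtype":"A"}}',
    '{"timestamp":"2024-06-14T12:30:00.000002+0200","flow_id":2,"event_type":"http",'
    '"src_ip":"192.0.2.10","dest_ip":"198.51.100.7","proto":"TCP",'
    '"http":{"hostname":"example.com","url":"/","http_method":"GET","status":200}}',
    '{"timestamp":"2024-06-14T12:30:00.000003+0200","flow_id":2,"event_type":"alert",'
    '"src_ip":"192.0.2.10","dest_ip":"198.51.100.7","proto":"TCP",'
    '"alert":{"action":"allowed","signature_id":1000001,"rev":1,'
    '"signature":"CONSTRUCTED TEST rule: HTTP GET to example.com","severity":3}}',
    '{"timestamp":"2024-06-14T12:30:00.000004+0200","flow_id":1,"event_type":"flow",'
    '"src_ip":"192.0.2.10","dest_ip":"192.0.2.1","proto":"UDP",'
    '"flow":{"pkts_toserver":1,"pkts_toclient":1}}',
    "this line is not JSON and is counted as malformed",
    '{"timestamp":"2024-06-14T12:30:01.000000+0200","event_type":"stats","stats":{"uptime":1}}',
]


def summarize_eve(lines: Iterable[str]) -> dict:
    """Count events per event_type, collect alerts and count malformed lines."""
    counts: Counter = Counter()
    alerts = []
    malformed = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1  # a truncated or non-JSON line, e.g. from a killed run
            continue
        etype = rec.get("event_type", "unknown")
        counts[etype] += 1
        if etype == "alert":
            a = rec.get("alert", {})
            alerts.append({
                "sid": a.get("signature_id"),
                "signature": a.get("signature"),
                "severity": a.get("severity"),
                "src_ip": rec.get("src_ip"),
                "dest_ip": rec.get("dest_ip"),
            })
    return {"event_counts": dict(counts), "alerts": alerts, "malformed_lines": malformed}


def summarize_eve_file(path: str) -> dict:
    """Summarise an eve.json file on disk, e.g. /tmp/eve.json from the workshop command."""
    with open(path, encoding="utf-8") as fh:
        return summarize_eve(fh)


def installation_looks_ok(summary: dict) -> bool:
    """True when the run produced at least one protocol or flow event.

    stats is emitted even for an empty pcap, and alerts need rules, so neither
    is evidence that packets were actually decoded and parsed.
    """
    decoded = {k: v for k, v in summary["event_counts"].items() if k not in ("stats", "alert")}
    return sum(decoded.values()) > 0


if __name__ == "__main__":
    # Usage: python eve_summary.py /tmp/eve.json   (falls back to the sample)
    result = summarize_eve_file(sys.argv[1]) if len(sys.argv) > 1 else summarize_eve(SAMPLE_EVE_LINES)
    for etype, n in sorted(result["event_counts"].items()):
        print(f"{etype:10s} {n}")
    for alert in result["alerts"]:
        print(f"alert sid={alert['sid']} sev={alert['severity']} {alert['src_ip']} -> {alert['dest_ip']}: {alert['signature']}")
    print(f"malformed lines: {result['malformed_lines']}")
    print("installation looks OK" if installation_looks_ok(result) else "no decoded events: check the pcap path and -k none")
```

Run it against /tmp/eve.json after the Suricata step; a count of zero for everything but stats means Suricata ran but decoded nothing, which usually points at a wrong pcap path or a capture whose checksums were rejected.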

Cloud, Hybrid Cloud, and Hyperscale Infrastructure
C228 | Workshops (capacity 24)