The SOC Simulation project was designed to build a small-scale Security Operations Center (SOC) in a controlled lab environment to detect, analyze, and respond to common network-based cyber attacks.
The primary objective was to deploy Suricata as an Intrusion Detection System (IDS) and integrate it with the Wazuh SIEM so that the events it generates from attacks simulated in the lab are ingested, correlated, and visualized. The project focuses on blue team detection, monitoring, and alert analysis rather than on the attacks themselves.
- SOC fundamentals and blue team operations
- Network-based attack detection
- IDS deployment and rule tuning (Suricata)
- SIEM integration and alert correlation (Wazuh)
- Log analysis and event investigation
- Detection of common attack patterns
- Network traffic monitoring using SPAN / port mirroring
- Incident detection and response workflow
- Suricata – Intrusion Detection System (IDS)
- Wazuh – SIEM (log aggregation, correlation, alerting)
- Kali Linux – Attack simulation
- Ubuntu Server – Target host running the monitored services
- Ubuntu Desktop – IDS sensor host running Suricata
- Apache / DNS / FTP / SSH – Monitored services
- Nmap / hping3 / Hydra – Attack tools
- SPAN (Port Mirroring) – Traffic monitoring
The SOC lab consists of:
- Attacker Machine: Kali Linux
- Target Server: Ubuntu Server (Apache, DNS, FTP, SSH)
- Monitoring System: Ubuntu Desktop running Suricata
- Network Devices: Switch and Router
- Monitoring Method: SPAN / Port Mirroring
Traffic on the monitored switch ports is copied to the IDS sensor, which is how a passive sensor is fed in many enterprise SOC deployments. Because the sensor only sees a copy of the traffic, it can detect but not block; blocking would require the inline IDS/IPS deployment listed under future work.
Description:
This diagram shows the complete SOC lab topology, including the attacker machine, target server, IDS sensor, switch, router, and monitoring interfaces.
Description:
SPAN (port mirroring) is configured on the switch to copy the traffic of the monitored ports to the port where the Suricata sniffing interface is attached, allowing passive traffic inspection. One caveat a SPAN-fed sensor inherits: the mirror port has the bandwidth of a single switch port, so when the mirrored ports together exceed it the switch silently drops copied frames and the IDS misses packets; a network TAP avoids this.
Description:
Suricata is installed on the monitoring system and configured (af-packet capture mode) to listen on the mirrored interface and inspect live network traffic. That interface only ever receives a copy of the traffic and needs no IP address; it should be in promiscuous mode with NIC offloading (GRO/LRO) disabled so that Suricata sees frames as they appeared on the wire rather than as reassembled super-packets.
Description:
Custom Suricata rules are written to detect:
- DDoS (SYN flood)
- Port scanning
- SSH brute-force attempts
- IP spoofing
- Malware download attempts
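The five detections above, written out as an added example rule file; these are not the project's own rules, which the page does not reproduce. The example assumes that `HOME_NET` in suricata.yaml is the lab subnet (taken here as 192.168.1.0/24), that the lab has no internet uplink so any other source address must be spoofed, that the local SID range from 1000001 upwards is unused, and that Suricata is version 5 or later (for the `http.response_body` buffer). Counts and windows are loose lab values, not production tuning.

```suricata
# local.rules (added example, not the project's file). Assumptions: HOME_NET
# is the lab subnet 192.168.1.0/24, the lab has no internet uplink, and
# sids 1000001 and up are free. Tune count/seconds to your own traffic.

# 1. SYN flood (hping3 -S --flood). Counts bare SYNs per destination; with
#    'type both' the rule fires at most once per window once count is hit.
alert tcp any any -> $HOME_NET any (msg:"LAB SYN flood suspected"; flags:S,12; threshold: type both, track by_dst, count 500, seconds 10; classtype:attempted-dos; sid:1000001; rev:1;)

# 2. Port scan (nmap -sS). Rules cannot count distinct ports, so instead count
#    the RST/ACK replies the target sends for closed ports back to one scanner
#    (track by_dst = the scanner). A flood of SYNs at an open port does not
#    produce these, which keeps rules 1 and 2 apart.
alert tcp $HOME_NET any -> any any (msg:"LAB port scan suspected (closed-port RST burst)"; flags:RA,12; threshold: type threshold, track by_dst, count 20, seconds 5; classtype:attempted-recon; sid:1000002; rev:1;)

# 3. SSH brute force (hydra ssh://target). Hydra opens many short TCP sessions
#    to port 22; ten new connections from one source in a minute is far above
#    an analyst's interactive use.
alert tcp any any -> $HOME_NET 22 (msg:"LAB SSH brute force suspected"; flags:S,12; flow:to_server; threshold: type both, track by_src, count 10, seconds 60; classtype:attempted-admin; sid:1000003; rev:1;)

# 4. IP spoofing (hping3 -a <addr> or --rand-source). With no uplink, a source
#    outside HOME_NET cannot be genuine; 'type limit' caps it at one alert per
#    source per minute. Expect DHCP discovers (src 0.0.0.0) to trip it, and do
#    not use this rule on a real network without restricting it to bogon ranges.
alert ip !$HOME_NET any -> $HOME_NET any (msg:"LAB source address outside lab subnet (possible spoof)"; threshold: type limit, track by_src, count 1, seconds 60; classtype:bad-unknown; sid:1000004; rev:1;)
#    A source equal to the destination is never legitimate (hping3 -a <target>).
alert ip any any -> any any (msg:"LAB source equals destination (land-style spoof)"; sameip; classtype:bad-unknown; sid:1000005; rev:1;)

# 5. Malware download attempt: a request for the EICAR test file by name, or
#    any HTTP response body that starts with the PE header "MZ".
alert http any any -> any any (msg:"LAB EICAR test file requested"; flow:established,to_server; http.uri; content:"eicar"; nocase; classtype:trojan-activity; sid:1000006; rev:1;)
alert http any any -> any any (msg:"LAB Windows executable served over HTTP"; flow:established,to_client; http.response_body; content:"MZ"; startswith; classtype:trojan-activity; sid:1000007; rev:1;)
```

Save the file as local.rules, add it to `rule-files:` in suricata.yaml, and validate with `suricata -T -c /etc/suricata/suricata.yaml` before restarting the sensor. A rule that trips on normal lab traffic (the SSH rule will if the analyst's own sessions reconnect often) is tuned by raising `count`, lengthening `seconds`, or excluding a known source with a `pass` rule, which is the rule-tuning step the skills list refers to.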
Description:
Suricata writes its alert, flow, and protocol records to eve.json. A Wazuh agent on the sensor reads that file (a `localfile` entry with the `json` log format in the agent's ossec.conf) and forwards the records to the Wazuh manager, whose built-in Suricata decoder and rules turn each IDS alert into a Wazuh alert. The SIEM dashboard then shows the alerts correlated by source, signature, and time, enriched with the agent and host context Wazuh adds.
Description:
A SYN flood attack is launched from Kali Linux using hping3 and successfully detected by Suricata and escalated by Wazuh.
Description:
Nmap is used to perform port scanning, which is detected as reconnaissance activity by the IDS and logged in the SIEM.
Description:
Hydra is used to simulate an SSH brute-force attack, which is detected and escalated as an authentication attack.
Description:
A simulated malware download attempt is detected using custom Suricata rules and visualized in Wazuh.
- Built a functional SOC simulation environment
- Successfully detected multiple real-world attack types
- Integrated IDS with SIEM for centralized visibility
- Demonstrated SOC-style alert investigation
- Gained hands-on blue team experience
- IDS/IPS inline deployment
- Threat intelligence integration
- Automated response (SOAR)
- Cloud-based SIEM ingestion
- Advanced correlation rules
This project demonstrates practical SOC, IDS, and SIEM skills aligned with modern enterprise and cloud security environments.