Network Discovery Monitoring

Detect unauthorized network scanning and reconnaissance activity within the internal network using Wazuh and Suricata IDS.

Lab Environment

Ubuntu Server (Wazuh Manager), Windows 10 Client (Wazuh Agent), Kali Linux (Attacker), Suricata IDS on gateway.

Attack Scenario

Attacker performed Nmap SYN scans, service version detection, and OS fingerprinting across the internal subnet from a compromised Kali Linux machine.

Detection Method

Suricata rules triggered on high-frequency SYN packets targeting multiple ports in rapid succession. Wazuh correlated the Suricata alerts with host-based logs from the Windows agent showing the same connection attempts. Custom rules flagged port scan patterns that exceeded a threshold of distinct ports within a 60-second window.
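The threshold logic in the last sentence, as an added example that is not the lab's own rule set: a Python script that reads Suricata EVE JSON records (the sample lines are constructed, not a real capture), keeps a per-source sliding 60-second window and flags any source that touches 10 or more distinct destination host/port pairs inside that window. The window length, the threshold, the host addresses and the event types are assumptions. It counts host/port pairs rather than ports alone, so a horizontal sweep across several hosts is caught as well as a vertical scan on one host, which goes slightly beyond what the page describes.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed thresholds mirroring the lab's "N ports within a 60-second window"
# rule; tune both to the environment being monitored.
WINDOW_SECONDS = 60
PAIR_THRESHOLD = 10

# Timestamp layout Suricata writes into eve.json, e.g. 2024-01-15T10:00:00.000000+0000
EVE_TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"


def _eve(ts, src, dst, port, event_type="flow"):
    """Build one constructed Suricata EVE JSON line (sample data, not a capture)."""
    return json.dumps({
        "timestamp": ts.strftime(EVE_TS_FMT),
        "event_type": event_type,
        "src_ip": src,
        "dest_ip": dst,
        "dest_port": port,
        "proto": "TCP",
    })


_T0 = datetime(2024, 1, 15, 10, 0, 0, tzinfo=timezone.utc)
_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]

# Constructed sample: a fast scanner, a slow scanner and a benign client.
SAMPLE_EVE_LINES = (
    # 10.0.0.50 probes 12 ports on one host within six seconds (fast SYN scan).
    [_eve(_T0 + timedelta(seconds=0.5 * i), "10.0.0.50", "10.0.0.20", p)
     for i, p in enumerate(_PORTS)]
    # 10.0.0.60 probes the same 12 ports, one every 20 s (220 s in total).
    + [_eve(_T0 + timedelta(minutes=5, seconds=20 * i), "10.0.0.60", "10.0.0.21", p)
       for i, p in enumerate(_PORTS)]
    # 10.0.0.30 is an ordinary client talking to two services.
    + [_eve(_T0 + timedelta(seconds=5), "10.0.0.30", "10.0.0.20", 443),
       _eve(_T0 + timedelta(seconds=90), "10.0.0.30", "10.0.0.20", 443),
       _eve(_T0 + timedelta(seconds=120), "10.0.0.30", "10.0.0.21", 445),
       _eve(_T0 + timedelta(seconds=180), "10.0.0.30", "10.0.0.20", 443)]
)


def parse_eve(lines):
    """Return (timestamp, src_ip, dest_ip, dest_port) tuples sorted by time.

    Only flow and alert records carry the fields we need; other event types
    (stats, dns, ...) are skipped.
    """
    events = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") not in ("flow", "alert"):
            continue
        ts = datetime.strptime(rec["timestamp"], EVE_TS_FMT)
        events.append((ts, rec["src_ip"], rec["dest_ip"], int(rec["dest_port"])))
    events.sort(key=lambda e: e[0])
    return events


def detect_port_scans(events, window_seconds=WINDOW_SECONDS, pair_threshold=PAIR_THRESHOLD):
    """Sliding-window detector: one finding per source that exceeds the threshold.

    For each source IP we keep only the events from the last window_seconds and
    count distinct (dest_ip, dest_port) pairs among them. A source is reported
    once, at the moment it first crosses the threshold, so a long scan does not
    produce one finding per packet.
    """
    windows = defaultdict(deque)
    already_reported = set()
    findings = []
    for ts, src, dst, port in events:
        q = windows[src]
        q.append((ts, dst, port))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct_pairs = {(d, p) for _, d, p in q}
        if len(distinct_pairs) >= pair_threshold and src not in already_reported:
            already_reported.add(src)
            findings.append({
                "src_ip": src,
                "distinct_pairs": len(distinct_pairs),
                "first_seen": q[0][0].isoformat(),
                "last_seen": ts.isoformat(),
            })
    return findings


if __name__ == "__main__":
    for f in detect_port_scans(parse_eve(SAMPLE_EVE_LINES)):
        print(json.dumps(f))
```

With the default 60-second window only 10.0.0.50 is reported; 10.0.0.60 never has more than four probes inside any 60-second span, which is the usual blind spot of a fixed-window threshold. Widening the window to 300 seconds (`detect_port_scans(events, window_seconds=300)`) reports both scanners while the benign client still stays well under the threshold, so the window and threshold need to be chosen together against the traffic actually seen on the segment.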