Intrusion Analysis and Threat Hunting with Suricata

Defending your network starts with understanding your traffic. More than just an IDS/IPS, Suricata can provide the visibility to solve incidents quickly and more accurately by enabling context before, during, and after an alert.

In this 2-day course, you will learn the skills required to identify, respond and protect against threats in their network day to day as well as identify new threats through structured data aggregation and analysis. Hands-on labs consisting of real-world malware and network traffic will reinforce course concepts while utilizing the latest Suricata features. Come and see what you’ve been missing in your network and unlock the full potential of network security, detection, and response.


  • Being able to import and run a VM (minimum 2CPU / 4GB RAM) on your laptop
  • Basic understanding of IDS/IPS/NSM principles
  • Networking concepts such as, TCP/IP
  • Basic linux familiarity

Suricata Advanced Deployment and Architecture

The foundation for effective intrusion detection and response is based on proper sensor placement and configuration. Sensor placement is crucial for developing a comprehensive network security and monitoring solution. Misconfigurations and improper placement can lead to gaps in network visibility, which can allow attackers to go undetected for prolonged periods of time and to penetrate deeper into your network.

In this advanced 2-day course, you will gain the skills necessary to successfully design, deploy and optimize a high-performance network monitoring and security solution. Filled with hands-on exercises and comprehensive demonstrations, this class will elevate your skills to maximize your network visibility and data management with Suricata. We will go in-depth in Suricata configuration and deployment considerations. You will learn which capture method is best for traffic acquisition, maximizing performance with runmodes and dive deep into Suricata’s detection engine and multi-pattern matchers. Discover how to expand Suricata’s detection and output capabilities with Lua scripting as well as anomaly detection and file extraction capabilities. Gain a deeper understanding of performance and tuning considerations through CPU affinity, Numa, threading and NIC RSS hashing. Alongside that understand specifics about deployments the cloud and the pros and cons of those. Details of what and how needs to be in place for the cloud security monitoring. Learn how to perform effective and exhaustive troubleshooting when situations like packet loss and system overloading occur. Finally, learn how to handle elephant flows, work with eXpress Data Path, how output generation affects your deployment and how to integrate Suricata with other tools such as an ELK stack, Splunk and other Linux-based distributions such as SELKS. This class also offers a unique opportunity to bring in-depth use cases, questions, challenges, and new ideas directly to the Suricata team.

You will walk away with adeep technical understanding and hands on experience with Suricata’s versatile arsenal of features and capabilities for a variety of deployment, usage, and integration scenarios.


  • Laptop able to run a VM with at least 2 vCPUs and 6+ GB RAM
  • VMware Player or Latest Virtualbox, VMware Workstation/Fusion Administrative rights
  • No AV / Ability to temporarily disable
  • Please do not bring a company laptop containing sensitive materials or that you cannot modify