IDS / IPS ALERT TRIAGE
NETWORK SECURITY — INCIDENT DETECTION & RESPONSE
SNORT · SURICATA · TRIAGE · CORRELATE · ESCALATE

OBJECTIVES

Triage your first alert
Correctly identify 3 true positives
Correctly identify 2 false positives
Correlate alerts into an attack chain
Look up an IP in Threat Intel
Escalate the attack chain to IR
Triage all 12 alerts
Submit the IR report
PHASE 1 — ALERT TRIAGE
MISSION BRIEF
NETWORK SECURITY — SOC ANALYST

IDS/IPS ALERT TRIAGE

SENSOR: apexlab-suricata-01 — 12 alerts in queue

SCENARIO

You are a SOC Tier-1 analyst. The Suricata IDS has generated 12 alerts in the last hour on the APEXLAB network. Work through the queue — triage each alert, correlate related events, check threat intel, and escalate anything that warrants IR attention.

NETWORK

Subnet          Description
10.10.14.0/24   Internal workstations
10.10.15.0/24   Server DMZ
10.10.16.0/24   Web servers
0.0.0.0/0       External / internet

TRIAGE DECISIONS

  • True Positive — real attack or policy violation
  • False Positive — legitimate traffic, rule needs tuning
  • Investigate — unclear, needs more context
  • Escalate — confirmed attack chain, send to IR

SEVERITY LEVELS

Level          Meaning
1 — Critical   Active exploitation or data exfil
2 — High       Suspicious activity, likely malicious
3 — Medium     Policy violation or anomaly
SURICATA ALERT CONSOLE — apexlab-sensor-01
THREAT INTELLIGENCE LOOKUP
Enter an IP address or domain to check against threat feeds (VirusTotal, AbuseIPDB, OTX)...
ALERT CORRELATION — ATTACK CHAINS
Alerts grouped by source IP and time window. Identify multi-stage attack patterns.
REFERENCE — IDS/IPS TRIAGE
TRIAGE GUIDE
True Positive: Traffic matches a real attack. The rule fired correctly.

False Positive: Legitimate traffic tripping the rule. Common with broad signatures — e.g. a vulnerability scanner used internally triggering an attack rule.

Investigate: Alert has enough indicators to warrant deeper analysis but you cannot yet confirm TP or FP.
FALSE POSITIVE INDICATORS
  • Source IP is internal and known
  • Traffic matches a scheduled task or backup job
  • Alert fires on every host at the same time
  • User-Agent or signature matches a legitimate tool (Nessus, Qualys, etc.)
  • Destination is an internal monitoring system
TRUE POSITIVE INDICATORS
  • Source IP is external or on threat intel feeds
  • Destination is a sensitive internal host
  • Alert correlates with other alerts from the same source
  • Payload contains exploit code, encoded commands, or exfil data
  • Traffic occurs outside business hours
ATTACK CHAIN PATTERNS
Recon (port scan) → Exploit attempt → C2 beacon is the classic chain. Look for the same source IP appearing across multiple alert types in sequence.

Lateral movement: internal host triggering alerts against other internal hosts after an initial compromise.
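The correlation view groups alerts by source IP and time window, and the patterns above describe what to look for in each group. The following Python is an added example, not part of the lab, showing one way to do that grouping and to label each chain with one of the triage decisions; the stage keywords, the 30-minute window and the EVE-JSON-style sample alerts are assumptions constructed for the example, while the internal subnets are the ones in the lab's network table.

```python
import ipaddress, json
from datetime import datetime, timedelta
# Subnets come from the lab's network table; stage keywords, their order and the window are assumptions.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.10.14.0/24", "10.10.15.0/24", "10.10.16.0/24")]
STAGES = {"recon": ("SCAN", "PROBE"), "exploit": ("EXPLOIT", "SQLI", "SHELL"), "c2": ("C2", "BEACON")}
WINDOW = timedelta(minutes=30)
# Constructed EVE-JSON-style alert lines (not the lab's real queue), one object per line.
SAMPLE_EVE = """\
{"timestamp":"2024-05-01T02:05:00.000000+0000","src_ip":"203.0.113.42","dest_ip":"10.10.16.5","alert":{"signature":"SCAN port sweep"}}
{"timestamp":"2024-05-01T02:12:00.000000+0000","src_ip":"203.0.113.42","dest_ip":"10.10.16.5","alert":{"signature":"EXPLOIT web shell upload attempt"}}
{"timestamp":"2024-05-01T02:20:00.000000+0000","src_ip":"203.0.113.42","dest_ip":"10.10.16.5","alert":{"signature":"C2 command response from known server"}}
{"timestamp":"2024-05-01T03:00:00.000000+0000","src_ip":"10.10.14.20","dest_ip":"10.10.15.8","alert":{"signature":"SCAN SMB share enumeration"}}
{"timestamp":"2024-05-01T03:06:00.000000+0000","src_ip":"10.10.14.20","dest_ip":"10.10.15.9","alert":{"signature":"EXPLOIT SMB overflow attempt"}}
{"timestamp":"2024-05-01T09:00:00.000000+0000","src_ip":"10.10.14.7","dest_ip":"10.10.16.5","alert":{"signature":"SCAN port sweep"}}
"""
def stage_of(signature):
    """Map a signature to recon / exploit / c2 by keyword, or 'other' if nothing matches."""
    return next((s for s, kws in STAGES.items() if any(k in signature.upper() for k in kws)), "other")
def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def classify(src, events):
    """Triage decision for one chain of (time, dest, signature) tuples from a single source."""
    stages = [stage_of(sig) for _, _, sig in events]
    seen = [s for s in STAGES if s in stages]            # stages present, in kill-chain order
    firsts = [stages.index(s) for s in seen]             # first sighting of each stage
    ordered = firsts == sorted(firsts)                   # recon before exploit before C2?
    decision = ("Escalate" if ordered and len(seen) == 3 else       # full chain: send to IR
                "Investigate" if ordered and len(seen) >= 2 else    # partial chain: needs context
                "Triage individually")
    lateral = is_internal(src) and all(is_internal(d) for _, d, _ in events)
    return {"src": src, "alerts": len(events), "stages": seen, "lateral": lateral, "decision": decision}

def build_chains(eve_text, window=WINDOW):
    """Group alerts by src_ip, then split each group wherever the gap between alerts exceeds window."""
    by_src = {}
    for ev in map(json.loads, filter(str.strip, eve_text.splitlines())):
        ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        by_src.setdefault(ev["src_ip"], []).append((ts, ev["dest_ip"], ev["alert"]["signature"]))
    chains = []
    for src, events in by_src.items():
        events.sort()
        run = [events[0]]
        for ev in events[1:]:
            if ev[0] - run[-1][0] > window:              # gap too long: close the current chain
                chains.append(classify(src, run))
                run = []
            run.append(ev)
        chains.append(classify(src, run))
    return chains
```

On the sample, the external source gets "Escalate" for a full recon, exploit, C2 sequence, the internal workstation scanning and exploiting DMZ servers gets "Investigate" with the lateral-movement flag set, and the lone internal scan is left for individual triage.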
SNORT/SURICATA RULE FORMAT
action proto src_ip src_port -> dst_ip dst_port (msg:"..."; sid:N; rev:N;)
  • action: alert, drop, reject, pass
  • msg: human-readable alert name
  • sid: unique signature ID
  • content: payload match string
  • threshold: suppress repeated alerts