Module 4: Network and File Detections
Extend detection beyond the SIEM — build Suricata network rules, YARA file rules, and combine all three for defense-in-depth.
Tools: Suricata + EveBox, YARA
3 Lessons
2 Hands-on Labs
Lessons & Labs
Lesson 4.1 — Suricata Rule Engineering
Syntax, content matching, flowbits, performance tuning — building production network detection rules.
Lab 4.1 — Build a Suricata Rule
Write Suricata rules to detect specific network patterns, test against PCAP data in EveBox, and tune for precision.
Lesson 4.2 — YARA for Detection Pipelines
Production YARA rules, CI validation, false positive management in file-based detection.
Lab 4.2 — Build a YARA Detection Rule
Create YARA rules targeting malware characteristics, validate against sample files, and measure false positive rates.
Lesson 4.3 — Multi-Layer Detection Strategy
Combining Sigma + Suricata + YARA for defense-in-depth — coverage overlap, gap analysis, and rule coordination.