NODE_STATUS: ACTIVE
DOC_VER: 1.0.4
LOCATION: HOME_LAB
PLATFORM: FEDORA_42
WAZUH: v4.9 // RUNNING
IDS: SURICATA // ACTIVE
ALERTS_INDEXED: 600+
SYSTEM OPERATIONAL
UNCLASSIFIED | CYBERSECURITY HOME LAB PROJECT

HOME SECURITY OPERATIONS CENTER

A fully self-hosted SOC running on a Fedora 42 Linux mini PC. Detects network intrusions, monitors endpoints in real time, and delivers threat intelligence — built entirely on open-source tools used in enterprise security operations.

[ SYSTEM_TELEMETRY // LIVE ]
Total Cost
$0
Endpoints
1 node
Tools Deployed
7+
Uptime
24/7
HOST intel-nuc
OS Fedora Linux 42 // x86_64
WAZUH_MGR v4.9 // RUNNING
SURICATA IDS // ACTIVE
AGENT_STATUS ThinkPad T14 // CONNECTED
SSH_PORT custom port number // KEY_AUTH_ONLY
INDEXER OpenSearch // 600+ docs

The Full Stack

Every tool is free and open-source — the same stack deployed in enterprise SOCs worldwide.

[ LAYER: HOST_DETECTION ] HIDS + SIEM
Wazuh
// HIDS + SIEM Engine
Host-based intrusion detection across both machines. Monitors logins, file integrity, running processes, and auto-maps every alert to MITRE ATT&CK and compliance frameworks.
● ACTIVE Intel NUC · v4.9
[ LAYER: NETWORK_IDS ] SIGNATURE ENGINE
Suricata
// Network IDS
Inspects all traffic using 40,000+ Emerging Threats community rules plus custom local rulesets. Outputs structured JSON for consumption by the Python alert engine.
● ACTIVE NUC interface · ET Rules
[ LAYER: ALERT_PIPELINE ] CUSTOM ENGINE
Python
// Alert Engine
Real-time log tailer that filters by severity, enriches critical alerts with VirusTotal IP reputation data, and fires Telegram push notifications within seconds of detection.
● RUNNING systemd service
[ LAYER: NOTIFICATION ] PUSH DELIVERY
Telegram
// Alert Delivery
Real-time push notifications to both operator phones within seconds. Each alert includes severity, source IP, destination, MITRE technique ID, and VirusTotal score.
● BOT ACTIVE Dual recipients
[ LAYER: INDEXER ] SEARCH + STORAGE
OpenSearch
// Alert Index
Wazuh's indexer stores every alert in a fully searchable document store. Filebeat ships alerts continuously from log files for historical analysis and dashboard visualization.
● INDEXED 600+ documents
[ LAYER: BASE_OS ] HARDENED SERVER
Fedora 42
// Base OS
Always-on Intel NUC mini PC. Hardened with key-based SSH on a custom port, root login disabled, firewalld rules active, and automatic security updates enabled.
● HARDENED NUC + ThinkPad T14

Architecture

Two machines, one centralized SOC. Network and host detection working in parallel.

[ TOPOLOGY // DATA FLOW ]
[ ENDPOINT ] ThinkPad T14 · Fedora 42 · Wazuh agent → manager :1514
[ NET_IDS ] Suricata · 40k+ ET rules · eve.json (on the Intel NUC, Fedora 42)
[ HIDS_MGR ] Wazuh manager v4.9 · MITRE ATT&CK · alerts.json
[ LOG_SHIP ] Filebeat ships JSON → OpenSearch
[ INDEXER ] OpenSearch · 600+ alerts · full-text search
[ DASHBOARD ] Wazuh UI
[ ALERT_ENGINE ] Python + Telegram · reads alerts.json
Legend: alert flow · index pipeline · agent / notify
01
Traffic hits Suricata
All NUC network traffic inspected against 40,000+ Emerging Threats rules plus custom local rulesets.
02
Wazuh catches host events
ThinkPad agent ships every login, sudo command, and file change to the NUC manager in real time.
03
Alerts indexed
Filebeat ships into OpenSearch — stored, searchable, and tagged with MITRE ATT&CK techniques.
04
Python filters and enriches
Alert engine tails the JSON log stream, drops low-severity noise, and queries VirusTotal for the reputation of suspicious source IPs.
05
Telegram delivers instantly
Critical alerts reach both phones within seconds — with context, severity, and threat intelligence.
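The alert pipeline described above (steps 01, 04 and 05, and the Python alert engine in the stack list) can be reduced to four pieces: follow the JSON log by byte offset so a restart never re-sends old alerts, drop records below a severity threshold, enrich only public source addresses, and hand a formatted message to a notifier. The following is an added example written for this page, not the project's own engine. It assumes Suricata's eve.json layout for alert records (event_type, src_ip, dest_ip, alert.severity, alert.signature, alert.metadata.mitre_technique_id), uses a constructed reputation table in place of the VirusTotal API, and collects messages in a list where the real service would call Telegram's sendMessage endpoint.

```python
"""Tail eve.json -> severity filter -> enrichment -> notification.
Added example for the home SOC page; not the project's own alert engine."""
import json
import tempfile
from pathlib import Path
from typing import Callable, Iterator, Optional

# Suricata alert.severity: 1 is the most severe, 3 the least (ET rule convention).
SEVERITY_THRESHOLD = 2                              # forward 1 and 2, drop 3 as noise
PRIVATE_PREFIXES = ("10.", "192.168.", "127.")      # never spend VT quota on local addresses


def tail_json_lines(path: Path, from_offset: int = 0) -> Iterator[tuple[int, dict]]:
    """Yield (offset_after_line, record) for each complete JSON line past from_offset.
    A trailing line without '\\n' is still being written by Suricata; it is left
    unread so the next pass picks it up once it is complete."""
    with path.open("rb") as fh:
        fh.seek(from_offset)
        while True:
            raw = fh.readline()
            if not raw or not raw.endswith(b"\n"):
                return                              # EOF or partial record
            line = raw.strip()
            if not line:
                continue
            try:
                yield fh.tell(), json.loads(line)
            except json.JSONDecodeError:
                continue                            # corrupt line: skip, don't crash the service


def is_actionable(rec: dict) -> bool:
    """Keep only alert records at or above the configured severity."""
    if rec.get("event_type") != "alert":
        return False
    return int(rec.get("alert", {}).get("severity", 3)) <= SEVERITY_THRESHOLD


def needs_enrichment(ip: str) -> bool:
    return bool(ip) and not ip.startswith(PRIVATE_PREFIXES)


def format_alert(rec: dict, reputation: Optional[str]) -> str:
    """Build the message body: severity, signature, 5-tuple, MITRE id, VT verdict."""
    alert = rec["alert"]
    meta = alert.get("metadata", {})                # ET rules carry MITRE ids here (assumed layout)
    technique = ", ".join(meta.get("mitre_technique_id", [])) or "n/a"
    return "\n".join([
        f"[SEV {alert['severity']}] {alert.get('signature', '?')}",
        f"src {rec.get('src_ip')}:{rec.get('src_port')} -> "
        f"dst {rec.get('dest_ip')}:{rec.get('dest_port')} {rec.get('proto', '')}",
        f"SID {alert.get('signature_id')} · MITRE {technique}",
        f"VirusTotal: {reputation or 'not queried'}",
    ])


def process(path: Path, offset: int,
            enrich: Callable[[str], Optional[str]],
            notify: Callable[[str], None]) -> int:
    """One pass over new lines; returns the offset to persist for the next pass."""
    for offset, rec in tail_json_lines(path, offset):
        if not is_actionable(rec):
            continue
        src = rec.get("src_ip", "")
        verdict = enrich(src) if needs_enrichment(src) else None
        notify(format_alert(rec, verdict))
    return offset


def run_demo() -> dict:
    """Exercise the pipeline offline on constructed eve.json records."""
    records = [  # constructed sample records, not real Suricata output
        {"event_type": "alert", "src_ip": "203.0.113.7", "src_port": 51515,
         "dest_ip": "192.168.1.33", "dest_port": 22, "proto": "TCP",
         "alert": {"signature": "CONSTRUCTED SSH brute-force signature", "signature_id": 9000001,
                   "severity": 1, "metadata": {"mitre_technique_id": ["T1110"]}}},
        {"event_type": "flow", "src_ip": "192.168.1.50", "dest_ip": "192.168.1.33"},
        {"event_type": "alert", "src_ip": "198.51.100.9", "dest_ip": "192.168.1.33",
         "alert": {"signature": "CONSTRUCTED info-level signature", "signature_id": 9000002,
                   "severity": 3}},
        {"event_type": "alert", "src_ip": "192.168.1.50", "src_port": 40000,
         "dest_ip": "192.168.1.33", "dest_port": 1514, "proto": "TCP",
         "alert": {"signature": "CONSTRUCTED lateral-movement signature", "signature_id": 9000003,
                   "severity": 2}},
    ]
    text = "".join(json.dumps(r) + "\n" for r in records)
    partial = '{"event_type": "alert", "src_ip": "203.0.113.8"'   # Suricata still writing this one
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
        fh.write(text + partial)
        path = Path(fh.name)
    reputation = {"203.0.113.7": "3/94 engines flagged (constructed)"}  # stands in for VirusTotal
    sent: list[str] = []                                                # stands in for Telegram
    offset = process(path, 0, reputation.get, sent.append)
    path.unlink()
    return {"messages": sent, "offset": offset, "unread": (text + partial)[offset:]}


if __name__ == "__main__":
    for msg in run_demo()["messages"]:
        print(msg, "\n")
```

Persisting the returned offset (a small state file next to the service) is what makes the engine safe to restart as a systemd unit: it resumes where it stopped instead of replaying the whole log into Telegram. The same `process` loop works unchanged on Wazuh's alerts.json if `is_actionable` and `format_alert` are given that file's field names instead.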

The Team

Two roles, clearly divided — infrastructure and detection running in parallel.

[ ROLE: INFRASTRUCTURE_ENGINEER // NODE_A ]
Operator
Kathlyn
@kat2120 · Infrastructure & Operations
  • Fedora 42 server setup and system hardening
  • Wazuh HIDS — manager, indexer, dashboard
  • SSL certificate bootstrapping and PKI config
  • SSH hardening — custom port, key-based auth
  • Firewall configuration with firewalld
  • Filebeat pipeline to OpenSearch
  • Wazuh agent deployment on ThinkPad endpoint
[ ROLE: DETECTION_ENGINEER // NODE_B ]
Operator
Richard
Detection & Response
  • Suricata IDS installation and performance tuning
  • Custom Suricata detection rule authoring
  • Python alert engine development
  • VirusTotal API integration and enrichment
  • Telegram bot and notification formatting
  • Malware sample analysis and write-ups
  • MITRE ATT&CK technique mapping

Setup Guides

Full step-by-step field manuals. Reproduce this entire setup from scratch.

Challenges Solved

We didn't follow a tutorial. Here's what actually broke and how we fixed it.

01
[ SUBSYSTEM: SSL_PKI // WAZUH_CERTS ]
SSL Certificate Bootstrapping
The all-in-one installer exited early because the manager was already partially installed, leaving the indexer, dashboard, and Filebeat without SSL certificates. Diagnosed from OpenSearch error logs, ran wazuh-certs-tool.sh manually, and placed each cert with exact ownership and permissions.
// LESSON: Always run the Wazuh installer on a completely clean system.
02
[ SUBSYSTEM: CONFIG_PARSING // XML_VALIDATION ]
ossec.conf XML Corruption
Config file had two issues — a mismatched closing tag on line 26 and a duplicate <ossec_config> root element inside the cluster block with a missing closing tag. Used Python's XML parser to identify exact line numbers, repaired the file with targeted sed and Python scripts.
// LESSON: Always validate XML config files before restarting services. Always keep a backup.
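Validating ossec.conf with a stock XML parser has one catch: Wazuh allows several top-level <ossec_config> blocks in one file, so the file as a whole is not a well-formed XML document and a naive parse fails on the second block even when the config is fine. The checker below is an added example, not a Wazuh tool or the script used on this page. It wraps the file in a synthetic root on the same line (so reported line numbers stay correct), reports the parser's line and column for a mismatched or missing tag, and then flags any <ossec_config> element that is nested inside another block, which is the second defect described above. The sample configs are constructed.

```python
"""Pre-restart check for ossec.conf: well-formedness plus misplaced <ossec_config> blocks.
Added example; not part of Wazuh or of the project's own tooling."""
import re
import sys
import xml.etree.ElementTree as ET
from typing import Optional

XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")   # a declaration would break the wrapper trick


def check_ossec_conf(text: str) -> dict:
    """Return well_formed, error=(line, col, msg) or None, blocks, misplaced."""
    body = XML_DECL.sub("", text, count=1)
    # Same-line wrapper: no newline added, so expat's line numbers match the file.
    wrapped = f"<root>{body}</root>"
    try:
        root = ET.fromstring(wrapped)
    except ET.ParseError as err:
        line, col = err.position                 # 1-based line, 0-based column
        return {"well_formed": False, "error": (line, col, str(err)),
                "blocks": 0, "misplaced": []}
    blocks = [c for c in root if c.tag == "ossec_config"]
    # Any ossec_config whose parent is not the synthetic root is nested inside another block.
    parent = {child: p for p in root.iter() for child in p}
    misplaced = [parent[e].tag for e in root.iter("ossec_config") if parent[e] is not root]
    return {"well_formed": True, "error": None, "blocks": len(blocks), "misplaced": misplaced}


# Constructed samples (not real Wazuh configs): a valid two-block file, a mismatched
# closing tag on line 3, and an ossec_config nested inside the cluster block.
GOOD = """<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
  </global>
</ossec_config>
<ossec_config>
  <localfile>
    <location>/var/log/secure</location>
  </localfile>
</ossec_config>
"""

BAD_TAG = """<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_outpt>
  </global>
</ossec_config>
"""

NESTED = """<ossec_config>
  <cluster>
    <name>wazuh</name>
    <ossec_config>
    </ossec_config>
  </cluster>
</ossec_config>
"""


def report(text: str) -> Optional[str]:
    """Human-readable verdict, or None when the file is clean."""
    r = check_ossec_conf(text)
    if not r["well_formed"]:
        line, col, msg = r["error"]
        return f"not well-formed at line {line}, column {col}: {msg}"
    if r["misplaced"]:
        return "ossec_config nested inside: " + ", ".join(r["misplaced"])
    return None


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else NESTED
    print(report(source) or "ossec.conf looks structurally sound")
```

Run it as `python check_ossec.py /var/ossec/etc/ossec.conf` before `systemctl restart wazuh-manager`; a non-None report is the cue to restore the backup rather than restart.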
03
[ SUBSYSTEM: TLS // CERTIFICATE_BINDING ]
Filebeat Certificate Mismatch
Filebeat failed with "x509: certificate valid for 192.168.1.33, not 127.0.0.1". The SSL certificate was generated for the server's actual IP, but the Filebeat config pointed to localhost. Diagnosed from reading the exact error message.
// LESSON: Never use 127.0.0.1 when certs are generated for a specific IP address.
04
[ SUBSYSTEM: OPENSEARCH // INDEX_MAPPING ]
OpenSearch Field Mapping Conflicts
Dashboard panels threw illegal_argument_exception because fields like agent.name were mapped as text instead of keyword type, preventing aggregation. Existing indices can't be remapped — fixed by applying a correct index template so all future daily indices are created with proper field types.
// LESSON: Apply index templates before data starts flowing, not after.
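The mapping problem above has two halves: finding which fields an existing index maps as plain text (those cannot be used in terms aggregations, hence the illegal_argument_exception in dashboard panels) and writing an index template so the next daily index maps them correctly. The helper below is an added example, not Wazuh's template or the project's own fix. It walks the properties tree returned by GET <index>/_mapping, lists dotted paths mapped as text with no keyword sub-field, and builds a composable index template body for PUT _index_template/<name>; the index pattern wazuh-alerts-4.x-* and the sample mapping are assumptions for the demo.

```python
"""Detect unaggregatable text fields in an OpenSearch mapping and emit a corrective
index template. Added example; not Wazuh's own template or the project's script."""
import json

# Constructed excerpt of what GET wazuh-alerts-*/_mapping returns under mappings.properties.
SAMPLE_MAPPING = {
    "agent": {"properties": {"name": {"type": "text"},          # aggregation on this fails
                             "id": {"type": "keyword"}}},
    "rule": {"properties": {"description": {"type": "text",
                                            "fields": {"keyword": {"type": "keyword"}}},
                            "level": {"type": "long"}}},
    "full_log": {"type": "text"},                                # text by design, but flagged
}


def unaggregatable_fields(properties: dict, prefix: str = "") -> list[str]:
    """Dotted paths of fields mapped as text without any keyword sub-field."""
    bad: list[str] = []
    for name, spec in properties.items():
        path = f"{prefix}{name}"
        if "properties" in spec:                        # object field: recurse
            bad.extend(unaggregatable_fields(spec["properties"], path + "."))
        elif spec.get("type") == "text":
            subfields = spec.get("fields", {})
            # text with a .keyword sub-field can still be aggregated on field.keyword
            if not any(f.get("type") == "keyword" for f in subfields.values()):
                bad.append(path)
    return bad


def build_template(paths: list[str], pattern: str = "wazuh-alerts-4.x-*",
                   keep_text: bool = False) -> dict:
    """Nest dotted paths back into a properties tree with each leaf mapped for aggregation.
    keep_text=True keeps full-text search and adds a .keyword multi-field instead."""
    leaf = ({"type": "text", "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}}
            if keep_text else {"type": "keyword"})
    props: dict = {}
    for path in paths:
        node = props
        parts = path.split(".")
        for part in parts[:-1]:
            node = node.setdefault(part, {"properties": {}})["properties"]
        node[parts[-1]] = json.loads(json.dumps(leaf))   # fresh copy per leaf
    return {"index_patterns": [pattern],
            "priority": 10,                              # must outrank any broader template
            "template": {"mappings": {"properties": props}}}


if __name__ == "__main__":
    flagged = unaggregatable_fields(SAMPLE_MAPPING)
    print("text-only fields:", flagged)
    # agent.name is an identifier: keyword. full_log is searched, not aggregated: leave it out.
    print(json.dumps(build_template([p for p in flagged if p != "full_log"]), indent=2))
```

Because existing indices cannot be remapped, the template only affects indices created after it is installed; the page's observation that daily indices pick it up the next day follows from that. If historical dashboards matter, reindex the old daily indices into new names that match the pattern.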

Dashboard Views

Live captures from the Wazuh dashboard, OpenSearch, and Suricata alert feeds.

[ WAZUH // SECURITY_EVENTS_OVERVIEW ] IMG-001
Security Events Overview
Wazuh dashboard main view — alert volume over time, severity distribution, top agents, and MITRE ATT&CK coverage heatmap.
[ SURICATA // NETWORK_ALERT_FEED ] IMG-003
Suricata Alert Feed
Real-time network IDS alert stream — rule signatures, source/destination IPs, protocol, and severity for traffic flagged against the Emerging Threats ruleset.
[ WAZUH // AGENT_STATUS_PANEL ] IMG-005
Agent Status Panel
Wazuh agent management view showing ThinkPad T14 connection status, last keepalive, OS version, agent version, and active policy groups.
[ TELEGRAM // ALERT_NOTIFICATION ] IMG-006
Telegram Alert Notification
Push notification sample from the Python alert engine — severity level, rule ID, source IP, MITRE technique, and VirusTotal reputation score delivered in real time.