
Build a Network Security Monitoring Stack in VirtualBox: From Capture to Alerts with tshark, Zeek, and Suricata
Published by Brav
TL;DR
- I set up a three-layer monitoring stack in VirtualBox using tshark, Zeek, and Suricata.
- Promiscuous mode and VirtualBox span ports give the Ubuntu server full visibility of VM traffic.
- tshark captures raw packets, Zeek turns them into structured logs, and Suricata flags threats in real time.
- The stack runs on a single Ubuntu server, keeping CPU and memory usage in check with proper tuning.
- You can feed the logs into a SIEM or watch them locally with tail -f for instant alerts.
Why this matters
I remember the day I was in a lab and the Ubuntu server couldn’t see traffic between the Ubuntu desktop and Windows 10 VM. The server was silent, as if it didn’t exist on the network. The only way to get a bird’s-eye view of what was happening inside the virtual environment was to enable promiscuous mode on the server’s NIC and copy every packet the host was passing between VMs. Without that, SOC analysts would miss lateral movement, port scans, and the subtle signs of a compromise. This lack of visibility is a pain point that every defender faces when working inside a virtual lab or a production network that relies on software-defined switches.
Core concepts
Think of your monitoring stack as a watchtower on a hill. The base layer is raw packet capture – the very first record of every byte that travels across the network. From there, you climb two more levels: protocol analysis turns raw bytes into human-readable conversations, and threat detection scours those conversations for malicious patterns. In practice, the three layers are:
- Raw packet capture – tshark grabs packets with minimal overhead (tshark — Wireshark command-line packet capture tool, 2024).
- Protocol analysis – Zeek processes a capture file and outputs structured logs such as conn.log, http.log, and dns.log (Zeek — Book of Zeek Quick Start, 2024).
- Threat detection – Suricata runs in IDS/IPS mode, applies a large rule set, and writes alerts to fast.log (Suricata — User Guide, 2024).
Promiscuous mode is essential for the watchtower to see traffic that is not addressed to it. With the server’s adapter set to Promiscuous Mode: “Allow VMs” in VirtualBox, the Ubuntu server receives every packet the host forwards on that host-only network. VirtualBox’s span/mirror ports and dedicated network taps provide the same function without touching the server’s NIC.
How to apply it
Below is a step-by-step playbook that will get you a working stack in under an hour. All commands are written for Ubuntu 22.04, but they work on any recent Debian-based distro.
1. Create the virtual network
- Open VirtualBox and create a Host-Only Adapter named vboxnet0.
- Spin up three VMs:
  - Ubuntu Server (watchtower) – 2 GB RAM, 2 vCPU
  - Ubuntu Desktop – 4 GB RAM, 2 vCPU
  - Windows 10 – 4 GB RAM, 2 vCPU
- Attach each VM to vboxnet0.
- In the Ubuntu server’s network settings, set the adapter to Promiscuous Mode: Allow VMs.
- Enable Port Mirroring (or use a Network TAP) on the host to copy all traffic to the server’s NIC.
2. Install tshark
```bash
sudo apt update
sudo apt install -y tshark
```
Verify it can list interfaces:
```bash
tshark -D
```
You should see vboxnet0 as enp0s8 or similar. Capture a 40-second burst with an ICMP filter (ping traffic):
```bash
sudo tshark -i enp0s8 -f "icmp" -w /tmp/capture.pcapng -a duration:40
```
tshark can handle thousands of packets per second on a modest CPU, so you can increase the duration or remove the filter for a full-bandwidth capture.
3. Install Zeek
```bash
# Build Zeek from source (the build needs cmake, make, a C++ compiler, flex, bison,
# libpcap-dev, libssl-dev, python3-dev, swig and zlib1g-dev installed first)
wget https://zeek.org/zeek-release/Zeek-4.1.4.tar.gz
tar xzf Zeek-4.1.4.tar.gz
cd Zeek-4.1.4
# --prefix puts the install under /opt/zeek, the path the commands below use
./configure --prefix=/opt/zeek && make && sudo make install
```
Run Zeek on the capture file:
```bash
sudo /opt/zeek/bin/zeek -r /tmp/capture.pcapng
```
Logs will appear in the current directory (conn.log, http.log, dns.log and others, depending on what the capture contains). Zeek’s conn.log is a goldmine for SOC analysts because it lists every connection with timestamps, bytes transferred, and connection state.
4. Install Suricata
```bash
sudo apt install -y suricata
```
Update the rule set:
```bash
sudo suricata-update
```
Configure Suricata to listen on the same interface. Edit /etc/suricata/suricata.yaml:
```yaml
af-packet:
  - interface: enp0s8
    threads: 2
    defrag: yes
```
Start Suricata:
```bash
sudo suricata -c /etc/suricata/suricata.yaml -i enp0s8
```
Suricata will output alerts to /var/log/suricata/fast.log. A simple Python HTTP server running on the desktop will trigger the built-in rule http-simple-server, and an nmap SYN scan will hit the http-scan rule that triggers after 50 SYN packets in 30 seconds.
5. Correlate logs
The three layers are powerful, but to get actionable insight you need to put them together. One simple way is to tail the two text logs in a single terminal (the .pcapng is a binary file, so read it with tshark -r instead of tail; note that zeek -r writes its logs to the directory you ran it from):
```bash
sudo tail -f /opt/zeek/logs/conn.log /var/log/suricata/fast.log
tshark -r /tmp/capture.pcapng
```
For production, ship the logs to a SIEM with syslog or beats. For example, use Filebeat to forward suricata/fast.log to Elasticsearch, and use a Kibana dashboard to visualize alerts in real time.
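Tailing the files side by side shows the alerts and the connections, but the join still happens in your head. The script below is an added example (my code, not the post’s or the Zeek/Suricata projects’) of what that correlation looks like once it is automated: it parses Suricata fast.log lines with a regex, parses Zeek conn.log using the #fields header rather than hard-coded column numbers, and attaches the Zeek connection record (uid, state, byte counts) to each alert that shares the same 5-tuple within a two-second window. The log lines, the SIDs 1000001/1000002 and the rule names are constructed for the lab; it also assumes both VMs keep UTC, because fast.log timestamps carry no time zone.

```python
"""Join Suricata fast.log alerts to Zeek conn.log records on the 5-tuple.

Added example for the VirtualBox lab; not code from the Zeek or Suricata projects.
Assumption: the VMs run on UTC, because fast.log timestamps carry no zone.
"""
import re
from datetime import datetime, timezone

# Constructed sample alerts. SIDs 1000001/1000002 and the rule names are made up
# for this lab; they are not rules from any real ruleset.
FAST_LOG = """\
03/15/2024-10:15:42.123456  [**] [1:1000001:1] LAB Suspicious User-Agent [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.56.102:51234 -> 192.168.56.101:8000
03/15/2024-10:16:10.500000  [**] [1:1000002:1] LAB Possible SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.56.103:44120 -> 192.168.56.101:22
"""

# Constructed sample conn.log in Zeek's native tab-separated layout. The #fields
# header names the columns, so the parser also works on a real conn.log.
CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring",
    "1710497742.100000\tCabc123\t192.168.56.102\t51234\t192.168.56.101\t8000\ttcp\thttp\t0.250000\t312\t1480\tSF",
    "1710497770.480000\tCdef456\t192.168.56.103\t44120\t192.168.56.101\t22\ttcp\t-\t0.000000\t0\t0\tS0",
    "1710497800.000000\tCghi789\t192.168.56.102\t51300\t192.168.56.101\t53\tudp\tdns\t0.010000\t40\t120\tSF",
    "#close\t2024-03-15-10-20-00",
])

# One fast.log line: timestamp, [gid:sid:rev], message, ..., {PROTO} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)


def parse_fast_log(text):
    """Return one dict per fast.log line; lines that do not match the format are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S.%f")
        alerts.append({
            "ts": ts.replace(tzinfo=timezone.utc).timestamp(),  # assumption: UTC clock
            "sid": int(m["sid"]), "msg": m["msg"], "proto": m["proto"].lower(),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
        })
    return alerts


def parse_conn_log(text):
    """Parse Zeek TSV using the #fields header instead of fixed column positions."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue  # other header lines (#separator, #types, #close) and blanks
        elif fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def _count(value):
    """Zeek writes '-' for unset counters; keep that as None rather than crashing on int()."""
    return None if value in ("-", "(empty)") else int(value)


def correlate(alerts, conns, window=2.0):
    """Attach the Zeek connection with the same 5-tuple (within `window` seconds) to each alert."""
    index = {}
    for c in conns:
        key = (c["id.orig_h"], int(c["id.orig_p"]), c["id.resp_h"], int(c["id.resp_p"]), c["proto"].lower())
        index.setdefault(key, []).append(c)
    out = []
    for a in alerts:
        key = (a["src"], a["sport"], a["dst"], a["dport"], a["proto"])
        conn = next((c for c in index.get(key, []) if abs(float(c["ts"]) - a["ts"]) <= window), None)
        out.append({
            "sid": a["sid"], "msg": a["msg"],
            "flow": f'{a["src"]}:{a["sport"]} -> {a["dst"]}:{a["dport"]}',
            "uid": conn["uid"] if conn else None,            # None = no Zeek context found
            "conn_state": conn["conn_state"] if conn else None,
            "orig_bytes": _count(conn["orig_bytes"]) if conn else None,
            "resp_bytes": _count(conn["resp_bytes"]) if conn else None,
        })
    return out


if __name__ == "__main__":
    for row in correlate(parse_fast_log(FAST_LOG), parse_conn_log(CONN_LOG)):
        print(row)
```

The conn_state column is the part worth reading: the user-agent alert lands on an SF connection (full handshake, data in both directions), while the scan alert lands on an S0 connection (SYN seen, no reply), which is exactly the extra context a fast.log line alone cannot give you. An alert with uid None means Suricata fired on traffic Zeek never recorded, which usually points at a capture or clock problem between the two tools.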
6. Fine-tune
- Promiscuous mode: If you have a more complex topology (bridged adapters, VLANs), you may need to enable promiscuous mode on multiple interfaces or use a network tap.
- CPU throttling: Suricata can consume a lot of CPU on high-traffic segments. Use af-packet with threads: 2 and consider disabling defrag if you’re only interested in packet headers.
- Custom rules: Create a file /var/lib/suricata/rules/custom.rules and add a rule that watches for a malicious user-agent string in HTTP headers. Reload Suricata with sudo systemctl reload suricata.
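As an added example of what that custom rule can look like (written for this post, not taken from the page or the Suricata project), here is a one-rule custom.rules file; the user-agent string badclient and SID 1000001 are placeholders for the lab:

```text
# /var/lib/suricata/rules/custom.rules (added example; SIDs from 1000000 up are reserved for local rules)
alert http any any -> any any (msg:"LAB Suspicious User-Agent"; flow:established,to_server; http.user_agent; content:"badclient"; nocase; classtype:bad-unknown; sid:1000001; rev:1;)
```

Check the configuration with sudo suricata -T -c /etc/suricata/suricata.yaml before reloading, and make sure the file is listed under rule-files in suricata.yaml (or passed to suricata-update with --local), otherwise the next suricata-update run rebuilds the rule set without it.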
Pitfalls & edge cases
- Resource constraints: Running all three tools on a single VM is a performance hit. If you hit 80 % CPU, consider moving Suricata to a separate machine or reducing the number of threads.
- Encrypted traffic: TLS hides payloads; Zeek can log the TLS handshake in ssl.log, but you need to supply the server’s private key for full decryption.
- False positives: Suricata’s default rule set is large (~60,000 rules). Many benign scanners trigger alerts. Keep a whitelist of trusted IPs in /etc/suricata/whitelist.rules.
- Log volume: Zeek produces large log files quickly. Use log rotation (logrotate) and consider compressing old logs.
Quick FAQ
| Question | Answer |
|---|---|
| How do I configure Zeek to monitor multiple interfaces? | Add the --iface flag for each interface or edit the zeekctl.cfg to include interface: eth0,eth1. |
| What are the performance implications of running tshark, Zeek, and Suricata on a single machine? | tshark is lightweight; Zeek and Suricata are CPU heavy. Use a 4-core VM, limit Suricata threads, and monitor memory with htop. |
| How can I integrate this stack with a SIEM platform? | Ship logs via syslog, Filebeat, or Logstash. Map Suricata’s fast.log to the SIEM’s event schema and use the conn.log for context. |
| What is the best practice for managing Suricata rule updates in production? | Run suricata-update on a schedule, test new rules in a staging environment, and keep a backup of the previous rule set. |
| How can I fine-tune promiscuous mode for different network topologies? | For bridged adapters, enable promiscuous mode on the host’s NIC and on the VM NICs. For VLANs, set the NIC to promiscuous and configure VLAN tags in VirtualBox. |
| How do I handle encrypted traffic analysis? | Zeek’s ssl.log captures handshake details; if you own the key, enable ssl-multiprocess and provide the key file. |
| How quickly can Suricata alert on a port scan? | With the default scan.conf, Suricata triggers after 50 SYN packets in 30 seconds. |
Conclusion
You now have a fully functional, end-to-end monitoring stack on a single Ubuntu server inside VirtualBox. Start by capturing a simple ping test, watch Zeek generate connection logs, and trigger Suricata alerts with a local nmap scan. Once you’re comfortable, add real-world traffic: have the Windows VM serve a web page, run a database, or emulate a lateral movement scenario. The stack’s modularity means you can replace Zeek with Argus or Suricata with Snort, but the three-layer approach stays the same.
Actionable next steps:
- Deploy in a test lab: replicate your production network as a set of VMs and run the stack.
- Create custom Suricata rules for the specific applications you run.
- Set up log shipping to your SIEM or a lightweight ELK stack.
- Schedule periodic rule updates and test new signatures in a staging environment.
Who should use this?
SOC analysts and security engineers who need an inexpensive, reproducible lab for training, threat hunting, or continuous monitoring. If you’re a system administrator just looking to spot a rogue file transfer, the three-layer stack may be overkill, but the lessons on promiscuous mode and packet capture are still useful.
References
- tshark — Wireshark command-line packet capture tool (2024) | https://www.wireshark.org/docs/man-pages/tshark.html
- Zeek — Book of Zeek Quick Start (2024) | https://docs.zeek.org/en/master/quickstart.html
- Suricata — User Guide (2024) | https://docs.suricata.io/
- nmap — Official site (2024) | https://nmap.org/
