Your home lab isn't just there for playing around with new operating systems, tools, and self-hosting services to reduce your reliance on the cloud. I mean, it's there for all of those things, but it's also there to learn industry-standard processes and keep on top of where your job might be going in the future. One major component is a hardware firewall, so you can learn about advanced firewall rules and also the other security packages that your firewall's operating system can run.
One important security package is an IDS or Intrusion Detection System. This monitoring tool watches network traffic and reports potential issues based on its ruleset to an administrator and/or an IPS or Intrusion Prevention System. Two open-source IDS/IPS packages that are commonly used in an enterprise setting are Snort and Suricata, and they're just as useful in the home lab.
5 For enhanced threat detection
Traditional firewalls only filter based on static rules
Having a well-configured firewall is one thing, but it's only part of a multi-layered security configuration for your home lab. Adding Snort or Suricata to inspect traffic against its detection rules and log potential issues gives you another layer of the security onion, one you can use to dig deeper and fine-tune firewall rules so that your network is safer overall. That makes your pfSense or OPNsense firewall better in the long run, and if you opt into reporting firewall logging data, you make the overall ruleset used by the IDS better for everyone who uses it.
4 Security learning
Develop valuable skills at home
Home lab usage is all about learning new skills, and IDS/IPS systems like Snort and Suricata are perfect examples of industry-standard packages that are important to learn if you want to get into cybersecurity. But it's not just about learning how to use the tools, setting them up, and analyzing the reams of log files they produce. You can also use your home lab to simulate attacks, seeing the patterns they produce and how you can outwit and outmaneuver those attacks to make your system more secure.
Some common attacks to simulate include Denial of Service (DoS), Pass-the-Hash, port scanning, and brute force attacks. All of these can be detected using rules in Snort or Suricata, and there are several ways to mitigate or guard against each attack, depending on your overall network design. It's also worth considering running a SIEM, or Security Information and Event Management platform, like Splunk or ELK to ingest the logs from your IDS and alert in real-time about suspicious activity.
3 Threat visibility
You can't defend against what you can't see
While both of these tools can detect things like malware phoning home to its command and control servers, the biggest benefit is establishing a baseline of traffic activity for your home lab or overall network. Once you have that baseline, you can create rules that look for non-standard traffic and see what turns up in the logs.
Those might not be actual threats from malware or hackers. The logs could record misbehaving IoT devices, network interfaces that are becoming faulty, or any number of other undesirable things to have on your home lab network. But without those logs, you wouldn't know where to start looking; you'd only know that your network traffic spikes at certain times of the day, without knowing what caused it.
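The kind of log triage a SIEM does over IDS output, covering both the alert ingestion mentioned in the previous section and the traffic baseline described here, as an added Python example that is not from the article or from either project. It assumes Suricata's EVE JSON field names (timestamp, event_type, src_ip, flow.bytes_toserver, alert.signature) and runs over constructed log lines; the business-hours window, the baseline factor and the repeat threshold are assumptions you would tune to your own network.

```python
"""Added example (not from the article): a SIEM-style pass over Suricata EVE JSON
lines. It builds a per-hour byte baseline from 'flow' events, flags hours far
above that baseline, lists flows outside business hours, and groups 'alert'
events so repeated hits from one source stand out. All log lines are constructed."""
import json
import statistics
from collections import Counter
from datetime import datetime

# Constructed sample lines laid out like Suricata's eve.json (not real captures).
SAMPLE_EVE = """\
{"timestamp":"2024-05-06T09:15:02.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"93.184.216.34","dest_port":443,"proto":"TCP","flow":{"bytes_toserver":12000,"bytes_toclient":250000}}
{"timestamp":"2024-05-06T10:05:44.000000+0000","event_type":"flow","src_ip":"10.0.0.7","dest_ip":"93.184.216.34","dest_port":443,"proto":"TCP","flow":{"bytes_toserver":8000,"bytes_toclient":150000}}
{"timestamp":"2024-05-06T11:40:10.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","flow":{"bytes_toserver":500,"bytes_toclient":900}}
{"timestamp":"2024-05-06T14:20:31.000000+0000","event_type":"flow","src_ip":"10.0.0.9","dest_ip":"93.184.216.34","dest_port":443,"proto":"TCP","flow":{"bytes_toserver":20000,"bytes_toclient":300000}}
{"timestamp":"2024-05-07T03:12:55.000000+0000","event_type":"flow","src_ip":"10.0.0.12","dest_ip":"198.51.100.20","dest_port":1883,"proto":"TCP","flow":{"bytes_toserver":9000000,"bytes_toclient":1000000}}
{"timestamp":"2024-05-07T02:01:03.000000+0000","event_type":"alert","src_ip":"203.0.113.9","dest_ip":"10.0.0.5","dest_port":22,"proto":"TCP","alert":{"signature_id":1000001,"signature":"LOCAL SSH brute force attempt","severity":2}}
{"timestamp":"2024-05-07T02:01:09.000000+0000","event_type":"alert","src_ip":"203.0.113.9","dest_ip":"10.0.0.5","dest_port":22,"proto":"TCP","alert":{"signature_id":1000001,"signature":"LOCAL SSH brute force attempt","severity":2}}
{"timestamp":"2024-05-07T02:01:15.000000+0000","event_type":"alert","src_ip":"203.0.113.9","dest_ip":"10.0.0.5","dest_port":22,"proto":"TCP","alert":{"signature_id":1000001,"signature":"LOCAL SSH brute force attempt","severity":2}}
{"timestamp":"2024-05-07T02:01:21.000000+0000","event_type":"alert","src_ip":"203.0.113.9","dest_ip":"10.0.0.5","dest_port":22,"proto":"TCP","alert":{"signature_id":1000001,"signature":"LOCAL SSH brute force attempt","severity":2}}
{"timestamp":"2024-05-06T10:06:00.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"93.184.216.34","dest_port":80,"proto":"TCP","alert":{"signature_id":1000002,"signature":"LOCAL Unexpected browser user-agent","severity":3}}
"""


def parse_eve(text):
    """Parse newline-delimited EVE JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a line truncated at log rotation should not abort triage
    return events


def event_hour(ev):
    """Hour of day from an EVE timestamp such as 2024-05-06T09:15:02.000000+0000."""
    return datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z").hour


def hourly_bytes(events):
    """Total bytes in both directions per hour of day, from flow events only."""
    totals = Counter()
    for ev in events:
        if ev.get("event_type") == "flow":
            flow = ev.get("flow", {})
            totals[event_hour(ev)] += flow.get("bytes_toserver", 0) + flow.get("bytes_toclient", 0)
    return dict(totals)


def anomalous_hours(per_hour, factor=3.0):
    """Hours whose volume exceeds `factor` times the median hour (the baseline)."""
    if not per_hour:
        return []
    baseline = statistics.median(per_hour.values())
    return sorted(h for h, b in per_hour.items() if b > factor * baseline)


def after_hours_flows(events, start=8, end=18):
    """Flows that started outside the [start, end) business-hours window (assumed)."""
    return [ev for ev in events
            if ev.get("event_type") == "flow" and not start <= event_hour(ev) < end]


def alert_summary(events, repeat_threshold=3):
    """Count alerts by (signature, src_ip); keep pairs at or over the threshold."""
    counts = Counter()
    for ev in events:
        if ev.get("event_type") == "alert":
            counts[(ev["alert"]["signature"], ev["src_ip"])] += 1
    return {key: n for key, n in counts.items() if n >= repeat_threshold}


if __name__ == "__main__":
    events = parse_eve(SAMPLE_EVE)
    per_hour = hourly_bytes(events)
    for hour in anomalous_hours(per_hour):
        print(f"hour {hour:02d}:00 carried {per_hour[hour]:,} bytes, well above baseline")
    for ev in after_hours_flows(events):
        print(f"after-hours flow {ev['src_ip']} -> {ev['dest_ip']}:{ev['dest_port']}")
    for (sig, src), n in alert_summary(events).items():
        print(f"{n}x '{sig}' from {src}")
```

Run against a real eve.json, the same three passes surface the 3 AM device that suddenly pushes gigabytes, the flow nobody expected outside office hours, and the single source tripping one signature over and over, which is exactly the starting point the log gives you that a bandwidth graph alone does not.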
2 Customizable protection
Tweak your rulesets based on your home lab needs
While both Snort and Suricata run on rulesets created and maintained by the cybersecurity community, both let you write your own rules tailored to the network you're working on, and these can be very powerful for finding malicious activity. It's worth mentioning that many Snort rules work on Suricata, but not every rule will. There are online rule generators that put the required syntax together for you, and they're often a good starting point, even once you're used to writing rules by hand.
The fun thing about rule-based detection is that every company or network you're designing for is unique and has characteristics you can key detection on. Some companies don't allow remote work, and if you know what time the office is mostly clear of workers, you can create a rule that looks for traffic after that hour. Or you might know which web browser the company uses and can therefore set up rules to look for traffic with other user-agent strings, because the chances of that traffic coming from a company laptop are small. The same concepts work for your home lab when testing vulnerabilities: you know exactly what is installed and how it is configured, so you can craft rules that notify you whenever non-standard traffic shows up.
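A parser and linter for the rule syntax those generators produce, with a simplified matcher that applies the user-agent idea from this section to constructed Suricata EVE http events. This is an added Python example, not the article's code and not either project's own code. The rule text, the sid value and the sample events are constructed; the http.user_agent sticky buffer, content:! negation, nocase and the local-rule sid range of 1,000,000 and above are real Snort/Suricata conventions, while the matcher honours only content/nocase on that one buffer and ignores every other keyword (flow, threshold and so on are parsed but not evaluated).

```python
"""Added example (not from the article): a small parser and linter for
Snort/Suricata-style rules, plus a simplified matcher that evaluates only the
http.user_agent buffer against constructed Suricata EVE 'http' events. Only
the content/nocase keywords on that buffer are honoured; flow, threshold and
every other keyword are parsed but ignored here."""
import re

# Constructed rule in Suricata syntax: alert when an outbound browser request
# does not carry the user-agent of the browser we actually deploy.
UA_RULE = ('alert http $HOME_NET any -> $EXTERNAL_NET any '
           '(msg:"LOCAL Unexpected browser user-agent"; flow:established,to_server; '
           'http.user_agent; content:!"Firefox/"; sid:1000002; rev:1;)')

# Constructed EVE http events (field names follow eve.json's http record).
HTTP_EVENTS = [
    {"src_ip": "10.0.0.5", "http": {"hostname": "example.com",
     "http_user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0"}},
    {"src_ip": "10.0.0.7", "http": {"hostname": "example.com",
     "http_user_agent": "python-requests/2.31.0"}},
]

HEADER = re.compile(
    r"^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")


def split_options(body):
    """Split the option body on ';' characters that sit outside double quotes."""
    parts, buf, in_quote, prev = [], [], False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        prev = ch
    tail = "".join(buf).strip()
    return [p for p in parts + ([tail] if tail else []) if p]


def parse_rule(rule):
    """Return {'header': {...}, 'options': [(keyword, value_or_None), ...]}.
    Option order is preserved because sticky buffers apply to what follows them."""
    m = HEADER.match(rule.strip())
    if not m:
        raise ValueError(f"unparseable rule header: {rule!r}")
    header = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    options = []
    for opt in split_options(m.group("opts")):
        key, sep, val = opt.partition(":")
        options.append((key.strip(), val.strip() if sep else None))
    return {"header": header, "options": options}


def lint_rule(parsed):
    """Checks every local rule should pass: msg/sid/rev present, and sid in the
    local range (1,000,000 and above is reserved for locally written rules)."""
    opts = dict(parsed["options"])
    problems = [f"missing {k}" for k in ("msg", "sid", "rev") if k not in opts]
    sid = opts.get("sid")
    if sid is not None and (not sid.isdigit() or int(sid) < 1_000_000):
        problems.append("sid must be >= 1000000 for local rules")
    return problems


def matches_user_agent(parsed, user_agent):
    """True when every content check bound to http.user_agent is satisfied."""
    if parsed["header"]["proto"] != "http":
        return False
    opts = parsed["options"]
    buffer, checks = None, 0
    for i, (key, val) in enumerate(opts):
        if key.startswith("http."):
            buffer = key  # sticky buffer: later content keywords apply to it
        elif key == "content" and val and buffer == "http.user_agent":
            negate = val.startswith("!")
            needle = val.lstrip("!").strip('"')
            nocase = i + 1 < len(opts) and opts[i + 1][0] == "nocase"
            hay = user_agent.lower() if nocase else user_agent
            if nocase:
                needle = needle.lower()
            if (needle in hay) == negate:  # present-but-negated, or absent-but-required
                return False
            checks += 1
    return checks > 0


def alerting_sources(rule, events):
    """Source IPs whose HTTP requests would trigger the rule."""
    parsed = parse_rule(rule)
    return [ev["src_ip"] for ev in events
            if matches_user_agent(parsed, ev["http"]["http_user_agent"])]


if __name__ == "__main__":
    print("lint:", lint_rule(parse_rule(UA_RULE)) or "ok")
    print("would alert on:", alerting_sources(UA_RULE, HTTP_EVENTS))
```

The linter is the part worth keeping around: a rule with a sid inside the distribution range, or without a rev to bump when you edit it, is the sort of mistake a generator will happily let through and that becomes confusing once your local rules sit alongside the community ruleset.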
1 Both offer slightly different options
Snort can be easier, but you'll have to pay for early rule changes, while Suricata has more features
Both Snort and Suricata have IDS and IPS capabilities, but they differ in ways that might make one better for your use case. Snort is the easier of the two to deploy and to write new rules for as threats emerge. But the Lua scripting support in Suricata means it can craft rules to catch things Snort can't, making it more powerful in some regards, if somewhat harder to deploy. There are a few other major differences as well:
Snort:
- Minor updates every 2–3 weeks
- A wider range of third-party integrations
- Maintained by Cisco Systems
- Paid support options (Personal: $30 per year; Professional: from $300 per year)
- Talos Rules (Personal use: $30 per year; Professional: from $400 per year)
- Lower resource usage
Suricata:
- Major updates every 3 months on average
- Maintained by Open Information Security Foundation (OISF)
- Suricata-Update (rules management tool)
- Has file extraction feature for manual inspection, VirusTotal queries, and automatic sandboxing
Both now have multithreaded architectures for faster detection, and both will be fine for home lab use. It really depends on what resources you have to host them and other considerations, like which package your workplace uses.
Both Snort and Suricata are enterprise-grade security tools that are flexible and work in concert with your other firewall rules
Knowing what's happening on your home lab network is essential for security purposes. Snort and Suricata are both powerful IDS tools that can monitor your network for malicious activity. Which one you choose depends on which platform you're already running and on your other requirements, including performance throughput and whether you need the professional tiers for support and advanced rulesets.
Both Snort and Suricata can also function as an IPS once you have a baseline knowledge of your network traffic, making either a more complete solution without having to find another security package to export detection lists to for further analysis. And for home lab malware analysis, either will show you where that pesky virus is trying to dial home.
