DeepSec 2021 Training: Advanced Deployment and Architecture for Network Traffic Analysis – Peter Manev & Eric Leblond

Sanna/ September 6, 2021/ Training

The foundation for effective intrusion detection and response is proper sensor placement and configuration. Sensor placement is crucial for developing a comprehensive network security and monitoring solution. Misconfigurations and improper placement can lead to gaps in network visibility, which can allow attackers to go undetected for prolonged periods of time and to penetrate deeper into your network. In Advanced Deployment and Architecture for Network Traffic Analysis, you will learn the skills necessary to successfully design, deploy and optimize a high-performance network monitoring and security solution. Filled with hands-on exercises and comprehensive demonstrations, this class will elevate your skills to maximize your network visibility and data management with Suricata. By the end of this course you will have gained a deep technical understanding and hands-on experience with Suricata’s versatile arsenal of features and capabilities for a variety of deployment, usage, and integration scenarios.

This course will go in depth into Suricata configuration and deployment considerations. You will learn which capture method is best for traffic acquisition and how to maximize performance with runmodes, and you will dive deep into Suricata’s detection engine and multi-pattern matchers. Discover how to expand Suricata’s detection and output capabilities with Lua scripting as well as anomaly detection and file extraction capabilities. Gain a deeper understanding of performance and tuning considerations through CPU affinity, NUMA, threading and NIC RSS hashing. Alongside that, understand the specifics of different deployments, including the cloud, and their pros and cons, as well as what needs to be in place for cloud security monitoring and how. Learn how to perform effective and exhaustive troubleshooting when situations like packet loss and system overloading occur.

Finally, learn how to handle elephant flows, work with eXpress Data Path, how output generation affects your deployment and how to integrate Suricata with other tools such as an ELK stack, Splunk and other Linux-based distributions such as SELKS. This class also offers a unique opportunity to bring in-depth use cases, questions, challenges, and new ideas directly to the Suricata team. Take your deployment and configuration skills to an expert level with Advanced Deployment and Architecture for Network Traffic Analysis!

We asked Peter and Eric a few more questions about their training.

Please tell us the top 5 facts about your training.

●  This will be a hands-on workshop
●  We will be sharing insights gained from field experience and real-world deployments
●  The attendees will gain actual implementation suggestions and ideas
●  We will make extensive use of open source tools
●  Instructors are both coding and threat hunting experts

How did you come up with it? Was there something like an initial spark that set your mind on creating this training?

In our experience, most Suricata deployments in the wild are misused or misconfigured. Because of this, the users do not access the full potential of the Suricata engine. This is true in terms of both quantity and in quality of the data and deployment scenarios. In this training we provide actual hands-on activities and real-time feedback that arm the students with options for solving those problems.

Why do you think this is an important topic?

Suricata is widely adopted, but in most cases underutilized. By using the system correctly and optimizing deployments, operators can readily achieve the desired results – in terms of quality and quantity of that data to be used for NSM/NTA, which can further be used and analysed the correct way by a multitude of systems, technologies and SIEMs. Everything from a DB to ELK/Splunk to ML/AI.

Is there something you want everybody to know – some good advice for our readers maybe?

For attendees interested in high speed Suricata, NSM or NTA deployments combined with threat detection, this training will provide immediate value – conveying practical tips and tricks that can be used today.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

From the innovation point of view it is always nice to have more automation, around the correct data. And at the correct ingestion point at the correct time. It will always be challenging from a technology point of view to keep up with all the volumes of data and avoid hype.


Peter Manev has been involved with Suricata IDS/IPS/NSM from its very early days in 2009 as QA lead, and is currently a Suricata executive council member. Peter has 15 years of experience in the IT industry, including enterprise and government level IT security practice. As an adamant admirer and explorer of innovative open source security software, he is also one of the creators of SELKS – an open source threat detection security distro. He is also one of the founders of Stamus Networks, a company providing security solutions based on Suricata.


Eric Leblond is an active member of the security and open source communities. He is a Netfilter Core Team member working mainly on communications between kernel and userland. He has worked on the development of Suricata, the open source IDS/IPS, since 2009 and he is currently one of the Suricata core developers. He is also one of the founders of Stamus Networks, a company providing security solutions based on Suricata.

