
Use Suricata as An Intrusion Detection System on AWS
This is Part 3 of a series. I highly recommend reading the first two posts in order before starting this one:

1️⃣ Secure AWS Lab Setup for Security Engineers: IAM Identity Center + SSM + Zero Open Ports
Learn how to set up AWS IAM Identity Center, SSM Session Manager, and a zero-open-ports EC2 instance. This post assumes you have completed this setup.

2️⃣ Fish Shell Functions for Managing AWS EC2 Instances — Save Time and Billing
Learn how to use fish shell functions (lab-create, lab-connect, lab-snapshot, lab-restore, etc.) to manage your EC2 lab efficiently. The commands in this post assume you have these functions installed.

⚠️ Your instance IP changes every session. Every time you run lab-restore or lab-create, a new EC2 instance is launched with a different private IP address. Before running any commands in this post that reference an IP address (curl tests, nmap, suricata.yaml HOME_NET), always check your current IP first:

    ip addr show enX0 | grep "inet "

Replace 172.31.23.1



