SecurityOnion lab

From k-space wiki

Intro

The goal of this lab is to get familiar with network security monitoring tools such as the Bro IDS and the Kibana dashboard. These tools can be used to discover malicious behaviour in the network.

Equipment

Prerequisites:

  • Adversary simulation node in the network
  • LAN switch with ports 20-24 configured as port mirrors (SPAN ports)
  • PC with at least 4 CPU cores, 8-16 GB RAM, 100 GB to 1 TB of disk space and at least two network interfaces
  • USB key for installing SecurityOnion

Steps

Following the SecurityOnion documentation:

  • Write the SecurityOnion installer image to the memory stick
  • Boot the PC from the memory stick
  • Follow the installation procedure on the screen
  • Configure eth0 as the management interface (DHCP) and eth1 as the monitor port
  • Connect an ethernet cable from eth1 to any of ports 20-24 on the LAN switch
  • Configure ufw to allow port 443 on the management interface

From your laptop, browse to the HTTPS site on the machine's management IP and answer the following questions:

  • What protocol is used for C&C?
  • What are the IP addresses of infected machines?
  • What is the IP address of the C&C server?
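The three questions can be answered from Bro's conn.log once the monitor port is receiving mirrored traffic: a compromised host typically contacts its C&C server at a near-constant interval ("beaconing"), which stands out from bursty, human-driven traffic. The script below is an added example, not part of the k-space lab or of the SecurityOnion project. It parses a constructed conn.log (a trimmed subset of Bro's columns, with addresses from the RFC 5737 documentation ranges) and flags source/destination pairs whose connection intervals have low jitter; the thresholds `min_conns` and `max_jitter` are assumed values, not Bro settings. The same grouping can be done interactively in Kibana, but the script makes the logic explicit.

```python
"""Beacon hunt over a Bro/Zeek conn.log: find hosts that contact one server at a
regular interval, which is the pattern behind the lab's C&C questions."""
from collections import defaultdict
from statistics import mean, pstdev

# Subset of Bro's conn.log columns; order follows the #fields header line
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "service", "conn_state"]


def conn_line(ts, uid, orig, resp, port, proto, service):
    """One tab-separated conn.log record (constructed; fixed ephemeral source port)."""
    return "\t".join([f"{ts:.6f}", uid, orig, "49152", resp, port, proto, service, "SF"])


def build_sample_log():
    """Constructed sample log: two hosts beaconing to 203.0.113.77:443 every 60 s
    with small jitter, plus irregular DNS and web traffic that must not be flagged."""
    lines = ["#separator \\x09", "#fields\t" + "\t".join(FIELDS)]
    uid, base = 0, 1500000000.0
    for host, offset in (("10.0.0.15", 0.0), ("10.0.0.23", 17.0)):
        for i in range(10):
            jitter = 0.4 if i % 2 else -0.3
            uid += 1
            lines.append(conn_line(base + offset + 60.0 * i + jitter, f"C{uid}",
                                   host, "203.0.113.77", "443", "tcp", "ssl"))
    for t in (1.0, 3.0, 10.0, 40.0, 41.0):   # bursty, human-driven lookups
        uid += 1
        lines.append(conn_line(base + t, f"C{uid}", "10.0.0.15",
                               "198.51.100.10", "53", "udp", "dns"))
    for t in (5.0, 300.0):                   # too few connections to judge
        uid += 1
        lines.append(conn_line(base + t, f"C{uid}", "10.0.0.42",
                               "198.51.100.20", "80", "tcp", "http"))
    return "\n".join(lines) + "\n"


def parse_conn_log(text):
    """Parse Bro/Zeek TSV output into dicts keyed by the names in the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # #separator, #types, #close and blank lines
        elif fields is None:
            raise ValueError("conn.log data before #fields header")
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def find_beacons(records, min_conns=5, max_jitter=0.2):
    """Group flows by (orig, resp, port, proto, service) and flag groups whose
    inter-connection gaps are regular: stdev/mean of the gaps <= max_jitter."""
    flows = defaultdict(list)
    for r in records:
        key = (r["id.orig_h"], r["id.resp_h"], r["id.resp_p"], r["proto"], r["service"])
        flows[key].append(float(r["ts"]))
    beacons = []
    for (orig, resp, port, proto, service), times in sorted(flows.items()):
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append({"orig": orig, "resp": resp, "port": port, "proto": proto,
                            "service": service, "interval": avg, "count": len(times)})
    return beacons


def summarize(beacons):
    """Map each suspected C&C endpoint to the sorted list of hosts beaconing to it,
    which answers the protocol, infected-host and C&C-server questions at once."""
    by_server = defaultdict(set)
    for b in beacons:
        by_server[(b["resp"], b["port"], b["proto"], b["service"])].add(b["orig"])
    return {server: sorted(hosts) for server, hosts in by_server.items()}


if __name__ == "__main__":
    for (resp, port, proto, service), hosts in summarize(
            find_beacons(parse_conn_log(build_sample_log()))).items():
        print(f"C&C {resp}:{port} ({proto}/{service}) <- infected: {', '.join(hosts)}")
```

On a real sensor, replace `build_sample_log()` with the contents of `/nsm/bro/logs/current/conn.log` (path as documented by SecurityOnion) and raise `min_conns` for longer captures; a low `max_jitter` keeps chatty but irregular services such as DNS out of the results.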