The goal of this lab is to become familiar with IDS tools such as Bro and Kibana. These tools can be used to discover malicious behaviour in the network.
Required equipment:
- Adversary simulation node in the network
- LAN switch with ports 20-24 configured as port mirrors (SPAN ports)
- PC with at least 4 CPU cores, 8-16 GB RAM, 100 GB to 1 TB of disk space and at least two network interfaces
- USB key for installing Security Onion
Following the Security Onion documentation:
- Copy the Security Onion installer onto the memory stick
- Boot the PC from the memory stick
- Follow the installation procedure on the screen
- Configure eth0 as the management interface (DHCP) and eth1 as the monitor port
- Connect an Ethernet cable from eth1 to any of ports 20-24 on the LAN switch
- Configure ufw to allow inbound port 443 (HTTPS) on the management interface so the web interface is reachable
From your laptop, navigate to the HTTPS site on the management IP of the machine and answer the following questions:
- What protocol is used for C&C (command and control)?
- What are the IP addresses of infected machines?
- What is the IP address of the C&C server?
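One way to work toward these answers is to look at the Bro conn.log that Security Onion collects on the monitor port and search for beaconing: internal hosts that reconnect to the same external host on a near-constant interval. The script below is an added example, not part of the lab or of Security Onion; the conn.log lines, IP addresses and the 60-second interval are constructed for illustration, and the field names follow the standard Zeek conn.log header.

```python
import statistics
from collections import defaultdict

# Constructed sample of Bro/Zeek conn.log lines (TSV), not a real capture: two
# internal hosts beacon to one external host every 60 s; a third browses normally.
CONN_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1000.0\t10.0.0.5\t49152\t203.0.113.7\t443\ttcp\tssl
1060.0\t10.0.0.5\t49153\t203.0.113.7\t443\ttcp\tssl
1120.0\t10.0.0.5\t49154\t203.0.113.7\t443\ttcp\tssl
1005.0\t10.0.0.9\t51000\t203.0.113.7\t443\ttcp\tssl
1065.0\t10.0.0.9\t51001\t203.0.113.7\t443\ttcp\tssl
1125.0\t10.0.0.9\t51002\t203.0.113.7\t443\ttcp\tssl
1003.0\t10.0.0.12\t40000\t198.51.100.20\t80\ttcp\thttp
1290.0\t10.0.0.12\t40001\t198.51.100.21\t443\ttcp\tssl
"""

def parse_conn_log(text):
    """Parse Zeek TSV conn.log text into dicts keyed by the #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def find_beacons(rows, min_conns=3, max_jitter=0.2):
    """Flag (orig, resp, port, proto, service) tuples whose connections repeat at a
    near-constant interval (low coefficient of variation of the inter-arrival gaps)."""
    groups = defaultdict(list)
    for r in rows:
        key = (r["id.orig_h"], r["id.resp_h"], r["id.resp_p"], r["proto"], r["service"])
        groups[key].append(float(r["ts"]))
    hits = []
    for key, ts in groups.items():
        if len(ts) < min_conns:
            continue  # too few connections to judge regularity
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if jitter <= max_jitter:
            hits.append({"infected": key[0], "c2": key[1], "port": key[2], "proto": key[3], "service": key[4], "interval": mean})
    return hits

def summarize(hits):
    """Map beacon hits onto the lab questions: infected hosts, C&C server, protocol."""
    return {"infected_hosts": sorted({h["infected"] for h in hits}),
            "c2_servers": sorted({h["c2"] for h in hits}),
            "protocols": sorted({h["proto"] + "/" + h["service"] for h in hits})}
```

On a real Security Onion box the same grouping can be reproduced in Kibana by filtering conn.log events on id.orig_h and id.resp_h and inspecting the connection count per pair.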