SecurityOnion lab

From k-space wiki
Revision as of 13:17, 20 March 2018 by Lauri (talk | contribs) (Steps)


The goal of this lab is to get familiar with IDS tools such as Bro and Kibana. These tools can be used to discover malicious behaviour in the network.



  • Adversary simulation node in the network
  • LAN switch with ports 20-24 configured as port mirrors (SPAN ports)
  • PC with at least 4 CPU cores, 8-16GB RAM, 100GB to 1TB of disk space and at least two network interfaces
  • USB key for installing SecurityOnion


Using SecurityOnion documentation:

  • Write the SecurityOnion installer image to the memory stick
  • Boot PC with memory stick
  • Follow installation procedures on the screen
  • Configure eth0 as management interface with DHCP and eth1 as monitor port
  • Hook ethernet cable from eth1 to any of the 20-24 ports of the LAN switch
  • Configure ufw to allow inbound port 443 (HTTPS) on the management interface

From your laptop, browse to the HTTPS site on the management IP of the machine and answer the following questions:

  • What protocol is used for C&C?
  • What are the IP addresses of infected machines?
  • What is the IP address of the C&C server?
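One way to work towards these three answers from the Bro conn.log rather than by eyeballing Kibana is to look for beaconing: internal hosts that reconnect to the same external address and port at a near-constant interval. The following script is an added example, not part of the original lab page or of SecurityOnion; it parses the standard Bro conn.log header/field layout and flags connection groups whose inter-arrival times have low jitter. The log embedded in it is constructed for the example (two hosts checking in to 203.0.113.10 over IRC every 60 seconds, plus some irregular TLS and DNS traffic); the 0.2 jitter threshold and the minimum of four connections are assumptions to tune against your own sensor's conn.log.

```python
import statistics
from collections import defaultdict

# Constructed sample in Bro conn.log layout (tab-separated, '-' = unset).
# 10.0.0.5 and 10.0.0.7 connect to 203.0.113.10:6667 (irc) every ~60 s;
# 10.0.0.5 also talks TLS to 198.51.100.20 at irregular times and does one DNS lookup.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount",
    "1521550000.000\tC1\t10.0.0.5\t51001\t203.0.113.10\t6667\ttcp\tirc\t1.2\t40\t120",
    "1521550060.100\tC2\t10.0.0.5\t51002\t203.0.113.10\t6667\ttcp\tirc\t1.1\t40\t118",
    "1521550120.050\tC3\t10.0.0.5\t51003\t203.0.113.10\t6667\ttcp\tirc\t1.3\t40\t121",
    "1521550179.900\tC4\t10.0.0.5\t51004\t203.0.113.10\t6667\ttcp\tirc\t1.0\t40\t117",
    "1521550240.000\tC5\t10.0.0.5\t51005\t203.0.113.10\t6667\ttcp\tirc\t1.2\t40\t120",
    "1521550030.000\tC6\t10.0.0.7\t52001\t203.0.113.10\t6667\ttcp\tirc\t1.2\t40\t119",
    "1521550089.800\tC7\t10.0.0.7\t52002\t203.0.113.10\t6667\ttcp\tirc\t1.1\t40\t120",
    "1521550150.200\tC8\t10.0.0.7\t52003\t203.0.113.10\t6667\ttcp\tirc\t1.0\t40\t122",
    "1521550210.000\tC9\t10.0.0.7\t52004\t203.0.113.10\t6667\ttcp\tirc\t1.2\t40\t118",
    "1521550270.100\tC10\t10.0.0.7\t52005\t203.0.113.10\t6667\ttcp\tirc\t1.1\t40\t120",
    "1521550005.000\tC11\t10.0.0.5\t51100\t198.51.100.20\t443\ttcp\tssl\t3.5\t900\t45000",
    "1521550017.000\tC12\t10.0.0.5\t51101\t198.51.100.20\t443\ttcp\tssl\t2.1\t700\t30000",
    "1521550099.000\tC13\t10.0.0.5\t51102\t198.51.100.20\t443\ttcp\tssl\t4.0\t1200\t80000",
    "1521550230.000\tC14\t10.0.0.5\t51103\t198.51.100.20\t443\ttcp\tssl\t1.8\t500\t20000",
    "1521550004.000\tC15\t10.0.0.5\t40000\t10.0.0.1\t53\tudp\tdns\t0.01\t60\t120",
])


def parse_conn_log(text):
    """Return conn.log records as dicts keyed by the names in the #fields line."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        values = line.split("\t")
        # Bro writes '-' for unset fields; map those to None.
        rows.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return rows


def find_beacons(rows, min_conns=4, max_jitter=0.2):
    """Flag (orig, resp, port, proto, service) groups with near-constant spacing.

    max_jitter is the coefficient of variation (stdev/mean) of the gaps between
    consecutive connections; both thresholds are assumptions for this example.
    """
    sessions = defaultdict(list)
    for r in rows:
        key = (r["id.orig_h"], r["id.resp_h"], r["id.resp_p"], r["proto"], r["service"] or "unknown")
        sessions[key].append(float(r["ts"]))
    beacons = []
    for key, times in sessions.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_jitter:
            beacons.append((key, round(mean, 1), round(cv, 3)))
    return beacons


def summarize_c2(beacons):
    """Collapse beacon groups per server so each entry lists the hosts checking in."""
    servers = defaultdict(set)
    for (orig, resp, port, proto, service), _, _ in beacons:
        servers[(resp, port, proto, service)].add(orig)
    return [
        {"server": resp, "port": port, "proto": proto, "service": service, "infected": sorted(hosts)}
        for (resp, port, proto, service), hosts in sorted(servers.items())
    ]


if __name__ == "__main__":
    for entry in summarize_c2(find_beacons(parse_conn_log(SAMPLE_CONN_LOG))):
        print(f"C&C candidate {entry['server']}:{entry['port']} over {entry['proto']}/{entry['service']}, "
              f"hosts: {', '.join(entry['infected'])}")
```

Feed it the conn.log from your own sensor instead of the sample and read the three answers off the output: the service column gives the protocol, the server field the C&C address, and the infected list the internal hosts. Regular-interval traffic is only a candidate (software update checks beacon too), so confirm each hit against the matching Bro protocol log before writing down the answer.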