seclab/MOD4_Defensive_Monitoring.md
2026-05-28 18:27:41 -06:00
# FILE: MOD4_Defensive_Monitoring.md
# MODULE 4: DEFENSIVE MONITORING AND THE SOC
## Key Points
* **Intrusion Detection Systems (IDS):** Passive sensors that inspect a copy of the traffic and alert when it matches known-malicious signatures.
* **SPAN / Port Mirroring:** Copying traffic from a network switch to a dedicated monitoring interface so the IDS can analyze it without interrupting flow.
## Configuration Steps
1. **Deploy Security Onion:** Install the VM, assigning its primary vNIC to VLAN 300 (Management) and a secondary vNIC with no IP address (the "sniffing" interface).
2. **Configure Port Mirroring:** In Proxmox, configure Open vSwitch or use `tc` (traffic control) on the Linux bridge to mirror traffic from the VLAN 400 interface to the Security Onion sniffing interface.
3. **Validate Sensors:** Log into the Security Onion web interface (Kibana/Hunt) and verify that logs generated from the mirrored traffic are arriving.
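Steps 2 and 3 on a Linux bridge, as an added example that is not part of the module text: the `tc` `mirred` action copies both directions of a source interface onto the Security Onion sniffing interface. Interface names are assumptions for this lab (`vmbr0.400` for the VLAN 400 side, `tap101i1` for the tap device behind Security Onion's second vNIC); on a VLAN-aware bridge you may instead mirror the target VM's own tap device.

```shell
#!/bin/sh
# Added example (not from the module): mirror VLAN 400 traffic into the
# Security Onion sniffing interface with tc's mirred action on a Proxmox host.
# SRC_IF and DST_IF are assumed names; adjust them to your bridge and tap devices.
SRC_IF="${SRC_IF:-vmbr0.400}"   # interface carrying VLAN 400 traffic (assumption)
DST_IF="${DST_IF:-tap101i1}"    # tap behind Security Onion's no-IP sniffing vNIC (assumption)
DRY_RUN="${DRY_RUN:-1}"         # 1 = only print the commands; set to 0 as root to apply them

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Mirror both ingress and egress frames of $1 onto $2.
mirror_cmds() {
  src=$1; dst=$2
  # Ingress side: frames arriving on src get copied to dst.
  run tc qdisc add dev "$src" handle ffff: ingress
  run tc filter add dev "$src" parent ffff: protocol all u32 match u32 0 0 \
      action mirred egress mirror dev "$dst"
  # Egress side: frames leaving src; a classful root qdisc is needed to hold the filter.
  run tc qdisc add dev "$src" handle 1: root prio
  run tc filter add dev "$src" parent 1: protocol all u32 match u32 0 0 \
      action mirred egress mirror dev "$dst"
}

# Tear the mirror down again (deleting the qdiscs removes their filters).
unmirror_cmds() {
  src=$1
  run tc qdisc del dev "$src" ingress
  run tc qdisc del dev "$src" root
}

# Number of tc commands the mirror setup emits (dry-run sanity check, expected 4).
count_mirror_cmds() {
  ( DRY_RUN=1; mirror_cmds "$1" "$2" ) | wc -l | tr -d ' '
}

mirror_cmds "$SRC_IF" "$DST_IF"
# Validation (step 3): on Security Onion, `tcpdump -ni <sniff-iface> -c 5` should show
# VLAN 400 frames before you look for the corresponding logs in Kibana/Hunt.
```

Run it with `DRY_RUN=0` as root on the Proxmox host to apply; `unmirror_cmds "$SRC_IF"` removes the mirror when the lab is finished.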
## Professor's Guide
It is time to put your Blue Team hat on. Repeat the exact `nmap` scans and Metasploit attacks you executed in Modules 2 and 3. Then, log into your Security Onion dashboard. You should see alerts triggering for "Possible Nmap Scan" or "GPL EXPLOIT vsftpd backdoor attempt".
Your assignment is to write a custom rule (in Suricata rule or Zeek script syntax) that specifically flags the reverse shell payload attempting to communicate back to your Kali IP address over VLAN 200.