# FILE: MOD4_Defensive_Monitoring.md

# MODULE 4: DEFENSIVE MONITORING AND THE SOC

## Key Points

* **Intrusion Detection Systems (IDS):** Passive sensors that alert on malicious traffic signatures.
* **SPAN / Port Mirroring:** Copying traffic from a network switch to a dedicated monitoring interface so the IDS can analyze it without interrupting flow.

## Configuration Steps

1. **Deploy Security Onion:** Install the VM, assigning its primary vNIC to VLAN 300 (Management) and a secondary vNIC with no IP address (the "sniffing" interface).
2. **Configure Port Mirroring:** In Proxmox, configure Open vSwitch or use `tc` (traffic control) on the Linux bridge to mirror traffic from the VLAN 400 interface to the Security Onion sniffing interface.
3. **Validate Sensors:** Log into the Security Onion web interface (Kibana/Hunt) and verify it is receiving logs.

## Professor's Guide

It is time to put your Blue Team hat on. Repeat the exact `nmap` scans and Metasploit attacks you executed in Modules 2 and 3. Then log into your Security Onion dashboard. You should see alerts triggering for "Possible Nmap Scan" or "GPL EXPLOIT vsftpd backdoor attempt".

Your assignment is to write a custom rule (using Suricata/Zeek syntax) that specifically flags the reverse shell payload attempting to communicate back to your Kali IP address over VLAN 200.
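One way to carry out the port-mirroring step with `tc` on the Proxmox host, as an added example that is not part of the course materials: the script prints, and with `APPLY=1` executes, the qdisc and filter commands that copy both directions of a source interface onto the Security Onion sniffing vNIC. The interface names are assumptions: `tap102i0` stands for the host-side tap of a VLAN 400 victim VM and `tap101i1` for the second (sniffing) vNIC of the Security Onion VM, so substitute your own VM IDs. It mirrors a VM tap rather than the bridge's `vmbr0.400` sub-interface because that sub-interface only carries the host's own VLAN 400 traffic, not frames switched between VM ports on the bridge.

```shell
#!/bin/sh
# Added example (not from the course materials): mirror a Proxmox tap interface
# to the Security Onion sniffing vNIC with tc. Interface names are assumptions.
set -eu

SRC_IF="${SRC_IF:-tap102i0}"   # assumed: host-side tap of a VLAN 400 victim VM
DST_IF="${DST_IF:-tap101i1}"   # assumed: host-side tap of Security Onion's sniffing vNIC
APPLY="${APPLY:-0}"            # 0 = print the commands (dry run), 1 = run them

# Print the tc commands that copy both directions of SRC onto DST.
mirror_cmds() {
    src="$1"; dst="$2"
    # Ingress (frames arriving on src): attach the ingress qdisc and mirror everything.
    printf 'tc qdisc add dev %s handle ffff: ingress\n' "$src"
    printf 'tc filter add dev %s parent ffff: matchall action mirred egress mirror dev %s\n' "$src" "$dst"
    # Egress (frames leaving src): a root prio qdisc gives the filter somewhere to hang.
    printf 'tc qdisc add dev %s handle 1: root prio\n' "$src"
    printf 'tc filter add dev %s parent 1: matchall action mirred egress mirror dev %s\n' "$src" "$dst"
}

# Commands that tear the mirror down again (deleting a qdisc drops its filters).
unmirror_cmds() {
    src="$1"
    printf 'tc qdisc del dev %s handle ffff: ingress\n' "$src"
    printf 'tc qdisc del dev %s root\n' "$src"
}

# The destination must exist and be up, or mirred silently delivers nothing.
check_sniff_iface() {
    dev="$1"
    [ -d "/sys/class/net/$dev" ] || { echo "no such interface: $dev" >&2; return 1; }
    ip link set dev "$dev" up
}

if [ "$APPLY" = "1" ]; then
    check_sniff_iface "$DST_IF"
    mirror_cmds "$SRC_IF" "$DST_IF" | sh -eux
else
    echo "# dry run; set APPLY=1 to execute on the Proxmox host:"
    mirror_cmds "$SRC_IF" "$DST_IF"
fi
```

Run it as root on the Proxmox host (`APPLY=1 SRC_IF=tap102i0 DST_IF=tap101i1 ./mirror.sh`), then confirm with `tcpdump -ni <sniffing interface>` inside Security Onion that frames from VLAN 400 arrive. Two caveats worth knowing: tap devices are recreated every time the VM restarts, so the qdiscs and filters disappear with them and must be reapplied, and every mirrored frame is copied in host memory, so mirroring a busy interface roughly doubles the bridge's work. `unmirror_cmds tap102i0 | sh -eux` removes the mirror.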
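As an added example for the assignment (my own illustration, not the course's answer key), the script below writes two local Suricata rules and lints them. The first fires on any TCP connection initiated from the VLAN 400 lab subnet toward Kali, since nothing on that VLAN has a legitimate reason to open a session to the attacker box; the second fires when `id`-style command output (`uid=` followed shortly by `gid=`) flows from the victim to Kali on an established session, which is what a reverse shell produces the moment its operator types `id`. The Kali address `10.20.0.10`, the lab subnet `10.40.0.0/24`, the sids in the 1000000 range and the output file are all assumptions; point `RULES_FILE` at wherever your Security Onion build loads local rules.

```shell
#!/bin/sh
# Added example (not part of the course materials): write local Suricata rules
# that flag a reverse-shell callback from the VLAN 400 lab subnet to Kali on
# VLAN 200, then lint the file. Addresses, sids and the file path are assumptions.
set -eu

KALI_IP="${KALI_IP:-10.20.0.10}"         # assumed Kali address on VLAN 200
VICTIM_NET="${VICTIM_NET:-10.40.0.0/24}" # assumed VLAN 400 lab subnet
RULES_FILE="${RULES_FILE:-$(mktemp)}"    # assumed; use your sensor's local rules path

# Emit the rules. Direction matters: the victim is the TCP client and Kali the
# "server", so victim -> Kali is to_server in Suricata's flow model.
write_rules() {
    file="$1"; kali="$2"; net="$3"
    cat > "$file" <<EOF
# Any TCP handshake started from the lab subnet toward Kali: nothing in VLAN 400
# has a legitimate reason to open a connection to the attacker box.
alert tcp $net any -> $kali any (msg:"LAB TCP connection initiated from VLAN 400 to Kali"; flow:to_server; flags:S,12; sid:1000001; rev:1; classtype:trojan-activity;)
# Output of the id command travelling victim -> Kali on an established session,
# the usual first thing an operator runs once a shell lands.
alert tcp $net any -> $kali any (msg:"LAB Reverse shell: id command output sent to Kali"; flow:to_server,established; content:"uid="; content:"gid="; distance:0; within:40; sid:1000002; rev:1; classtype:trojan-activity;)
EOF
}

# Cheap lint that needs no Suricata binary: every non-comment line must be a
# well-formed alert carrying msg, sid and rev, and no sid may be reused.
# Returns 1 on failure so callers can gate deployment on it.
lint_rules() {
    file="$1"
    rules=$(grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$' || true)
    bad=$(printf '%s\n' "$rules" | grep -vc '^alert [a-z]* [^ ]* [^ ]* -> [^ ]* [^ ]* (msg:"[^"]*"; .*sid:[0-9][0-9]*; rev:[0-9][0-9]*;.*)$' || true)
    dup=$(printf '%s\n' "$rules" | grep -o 'sid:[0-9]*' | sort | uniq -d || true)
    if [ "$bad" -ne 0 ] || [ -n "$dup" ]; then
        echo "lint failed: $bad malformed rule(s); duplicate sids: ${dup:-none}" >&2
        return 1
    fi
    return 0
}

write_rules "$RULES_FILE" "$KALI_IP" "$VICTIM_NET"
lint_rules "$RULES_FILE"
echo "wrote $RULES_FILE; validate on the sensor with: suricata -T -S $RULES_FILE"
```

The lint only catches authoring slips; the authoritative check is Suricata's own parser, so run `suricata -T -S <file>` on the sensor before enabling the rules, then replay the Module 3 exploit and confirm that both sids appear in the Security Onion alert view. The first rule is deliberately broad for a lab, where every session to Kali is suspect; on a production sensor you would scope it to the ports and hosts you actually expect.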