seclab/MOD4_Defensive_Monitoring.md
2026-05-28 18:27:41 -06:00

MODULE 4: DEFENSIVE MONITORING AND THE SOC

Key Points

  • Intrusion Detection Systems (IDS): Passive sensors that alert on malicious traffic signatures.
  • SPAN / Port Mirroring: Copying traffic from a network switch to a dedicated monitoring interface so the IDS can analyze it without interrupting flow.

Configuration Steps

  1. Deploy Security Onion: Install the VM, assigning its primary vNIC to VLAN 300 (Management) and a secondary vNIC with no IP address (the "sniffing" interface).
  2. Configure Port Mirroring: In Proxmox, configure Open vSwitch or use tc (traffic control) on the Linux bridge to mirror traffic from the VLAN 400 interface to the Security Onion sniffing interface.
  3. Validate Sensors: Log into the Security Onion web interface (Kibana/Hunt) and verify it is receiving logs.
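Step 2 is the one students most often get wrong, because a mirror must copy both directions of the bridge port or the IDS only sees half of every conversation. The script below is an added example (not part of the course material or of Security Onion) showing the tc(8) approach named in that step: an ingress qdisc plus a root prio qdisc on the source interface, each with a catch-all filter whose mirred action copies frames onto the sniffing vNIC. The interface names are assumptions: replace `vmbr0.400` with whatever carries the VLAN 400 traffic on your Proxmox host and `tap100i1` with the tap device behind the Security Onion sniffing vNIC (check with `ip link`).

```shell
#!/bin/sh
# Added example (not from the lab page or Security Onion): mirror a VLAN 400
# interface to the Security Onion sniffing vNIC with tc(8) on the Proxmox host.
# Assumed names, placeholders only (check `ip link` on your host):
#   SRC_IF : interface carrying lab traffic, e.g. vmbr0.400
#   DST_IF : tap device of the Security Onion sniffing vNIC, e.g. tap100i1

# Emit the tc commands that copy both directions of SRC_IF onto DST_IF.
# Ingress: attach the ingress qdisc (always handle ffff:) and a matchall filter
#          whose mirred action transmits a copy out of DST_IF.
# Egress:  frames leaving SRC_IF need a classful root qdisc to hang a filter on,
#          so a prio qdisc is installed (this replaces the default root qdisc).
# Transmitting on a tap device is what delivers the frame into the guest, so the
# sensor VM receives the copies on its sniffing interface.
mirror_cmds() {
  src="$1"; dst="$2"
  printf '%s\n' \
    "tc qdisc add dev $src ingress" \
    "tc filter add dev $src parent ffff: matchall action mirred egress mirror dev $dst" \
    "tc qdisc add dev $src root handle 1: prio" \
    "tc filter add dev $src parent 1: matchall action mirred egress mirror dev $dst"
}

# Commands that undo the mirror; deleting a qdisc removes its filters as well.
unmirror_cmds() {
  src="$1"
  printf '%s\n' \
    "tc qdisc del dev $src ingress" \
    "tc qdisc del dev $src root"
}

# Entry point. Run as root on the Proxmox host:
#   sh mirror.sh show   vmbr0.400 tap100i1   # print the commands only
#   sh mirror.sh apply  vmbr0.400 tap100i1   # run them
#   sh mirror.sh remove vmbr0.400            # tear the mirror down
# With no argument the script only defines the functions.
case "${1:-}" in
  show)   mirror_cmds "$2" "$3" ;;
  apply)  mirror_cmds "$2" "$3" | while read -r cmd; do echo "+ $cmd"; $cmd; done ;;
  remove) unmirror_cmds "$2" | while read -r cmd; do echo "+ $cmd"; $cmd; done ;;
esac
```

To confirm the mirror is working before you trust the dashboard in step 3, watch the filter counters on the host with `tc -s filter show dev vmbr0.400 ingress` (the packet count should climb while lab traffic flows) and, inside the Security Onion VM, run `tcpdump -ni <sniffing interface> -c 10` and check that you see frames from the lab VLAN. If the host side counts packets but the sensor sees nothing, the sniffing vNIC is attached to the wrong bridge or has a firewall/VLAN filter on the tap.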

Professor's Guide

It is time to put your Blue Team hat on. Repeat the exact nmap scans and Metasploit attacks you executed in Modules 2 and 3. Then, log into your Security Onion dashboard. You should see alerts triggering for "Possible Nmap Scan" or "GPL EXPLOIT vsftpd backdoor attempt". Your assignment is to write a custom rule (using Suricata/Zeek syntax) that specifically flags the reverse shell payload attempting to communicate back to your Kali IP address over VLAN 200.
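The assignment asks for a Suricata rule that keys on the callback, not on the exploit. The script below is an added example (not part of the course material, and not a Security Onion component) that generates such a rule and sanity-checks it before it is loaded. Every concrete value is an assumption you replace with your own lab's: `KALI_IP` stands for the attacker VM's address on VLAN 200, `CALLBACK_PORT` for the listener port the Module 3 payload connects back to, and `VICTIM_NET` for the VLAN 400 subnet the targets sit on. The rule matches on addresses and TCP state rather than on the VLAN tag, so the mirror from step 2 must actually carry the VLAN 200 side of the conversation for it to fire.

```shell
#!/bin/sh
# Added example, not part of the course material: generate the custom Suricata
# rule the assignment asks for and sanity-check it before loading it.
# Placeholders (assumptions, adjust to your lab):
KALI_IP="${KALI_IP:-192.0.2.10}"             # attacker VM on VLAN 200 (RFC 5737 doc range)
CALLBACK_PORT="${CALLBACK_PORT:-4444}"       # listener port used by the Module 3 payload
VICTIM_NET="${VICTIM_NET:-[10.40.0.0/24]}"   # VLAN 400 subnet the targets live on

# Build one rule: source is any victim host, destination is the Kali listener.
# flow:to_server,established makes the alert fire only after the TCP handshake
# completes, i.e. a victim really opened a session toward the listener; a lone
# SYN, such as a scan probe, does not match.
reverse_shell_rule() {
  printf 'alert tcp %s any -> %s %s (msg:"LAB reverse shell callback to Kali on VLAN 200"; flow:to_server,established; classtype:trojan-activity; sid:%s; rev:1;)\n' \
    "$1" "$2" "$3" "$4"
}

# Structural check: action/protocol header, a direction operator, an option
# block, a numeric sid and a closing parenthesis. Catches typos before the
# full parser does.
rule_is_wellformed() {
  case "$1" in
    "alert tcp "*" -> "*"("*"sid:"[0-9]*";"*")") return 0 ;;
    *) return 1 ;;
  esac
}

# Write the rule set to a file, refusing to emit a malformed rule.
write_rules() {
  out="$1"
  rule=$(reverse_shell_rule "$VICTIM_NET" "$KALI_IP" "$CALLBACK_PORT" 9000001)
  rule_is_wellformed "$rule" || { echo "malformed rule, not writing $out" >&2; return 1; }
  printf '%s\n' "$rule" > "$out"
  echo "wrote $out"
}

# Run as `sh make-rule.sh local.rules` to produce the file. With no argument the
# script only defines the functions, so it can be sourced or tested.
if [ -n "${1:-}" ]; then
  write_rules "$1"
fi
```

Before deploying, parse the file with `suricata -T -S local.rules` to catch anything the structural check missed; where the rule file lives and how it is reloaded depends on your Security Onion version, so follow its documentation for local rules. Once loaded, rerun the Module 3 attack and confirm the alert appears in Hunt; as a cross-check that does not depend on the signature, filter Zeek's conn.log for connections whose responder is the Kali address on that port, which should show the same session the alert fired on.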