SOC Home Lab - Part 2

Dyavanapellisujal
8 min read · Jul 23, 2024


This is the continuation of the previous blog. In this part I will set up the firewall rules needed to give certain machines internet access, and spin up Suricata on the SOC Analyst machine so that it works as an IDS.

Accessing the pfSense Web GUI

First we need to access the pfSense web interface. By default it is reachable only from devices connected to the LAN network; devices connected to WAN / OPT1 / OPT2 are not allowed. That is why the Ubuntu machine in the security LAN is connected to the LAN interface of pfSense.

To access the web GUI: open a browser → enter the pfSense IP of the security LAN interface (192.168.20.1) → log in with username admin and password pfsense.

I have left the hostname at its default and set the domain to homelab.com, the primary DNS to 8.8.8.8 and the secondary DNS to 9.9.9.9.

Leave the time server at its default.

Only set the above sections for the WAN interface.

The two options above block private networks: they drop any incoming packet on the WAN interface whose source address falls in the RFC 1918 reserved (private) ranges. Packets to and from the internet with a private source address should never be seen on the WAN side, since we are using NAT.

Change admin credentials:

Click on the "change admin password" notice popping up at the top of the screen.

To see the details of the pfSense server, go to the dashboard after saving the changes. The dashboard shows the status of the firewall, such as CPU type, memory usage, last configuration change, etc.

Assign Interface Names:

Let's change the name of the LAN interface.

I have only changed the name of the interface to security lan for convenience; every other setting, such as the IPv4 address and DHCP, was configured at the beginning when setting up pfSense. Change the names of the other interfaces to their respective LAN names and uncheck the last two options.

This is a LAN interface, so traffic from private IP addresses towards this interface should be allowed. Once done, click Save and then Apply Changes.

Adding firewall rules through the GUI

Click Firewall → Rules → Interface → Add

Before adding rules, let us first understand the default rules of the pfSense firewall:

  1. Any request made from outside the LAN to our internal network is blocked; this is ingress filtering. pfSense blocks all incoming requests towards our network by default.
  2. Any request made from our internal network, that is from our LAN network (renamed to security lan), to the internet is allowed, and the corresponding responses back into the LAN are allowed as well, because pfSense runs as a stateful firewall that keeps track of the state of every connection made from our network. This is egress filtering, i.e. filtering outgoing packets.
  3. Any other request to/from our OPT1 and OPT2 LANs is blocked by default until an explicit rule is configured to allow the outgoing traffic from these LANs.
  4. Learn more about pfSense filtering here.

I will add a rule to allow connections made from our security-lan to any destination listening on port 443.

The description below each setting is enough to understand what that setting achieves.

Let's go through the above rules briefly:

Rule 1: This rule exists by default and allows us to access the pfSense web interface.

Rule 2: This rule allows HTTP requests from any port on our security-lan to any destination listening on port 80.

Rule 3: This rule allows HTTPS connections initiated from our security-lan to any destination listening on port 443.

Rule 4: This rule allows DNS queries from our security-lan to any destination listening on port 53.

We need to set the name servers in /etc/resolv.conf on the machines that need to surf the internet through a browser. Open the /etc/resolv.conf file:

sudo nano /etc/resolv.conf

and add the line nameserver 8.8.8.8 at the bottom of the file, then save it. Note that on Ubuntu /etc/resolv.conf is usually managed by systemd-resolved, so a manual edit can be overwritten; if that happens, set the DNS server in the network configuration (netplan or NetworkManager) instead.

Now let us try to reach the internet through the browser on our Ubuntu machine.

That's great! We got results.

Let's determine the traffic flows

Traffic rules for inter-LAN communication:

  1. Security LAN: outgoing internet access is allowed; traffic from the attacker-lan is blocked; traffic from the target-lan to the security-lan is blocked (except for certain traffic, such as Splunk forwarders sending data to a SIEM for ingestion, if that is configured in future).
  2. Target LAN: traffic from the security-lan and the attacker-lan to the target-lan is allowed; traffic from the target-lan to the attacker-lan is allowed; traffic from the target-lan to the internet is allowed.
  3. Attacker LAN: traffic to the internet is allowed (this is necessary to install tools).
  4. WAN: all incoming traffic from the internet is blocked by default; if certain traffic becomes necessary it will be allowed based on requirements.
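Before clicking through the GUI it helps to write the policy down and check the verdict for each flow you care about. The following is an added example, not code from the original post: a minimal first-match, stateful rule evaluator that encodes the four rules on the security-lan and the inter-LAN policy listed above, including the "reply to an established connection is allowed" behaviour of a stateful firewall. Only the security-lan gateway 192.168.20.1 appears in the post; the target-lan and attacker-lan subnets, the host addresses and the public address 203.0.113.10 are constructed for this example.

```python
"""Added example (not from the original post): a first-match, stateful
evaluator for the lab's inter-LAN policy. Subnets other than the
security-lan are assumptions; see the comments."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

IPv4Net = ipaddress.IPv4Network

SECURITY_LAN = IPv4Net("192.168.20.0/24")   # gateway 192.168.20.1 is in the post
TARGET_LAN = IPv4Net("192.168.30.0/24")     # assumption
ATTACKER_LAN = IPv4Net("192.168.40.0/24")   # assumption
PFSENSE_GUI = IPv4Net("192.168.20.1/32")    # web GUI address from the post
RFC1918 = [IPv4Net(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNET = "internet"  # pseudo-destination: any address outside RFC 1918 space


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    src: IPv4Net
    dst: IPv4Net | str          # a network, or INTERNET
    proto: str                  # "tcp", "udp" or "any"
    dport: int | None           # None means any destination port
    desc: str


# Rules are evaluated on the interface where the packet enters pfSense,
# first match wins, and anything unmatched is dropped (default deny).
POLICY: dict[str, list[Rule]] = {
    "security-lan": [
        Rule("pass", SECURITY_LAN, PFSENSE_GUI, "tcp", 443, "rule 1: reach the pfSense web GUI"),
        Rule("pass", SECURITY_LAN, INTERNET, "tcp", 80, "rule 2: HTTP to the internet"),
        Rule("pass", SECURITY_LAN, INTERNET, "tcp", 443, "rule 3: HTTPS to the internet"),
        Rule("pass", SECURITY_LAN, INTERNET, "udp", 53, "rule 4: DNS to the internet"),
        Rule("pass", SECURITY_LAN, TARGET_LAN, "any", None, "security-lan to target-lan"),
    ],
    "target-lan": [
        Rule("pass", TARGET_LAN, ATTACKER_LAN, "any", None, "target-lan to attacker-lan"),
        Rule("pass", TARGET_LAN, INTERNET, "any", None, "target-lan to the internet"),
        # a future Splunk-forwarder exception towards the security-lan would go here
    ],
    "attacker-lan": [
        Rule("pass", ATTACKER_LAN, TARGET_LAN, "any", None, "attacker-lan to target-lan"),
        Rule("pass", ATTACKER_LAN, INTERNET, "any", None, "attacker-lan to the internet"),
    ],
    "wan": [],  # nothing unsolicited from the internet is allowed in
}


def is_private(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in RFC1918)


def ingress_interface(src: ipaddress.IPv4Address) -> str:
    """Which pfSense interface a packet with this source address arrives on."""
    for name, net in (("security-lan", SECURITY_LAN), ("target-lan", TARGET_LAN),
                      ("attacker-lan", ATTACKER_LAN)):
        if src in net:
            return name
    return "wan"


def matches(rule: Rule, src, dst, proto: str, dport: int) -> bool:
    if src not in rule.src:
        return False
    if rule.dst == INTERNET:
        if is_private(dst):
            return False
    elif dst not in rule.dst:
        return False
    if rule.proto != "any" and rule.proto != proto:
        return False
    return rule.dport is None or rule.dport == dport


class StatefulFirewall:
    def __init__(self, policy: dict[str, list[Rule]]):
        self.policy = policy
        self.states: set[tuple] = set()   # 5-tuples of flows that were passed

    def evaluate(self, src: str, sport: int, dst: str, dport: int,
                 proto: str = "tcp") -> tuple[str, str]:
        """Return (action, reason) for one packet, recording passed flows as state."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Stateful part: a reply to a flow we already passed needs no rule lookup.
        if (d, dport, s, sport, proto) in self.states:
            return "pass", "reply to an established flow"
        for rule in self.policy.get(ingress_interface(s), []):
            if matches(rule, s, d, proto, dport):
                if rule.action == "pass":
                    self.states.add((s, sport, d, dport, proto))
                return rule.action, rule.desc
        return "block", "default deny"


if __name__ == "__main__":
    fw = StatefulFirewall(POLICY)
    for flow in [("192.168.20.10", 51000, "203.0.113.10", 443, "tcp"),   # HTTPS out
                 ("203.0.113.10", 443, "192.168.20.10", 51000, "tcp"),   # its reply
                 ("203.0.113.10", 4444, "192.168.20.10", 22, "tcp"),     # unsolicited from WAN
                 ("192.168.40.10", 40000, "192.168.20.10", 22, "tcp"),   # attacker -> security
                 ("192.168.40.10", 40001, "192.168.30.20", 22, "tcp"),   # attacker -> target
                 ("192.168.30.20", 40002, "192.168.20.10", 8000, "tcp")]:  # target -> security
        print(flow, "->", fw.evaluate(*flow))
```

The model deliberately limits the security-lan's internet access to ports 80, 443 and 53 as in rules 2 to 4, so a flow such as SSH from the security-lan to a public host comes back as "default deny"; if you later open more ports in pfSense, add the matching Rule here and re-run the checks.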

I hope you can configure the above rules yourself; I have put up screenshots of every firewall rule configured on each interface with their descriptions:

Security-Lan:

Target-Lan:

Attacker-Lan:

Do test the firewall rules. I have tested them and they all worked the way I expected; if there are any mistakes or you face any issues, you can reach out to me on LinkedIn.

Setting up Suricata:

Open up your SOC Analyst machine and run:

sudo apt-get update && sudo apt-get install suricata

Once Suricata is installed, we first need to check a few things:

  1. The other interface of the SOC Analyst machine, the one in the target-lan that we are going to monitor, is in promiscuous mode.
  2. No communication takes place on that interface.

To put the interface into promiscuous mode, run:

sudo ifconfig [interface] promisc

To stop communication on the promiscuous interface, we flush the IP address it got from DHCP and block all communication with iptables rules. Run:

sudo ip addr flush dev [interface]
sudo iptables -A INPUT -i [interface] -j DROP
sudo iptables -A OUTPUT -o [interface] -j DROP
sudo iptables-save
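A passive sensor interface is easy to get subtly wrong (DHCP hands the address back, a reboot loses the iptables rules), so it is worth having a check that reads the real state instead of trusting that the commands ran. The following is an added example, not code from the original post: it parses the promiscuous flag from /sys/class/net/<iface>/flags, the addresses from `ip -4 -o addr show`, and asks iptables with `-C` whether the two DROP rules exist. It uses the iproute2 form `ip link set dev <iface> promisc on` in place of the post's ifconfig command (both set the same interface flag); the interface name enp0s8 comes from the post, the script name sensor_check.py and the sample output in the comments are assumptions.

```python
"""Added example (not from the original post): prepare and audit a passive
Suricata sniffing interface. Run as root; the --apply flag runs the same
steps the post performs by hand."""
import pathlib
import subprocess
import sys

IFF_PROMISC = 0x100   # flag bit from <linux/if.h>, as shown in /sys/class/net/<iface>/flags


def promisc_from_flags(flags_text: str) -> bool:
    """flags_text is the content of /sys/class/net/<iface>/flags, e.g. '0x1103\\n'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def ipv4_addrs(ip_addr_output: str) -> list:
    """Addresses listed by 'ip -4 -o addr show dev <iface>' (one line per address)."""
    addrs = []
    for line in ip_addr_output.splitlines():
        tokens = line.split()
        if "inet" in tokens:
            addrs.append(tokens[tokens.index("inet") + 1])
    return addrs


def audit(flags_text: str, ip_addr_output: str, input_drop: bool, output_drop: bool) -> list:
    """Return the problems found; an empty list means the interface is sensor-ready."""
    problems = []
    if not promisc_from_flags(flags_text):
        problems.append("interface is not in promiscuous mode")
    addrs = ipv4_addrs(ip_addr_output)
    if addrs:
        problems.append("interface still has IPv4 address(es): " + ", ".join(addrs))
    if not input_drop:
        problems.append("no iptables INPUT DROP rule for this interface")
    if not output_drop:
        problems.append("no iptables OUTPUT DROP rule for this interface")
    return problems


def sensor_commands(iface: str) -> list:
    """The same steps as the post, in the order they must run (needs root)."""
    return [
        ["ip", "link", "set", "dev", iface, "promisc", "on"],
        ["ip", "addr", "flush", "dev", iface],
        ["iptables", "-A", "INPUT", "-i", iface, "-j", "DROP"],
        ["iptables", "-A", "OUTPUT", "-o", iface, "-j", "DROP"],
    ]


def rule_present(chain: str, match_flag: str, iface: str) -> bool:
    """'iptables -C' exits 0 when the rule exists and non-zero when it does not."""
    cmd = ["iptables", "-C", chain, match_flag, iface, "-j", "DROP"]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def audit_live(iface: str) -> list:
    """Read the live interface state and audit it."""
    flags = pathlib.Path(f"/sys/class/net/{iface}/flags").read_text()
    ip_out = subprocess.run(["ip", "-4", "-o", "addr", "show", "dev", iface],
                            capture_output=True, text=True, check=True).stdout
    return audit(flags, ip_out, rule_present("INPUT", "-i", iface),
                 rule_present("OUTPUT", "-o", iface))


if __name__ == "__main__":
    # usage: sudo python3 sensor_check.py enp0s8 [--apply]
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    iface = args[0] if args else "enp0s8"
    if "--apply" in sys.argv:
        for cmd in sensor_commands(iface):
            subprocess.run(cmd, check=True)
    for line in audit_live(iface) or ["interface is ready for passive capture"]:
        print(line)
```

Two caveats the audit is designed to catch: iptables-save only prints the ruleset to standard output, so the DROP rules (and the flushed address) do not survive a reboot unless you persist them, for example with the iptables-persistent package; and a DHCP client that is still running on the interface will request a new lease, so disable DHCP for that interface in your network configuration as well.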

Now, to confirm that we can capture target-lan traffic on this interface, run tcpdump on the interface in promiscuous mode.

sudo tcpdump -i enp0s8

Use one of the machines in the target-lan to communicate with other hosts or access the internet.

Go back to your SOC Analyst machine and see whether the interface captured any traffic.

Yahoo! The interface can capture the traffic from the target-lan.

Testing Suricata

I would like you to clone the rules for nmap scans from this repo.

Once cloned, copy the path to the local.rules file and put it in the rule-files section of the suricata.yaml file:

sudo nano /etc/suricata/suricata.yaml

Save it and then spin up Suricata on the interface enp0s8.

sudo suricata -c /etc/suricata/suricata.yaml -i enp0s8 -k none -l .

The above command runs Suricata with the specified configuration file, i.e. suricata.yaml (created by default on installation), on the interface to monitor (enp0s8); -k none controls checksum validation (none turns the checks off) and -l . sets the logging directory to the current directory.

While Suricata is monitoring, run nmap from Kali Linux and then open fast.log to see whether it detected any nmap scanning techniques.

Open the fast.log file: it indeed logged the nmap SYN scan, so our Suricata server is running as an IDS. To learn how to write custom rules or leverage rules provided by the infosec community, check the official Suricata docs. In the next part, I will configure Splunk on our SOC Analyst machine.
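Reading fast.log by eye works for one scan, but a SOC analyst usually wants to know which source produced the alerts and whether it touched many ports, which is the signature of a SYN scan in the log. The following is an added example, not code from the original post or from the rules repo it points to: a parser for Suricata's fast.log line format (timestamp, [gid:sid:rev], message, optional classification, priority, {protocol}, source -> destination, with ports absent for ICMP), a per-source summary, and a "many distinct destination ports" check. The sample log lines embedded below are constructed; their sids, messages and addresses are placeholders, and the real values depend on the rules you loaded.

```python
"""Added example (not from the original post): summarise Suricata fast.log
alerts per source and flag sources that probed many distinct ports."""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample; real lines depend on the rules you load.
SAMPLE_FAST_LOG = """\
07/23/2024-14:05:11.123456  [**] [1:1000001:1] LOCAL SCAN possible nmap SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.40.10:54321 -> 192.168.30.5:22
07/23/2024-14:05:11.123790  [**] [1:1000001:1] LOCAL SCAN possible nmap SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.40.10:54321 -> 192.168.30.5:80
07/23/2024-14:05:11.124011  [**] [1:1000001:1] LOCAL SCAN possible nmap SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.40.10:54321 -> 192.168.30.5:443
07/23/2024-14:06:30.500000  [**] [1:1000002:1] LOCAL ICMP echo from attacker LAN [**] [Priority: 3] {ICMP} 192.168.40.11 -> 192.168.30.5
this line is garbage and must be skipped
"""

# One fast.log record: timestamp, [gid:sid:rev], message, optional classification,
# priority, {proto}, src[:port] -> dst[:port]. Ports are absent for ICMP.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)


def parse_fast_line(line: str) -> dict | None:
    """Parse one line into a dict, or return None when it is not a fast.log record."""
    m = FAST_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "pri"):
        rec[key] = int(rec[key])
    for key in ("sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def parse_fast_log(text: str) -> list[dict]:
    """Parse every well-formed line, silently skipping anything else."""
    return [rec for rec in map(parse_fast_line, text.splitlines()) if rec]


def top_sources(alerts: list[dict]) -> list[tuple[str, int, int]]:
    """(source, alert count, distinct destination ports), busiest source first."""
    count = defaultdict(int)
    ports = defaultdict(set)
    for a in alerts:
        count[a["src"]] += 1
        if a["dport"] is not None:
            ports[a["src"]].add(a["dport"])
    return sorted(((src, n, len(ports[src])) for src, n in count.items()),
                  key=lambda t: (-t[1], t[0]))


def scan_candidates(alerts: list[dict], min_ports: int = 3) -> list[str]:
    """Sources that raised alerts against at least min_ports distinct destination ports."""
    return [src for src, _, nports in top_sources(alerts) if nports >= min_ports]


if __name__ == "__main__":
    import sys
    # usage: python3 fastlog_summary.py [path/to/fast.log]; without a path the sample is used
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FAST_LOG
    alerts = parse_fast_log(text)
    for src, n, nports in top_sources(alerts):
        print(f"{src:16} alerts={n:<4} distinct_dports={nports}")
    print("scan candidates:", scan_candidates(alerts))
```

The distinct-port count is computed from alerts, not from raw packets, so it only sees what your rules already fire on; it is a triage aid on top of the IDS, not a replacement for a proper scan-detection rule. The IPv6 case is not handled by the address regex, since the lab is IPv4 only.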

Dyavanapellisujal

Passionate security driven geek building strong SOC skills. Dedicated to mastering threat detection and incident response to protect against cyber threats.