2️⃣ Deploy

Now we implement the designs outlined in the previous post. I won't go into the details of troubleshooting; everything you need is in the official documentation of each product.

OPNsense

First, let's set everything up in VirtualBox.

OPNsense is a firewall and routing platform built on FreeBSD. Download the image from the OPNsense website, choosing the .iso option (DVD).

Since this is the gateway into our lab, we want two adapters: one facing the host's network and one facing the internal network.

  • Bridged adapter - interface 1 - WAN

  • Internal Network - interface 2 - LAN

Launch the VM and log in with installer:opnsense to configure the system. Installation instructions here:

Follow through to "OPNsense Installer".

Take a snapshot of the VM in case of future misconfiguration.

Kali Linux

Set up a Kali Linux machine, using either an .iso file or, like me, the ready-made VirtualBox image.

Attach an internal network adapter.

You may need to tell Kali to use OPNsense as its DHCP server in order to be leased an IP address.

Once it's ready to use, take a snapshot so you can revert it to its fresh state. This is useful when you want to wipe the machine clean, whether you're doing malware analysis or you've misconfigured something.

If set up correctly, you can ping the OPNsense machine from your Kali Linux machine.

OPNsense Configuration

If you want to be able to access the firewall externally (from your host machine or network), you have two options:

  1. Firewall rule: go to Firewall > Rules > WAN and select the 'Add' plus symbol at the top right. Add a rule allowing WAN to reach the firewall. You can pick a specific device, any, or a network; your choice, but get it right as you might lock yourself out. An important note: by default, OPNsense disallows access to the firewall from the WAN. I disabled this to avoid getting locked out, but once Kali Linux is configured and on the internal network (LAN) we can do our firewall configuration from there.

  2. Visit it from a device on the LAN, like the Kali instance.

If you have done something wrong and your firewall rules are locking you out, you can flush all the rules from the console with pfctl -F all. Be aware this also flushes the NAT rules and state tables, and the rules come back on the next filter reload, so fix the offending rule in the GUI straight away.

Go back to System > Wizard and follow the steps. Be aware that the last step asks if you want to change the IP address to 192.168.1.1. If that's different from before, start using the new IP to access the dashboard.

If you run into any DHCP problems like I did, try resetting your router/modem.

Wazuh

Now for our SIEM. I'm opting for Wazuh as I want to try something new and have heard it's a good free and open source solution.

https://github.com/wazuh/wazuh

See the Wazuh documentation for installing the VM image (OVA) here. The download link is in there, but I've also linked the GitHub. It's an Amazon Linux VM.

The image should have the following components:

  • Amazon Linux 2

  • Wazuh manager 4.7.1

  • Wazuh indexer 4.7.1

  • Filebeat-OSS 7.10.2

  • Wazuh dashboard 4.7.1

Wazuh VM

Attach this to the internal network.

VirtualBox Networking Adapter

I had to restart the networking service to be given an IP address. Let's test it out and ping our Kali Linux machine:

Network Testing

Visit the Wazuh web interface. In my case x.x.x.103. Default credentials are in the documentation; change them as soon as you're in.

Wazuh Dashboard

There's not much to see yet, as we have to add an agent. An agent is a service that sends information to the SIEM for us to view. In an enterprise, it could be the Windows computers employees use (sending Windows event logs) or a web server (sending web logs).

Let's deploy a new agent. See the alert notification in the screenshot. In my case, I'll be creating a Linux agent. All the instructions are on the Wazuh dashboard.

Wazuh agent instructions

Windows 11

Last one, I promise (unless you want to launch more VMs as part of your cyber lab). Launch a Windows VM. I won't walk through it.

Consider Windows 11 Sandbox if you want.

Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine.

Then do the same as before: update it, add it to the internal network, test connectivity, and if it has no IP, tell it to get one via DHCP from OPNsense. Then snapshot.

Now follow the Wazuh agent installation guide for Windows. This was the installation command generated for me:

Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.1-1.msi -OutFile ${env.tmp}\wazuh-agent; msiexec.exe /i ${env.tmp}\wazuh-agent /q WAZUH_MANAGER='192.168.1.103' WAZUH_AGENT_NAME='Win-Agent' WAZUH_REGISTRATION_SERVER='192.168.1.103'

Note that this reaches out to wazuh.com, so it will need an internet connection. Depending on your setup, either connect the machine to the internet by adding a bridged adapter, or let the OPNsense router route it for you. If OPNsense's WAN side is bridged and set up correctly, all your LAN VMs should have internet connectivity.
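Before running that command, it is worth confirming that the agent host can actually reach the manager on the ports enrollment and event forwarding use, since a wrong IP or a blocking firewall rule shows up later as an agent stuck in "never connected". The check below is an added example for this post, not Wazuh's own tooling; it assumes the manager is at 192.168.1.103 as above and listens on the default Wazuh ports (1515 enrollment, 1514 events, 443 dashboard).

```python
"""Pre-flight check before enrolling a Wazuh agent against the lab manager.
Added example for this post, not Wazuh's own tooling. Assumes the manager
is at 192.168.1.103 and uses the default Wazuh ports (1515/1514/443).
"""
import re
import socket

# Default Wazuh manager ports (assumption: not changed from the OVA defaults).
WAZUH_PORTS = {"enrollment": 1515, "events": 1514, "dashboard": 443}

# The install command the dashboard generated in the post, embedded so the
# parser can run offline.
GENERATED_CMD = (
    "Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/"
    "wazuh-agent-4.7.1-1.msi -OutFile ${env.tmp}\\wazuh-agent; "
    "msiexec.exe /i ${env.tmp}\\wazuh-agent /q WAZUH_MANAGER='192.168.1.103' "
    "WAZUH_AGENT_NAME='Win-Agent' WAZUH_REGISTRATION_SERVER='192.168.1.103'"
)

def parse_agent_command(cmd: str) -> dict:
    """Extract the WAZUH_* msiexec properties from a generated install command."""
    return dict(re.findall(r"(WAZUH_[A-Z_]+)='([^']*)'", cmd))

def port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, timed out, or no network at all
        return False

def check_manager(cmd: str) -> dict:
    """Confirm the command points at a single manager, then probe its ports."""
    props = parse_agent_command(cmd)
    manager = props.get("WAZUH_MANAGER", "")
    registration = props.get("WAZUH_REGISTRATION_SERVER", manager)
    return {
        "manager": manager,
        "consistent": bool(manager) and manager == registration,
        "ports": {name: port_open(manager, p) for name, p in WAZUH_PORTS.items()},
    }

if __name__ == "__main__":
    result = check_manager(GENERATED_CMD)
    print(f"manager {result['manager']} consistent={result['consistent']}")
    for name, ok in result["ports"].items():
        print(f"  {name:<10} {WAZUH_PORTS[name]:>5}/tcp  {'open' if ok else 'CLOSED'}")
```

Run it from the Windows VM (or from Kali on the same LAN) and fix any CLOSED port in the OPNsense rules before enrolling.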

That's all 😄 Super easy to install the agent. Check your Wazuh instance and you'll see a live host:

Epic

That's pretty much the foundation of this lab done. Take a look at the next post on checking out the security events in Wazuh.
