Building a SIEM at Home
How I set up an Onion at My house… Diagrams… ideas… configs
Use vendor docs because blogs about how to build a solution don’t age well… but the ideas do
This lab gives you time on the keyboard, especially when combined with the Pivoting Through the Noise post. The Investigating Shellcode post shows how building a SIEM at home pays off in practice.
Objective of Building a SIEM at Home: Learn how to take a capable home network and turn it into a Network Security Monitoring Lab.
Requirements:
- Basic networking knowledge (a basic understanding of subnets and network segmentation)
- Ability to Google vendor instructions and YouTube videos (See How to Engineer like a Rockstar)
- A network capable of having more than one subnet and the ability to copy all network traffic to an Ethernet port
The best way to get good at anything is to practice it. Practice it a lot. One of the best ways to start learning to analyze network traffic for anomalies and malicious activity is to look at your home network traffic as often as you can in a meaningful way. The more you understand what ‘normal’ looks like, the better off you will be. Simply running Wireshark on a laptop in your home won’t be enough to build the foundations described here.
The Security Onion Linux distribution is an amazing piece of free kit. It is a feature-rich, enterprise-ready Network Security Monitoring solution you can easily deploy at home. The following diagrams are merely examples of a nerd’s home network made into a laboratory. This doesn’t mean someone must go to this level of engineering to have an effective lab. The minimum capability recommended here is to deploy something like an Intel NUC (an Intel-based fanless computer) in such a way that it can see full packet captures of the traffic going between a cable modem (or similar media bridge) and a home Wi-Fi router/switch. The more advanced setup below is merely a guide.
If you need some tips on engineering check out How to Engineer like a Rock Star.
Why aren’t there step-by-step guidelines? They don’t age well.
Parts Lists (Prices Mid-2020)
Why MicroCenter? Because they are amazing if you have one nearby. Otherwise, there is always Amazon.
- Intel Nuc i3 ~ $299
- 8 GB of RAM ~ $32.99
- 1 TB Drive ~ $98 (250 GB works as well)
- Ethernet to USB ~ $13
- Netgate SG-4860 (Now the SG-5100) ~ $699
- Ubiquiti 8 Port Switch PoE ~ $119 (Other switches may actually do better at making span ports**)
- Ubiquiti WAP AC Pro ~ $134
- and Ubiquiti Cloud Key ~ $129
** Netgear has a switch that allows multiple ports to be spanned (mirrored) over to the single monitoring Ethernet port. Ubiquiti gear has some great features and is prosumer grade, but it is missing that one feature, which a switch at half the cost can do. Look at the online manual for the switch you are considering to see if it can mirror many ports to one. If you have no idea what I am talking about, read on.
Total: ~$1,523.99
A word about the cost: paying for lab time that gives you the ability to conduct real network security monitoring would cost roughly this much for 90 days. Why building it at home is beneficial:
- Strengthen Networking fundamentals
- See vast amounts of network data that is good, bad, ugly, and weird (this propels your learning!)
- Unlimited access time
- Enhance engineering skills
- Learn to pivot through the noise of a network hunting for bad
- Develop your own red v blue labs with Network Security Monitoring tied in
This can probably be done for less. The aim of my lab was to have a great network with high capability and prosumer-grade gear.
Network Overview
An overview of the network in its completed state. The first diagram is of the logical layout of the lab and devices.
The second diagram is how everything is hooked up in the lab.
One of the must-have features in the design is to ensure that traffic to and from the protected subnets can be mirrored (meaning every frame is copied) to the Security Onion’s monitoring Ethernet port.
The SIEM Install
Get the Network Built
If you don’t have a network, or are rebuilding it, start by getting the network up and running with the subnets set up. Yes, you can have only one subnet, but it will limit your capabilities.
To install each of the components, follow the manufacturer guidelines and YouTube videos applicable to your chosen products. Why is that not explained here, even for the products listed? Blogs don’t age well in terms of installs, and it’s outside the scope of this lab document. You got this! Keep in mind that a good start to the network is to segment it as laid out above (at a minimum). The goal of this lab document is not how to build awesome home networks; it is how to turn a capable home network into a Network Security Monitoring lab.
Example YouTube Channels that have been tremendously helpful in the past:
Suricata Vs Snort
Notes in brief: multi-threaded (probably going to change), non-standard ports, speed of searching all traffic for protocols. Mentioned here because this will be a choice for both the Onion and pfSense.
Onion Install
The Security Onion is a breeze to install on the NUC. Build the NUC, then simply follow the guides on the Onion site for the install.
You will be doing a ‘Stand Alone’ install.
Ensure that the Monitoring port is set to the built-in Ethernet port and the Management port to the USB-to-Ethernet port. Most likely the built-in Ethernet port will be first in the order of network interfaces following the loopback (lo) and will have a name similar to eno1. The USB-to-Ethernet adapter will create an interface with a name like enx503eaa2f7c7e, which will follow the wireless interface named wlpxxxx.
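The interface-naming rule above (built-in port first after lo, USB adapter named enx plus its MAC, wireless named wlp…) can be checked before the installer asks you to pick ports. This is an added example, not code from the post or from Security Onion; it parses abridged, constructed `ip -o link` output and applies the post’s convention (monitor = built-in Ethernet, management = USB adapter).

```python
import re

# Constructed, abridged `ip -o link` output for a NUC with an onboard NIC,
# a Wi-Fi card and a USB-to-Ethernet adapter (not captured from a real host).
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: wlp58s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
4: enx503eaa2f7c7e: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
"""

# "<index>: <name>: <flags>" ; the optional "@parent" covers VLAN sub-interfaces.
LINE_RE = re.compile(r"^(\d+): ([^:@\s]+)(?:@\S+)?: <([^>]*)>")


def classify(name):
    """Map a predictable interface name to the kind of device behind it."""
    if name == "lo":
        return "loopback"
    if name.startswith("enx"):          # enx + MAC address: USB Ethernet adapter
        return "usb-ethernet"
    if name.startswith(("eno", "enp", "eth")):
        return "ethernet"               # onboard (eno) or PCI slot (enp) NIC
    if name.startswith(("wlp", "wlo", "wlan")):
        return "wireless"
    return "other"


def pick_sensor_ports(ip_link_output):
    """Return the ports to give the installer: the first built-in Ethernet
    port becomes the monitor (sniffing) interface, the USB adapter becomes
    the management interface. Raises if either is missing."""
    monitor = management = None
    for line in ip_link_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        name = m.group(2)
        kind = classify(name)
        if kind == "ethernet" and monitor is None:
            monitor = name
        elif kind == "usb-ethernet" and management is None:
            management = name
    if monitor is None or management is None:
        raise LookupError("need one built-in Ethernet port and one USB-to-Ethernet adapter")
    return {"monitor": monitor, "management": management}
```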
PfSense Key Configurations
Interfaces
Aside from setting up the traditional subnets on the pfSense, two OPT interfaces on the pfSense were renamed and dedicated to the Security Onion: one for the management port and one for the monitor port (see the diagrams above as needed). To rename, or otherwise manage, interfaces the menu path is: Interfaces > [Name of the Interface].
The management interface was assigned a static IP address with a /30 CIDR space. A slash 30 allows some wiggle room for a second IP address for testing or experimenting.
The monitoring interface was assigned a static IP address with a /32. A slash 32 is given here as the monitoring port will only serve one purpose and one destination.
The desired configuration for the above ports can vary as desired though it is recommended to rename them to make it easy to quickly recall their purpose later on down the road.
These are the interface assignments that match the network map above. Other setups do not have to follow these precisely (obviously).
Bridges (Mirroring the Traffic)
Bridges will need to be created to make the span ports. Span ports are how frames are copied from the monitored subnet to the sensor. In this case there are two monitored subnets, and the traffic for each is copied frame for frame to a port where the Security Onion is set up to receive the packets. This is how the Security Onion (or a similar Intrusion Detection System) gains visibility “into” a target subnet.
PfSense Menu: Interfaces > Bridges. Select ‘+Add’.
The first span port is set up like the following:
Both span ports are created separately to keep the two subnets isolated without a lot of additional work creating firewall rules. When you bridge any two networks you also bring their broadcast domains into contact with each other, which can cause problems with services such as DHCP.
The second span port is set up as follows:
Firewall Rules
An example layout of firewall rules to create two isolated subnets while still allowing management and monitoring functions to occur.
In each case note the source net, destination net, and port are explicitly set. An example of one rule is the following rule to allow ssh traffic to the Security Onion’s management port.
The complete layout of the firewall rules for the general use subnet:
- A rule to ensure IPv6 traffic is not leaving your network.
- Allow SSH to the ONION_MGT port. Another reason for naming ports accordingly.
- Allow users access to the analyst ports for analysis work on the SecOnion
- Also, allow users to access the Sguil server on the SecOnion
- Allow OSSEC agents on Hosts to transmit their logs and alerts to the OSSEC Server on the SecOnion
- Isolate all other traffic from the LAN to the SecOnion
- Isolate the LAN from the LAB
- Finally, allow all traffic to the internet (the IPS built into the Pfsense is monitoring and blocking this downstream)
Suricata
To set up Suricata inline in the Pfsense it is recommended to go to the latest Pfsense Documentation. Be warned – it takes some tuning and some patience but it is well worth it. The idea is that the Pfsense is ultimately doing the blocking and the SecOnion is for the analyst to conduct investigations to make the determinations to tune the IPS as well as understand what is occurring on their network.
Logs Shipping
One of the greatest features of the SecOnion is that it ingests pfSense logs out of the box! That’s right. It’s about two clicks and a save away. On the pfSense the following settings are made. As always, refer to the latest documentation regarding copying pfSense logs to a remote host; in this case the SecOnion.
From the PfSense Docs at the time of this writing:
- Click Status > System Logs.
- Click the Settings tab.
- Check Enable syslog’ing to remote syslog server.
- Type the IP of the logging server (in this case the SecOnion Management Port) in the box next to Remote syslog server.
- Check the boxes for the log entries to forward.
- Click Save.
It will look something like this:
Some additional logging options will help tone down the noise as well. Keep in mind these rely on your own firewall rules being created with logging selected, because the firewall will no longer log the default rule blocks.
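What the SecOnion receives from the steps above is the pfSense filterlog format wrapped in syslog, which Security Onion parses into the `event_type:firewall` documents searched later in this post. This added example (not code from the post, pfSense or Security Onion) parses that CSV layout over constructed sample lines and counts inbound blocks per source on the WAN interface, the same question the heat map answers; the interface name igb0 and the addresses are assumptions.

```python
import re
from collections import Counter

# Constructed pfSense syslog lines (not captured from the author's network).
# filterlog CSV layout: rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,
# then IP-version-specific header fields, then protocol-specific fields.
SAMPLE_SYSLOG = """\
<134>Jun 10 12:00:01 pfSense filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,54321,0,none,6,tcp,60,203.0.113.7,192.0.2.10,40406,22,0,S,2189826766,,65535,,mss
<134>Jun 10 12:00:02 pfSense filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,54322,0,none,17,udp,78,203.0.113.7,192.0.2.10,5353,5353,58
<134>Jun 10 12:00:03 pfSense filterlog: 70,,,1591000000,igb1,match,pass,in,4,0x0,,128,1,0,DF,6,tcp,52,192.168.20.5,192.168.10.2,50123,22,0,S,1,,64240,,mss
<134>Jun 10 12:00:04 pfSense filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,54323,0,none,6,tcp,60,198.51.100.9,192.0.2.10,51000,3389,0,S,1,,65535,,mss
<134>Jun 10 12:00:05 pfSense sshd[1234]: Accepted publickey for admin from 192.168.20.5
"""

HEADER_RE = re.compile(r"filterlog(?:\[\d+\])?: (?P<csv>.*)$")
COMMON = ["rulenr", "subrulenr", "anchor", "tracker", "iface", "reason", "action", "dir", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto", "length", "src", "dst"]
IPV6 = ["class", "flow", "hoplimit", "proto", "proto_id", "length", "src", "dst"]


def parse_filterlog(line):
    """Return a dict of filterlog fields, or None for non-filterlog lines."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    fields = m.group("csv").split(",")
    rec = dict(zip(COMMON, fields[:9]))
    rest = fields[9:]
    if rec.get("ipver") == "4":
        rec.update(zip(IPV4, rest[:11]))
        rest = rest[11:]
    elif rec.get("ipver") == "6":
        rec.update(zip(IPV6, rest[:8]))
        rest = rest[8:]
    else:
        return None
    if rec.get("proto") in ("tcp", "udp") and len(rest) >= 2:
        rec["sport"], rec["dport"] = rest[0], rest[1]   # ports only exist for TCP/UDP
    return rec


def blocked_wan_sources(lines, wan_iface):
    """Count inbound blocks on the WAN interface by source address."""
    counts = Counter()
    for line in lines:
        rec = parse_filterlog(line)
        if rec and rec["action"] == "block" and rec["dir"] == "in" and rec["iface"] == wan_iface:
            counts[rec["src"]] += 1
    return counts
```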
SecOnion Firewall Rules
By default, the Security Onion will deny all traffic to the management port aside from an initial wide open SSH rule. Using the SO tools scripts (along with the latest docs) it is very easy to establish pathways for users in one subnet to be able to do the analysis, and hosts in both protected subnets able to ship their OSSEC logs to the Wazuh server on the SecOnion. An example of the desired end state looks like the following (also note the list of scripts related to SecOnion firewall management):
Fruits of the Labor from Building a SIEM at Home
Firewall Logs Displayed On Heat Map
The quickest way to see if the firewall logs are being ingested is to simply check the log count at the top of the firewall dashboard in Kibana on the Security Onion.
Once logs are being ingested into the Security Onion it is only a few clicks away to have a heat map of firewall blocks like this:
Once the ELK stack is up and running in the SecOnion you will be able to quickly set up a heatmap like the one above. The following steps will quickly create a heatmap:
- In Kibana go to the ‘Discover Tab’.
- Isolate only the firewall events from the logs by entering `event_type:firewall` into the search menu.
- Select source_geo.location and then visualize.
- Change the options for the map as desired.
- Save the visualization
- Select Dashboards, find, and select the firewall dashboard.
- Select Edit near the top of the dashboard, then add the map.
The following are helpful screenshots. Keep in mind this is only a guide and things change rapidly. Always check the latest documentation of the vendor.
Testing Testing Testing
Basic troubleshooting… Soon there will be a link to an upcoming article: “How to Engineer Like a Rockstar”
Here are some basic systems checks to get started with. It is strongly recommended to read through the official Sec Onion Documentation.
Security Onion Services
Run the command `sudo so-status`.
An OK means it’s working properly. Anything else means you need to wait a bit or restart the service. To restart a Security Onion service, run a command such as `sudo so-kibana-restart`.
Packet Captures
To check if packet captures are occurring, simply run the command `sostat` and take a look at the Packet Loss Stats.
Not too shabby for the little NUC setup we have here! Only 981 of 1.1 billion packets were dropped from the monitoring interface, and there is very little loss for either Zeek or Netsniff. As a guess, the drops occur when updates or other high loads run on the system.
Firewall Log Shipping
If your perimeter device is shipping logs and facing the Internet, it will begin logging hits almost immediately. You can confirm this with a quick search using the ‘Discover’ feature in Kibana: log into Kibana and search for firewall events with `event_type:firewall`.
That’s It
Completing this project takes a lot of effort but is well worth it. A lab like this in your home to practice Network Security Monitoring is one of the quickest ways to gain leaps and bounds in understanding the art of monitoring a network. From here it’s a matter of learning how to respond to alerts, tune the system, and eliminate false positives. Happy hunting!
Coming Soon…
An article on how to start learning to pivot through the noise, determine false positives, and find the adversary.
Thanks a lot. Great post.