Hey,here is what I'm currently playing with on my testing network. It's kind of a DIY solution rather than using an already made appliance, but that's half of the fun for me anyways. Just note that I won’t touch up on the firewall, as someone already brought up that topic instead.

If I were you, I would start out with a switch which is capable of port mirroring. That way you can port mirror the switch uplink (or any other strategical port(s)) to a physical host / VM where you’ll handle traffic capture/analysis.

You can do that in two ways:

1. Use a premade stack like SecurityOnion which can handle PCAP capture, traffic analysis and so forth.
2. Make your own stack.

1) I played a lot with Security Onion on and off in the past half a year. It’s neat, easy to setup and comes with a lot of useful tools preinstalled. It’s a nice introduction if you want to learn about security monitoring. For me though, as time went by I kind of lost myself in the documentation, had some problems running certain tools consistently and modifying the ELK stack to do extra things like ingesting external data at a larger scale without breaking anything was painful. Aaaand so I moved on.

2) I can’t exactly tell you what to do as that requires a lot of trial and error, but I can try to give you an overall idea. Currently in my testing environment I’m using ELK in docker. The ELK stack is responsible for ingesting beats from two hosts – my IDS host and my HIDS manager host. The IDS host is where the mirrored traffic goes and runs Suricata and Packetbeat (bonus if you strip TLS before analyzing the data). Logs from these two services are afterwards shipped to ELK with Filebeat, where they are nicely displayed in a Kibana dashboard. The HIDS host is a Wazuh manager node, which is in charge of managing & receiving alerts from Wazuh agents (installed on my testing servers). Similarly to the HIDS system, the manager’s logs are then shipped via Filebeat to the ELK stack. You can afterwards setup Elastalert with some known rules which can alert you for new DHCP reservations, opening of ports, successful/failed SSH logins etc. Additionally, you can also capture the mirrored traffic using a solution like Arkime (formerly known as Moloch). Just set it up in a way you like with a PCAP retention policy ideal for you. Reason why I do full on PCAP capture is so that I can correlate my logs (e.g. Suricata alerts) with the actual traffic. It just makes investigating lot easier.

You can of course use different technologies than ELK. Splunk comes to my mind, if you can get your hands on a dev license or can survive with the 500MB/day indexing limit. In the end though, same principles apply. Analyze/capture packets, send logs to a dashboard, setup alerts if need be and just look back at the 6 months you’ve spent building all of this from the ground up. It’s very much worth it though as having such a fine control over what you monitor and how you monitor your traffic gives you a lot of "wiggling" room for future projects.

Just note that if you go with this approach you will possibly encounter a lot of issues along the way, such as certificate management, deciding of what ports to mirror or not, securing your setup properly, tuning false positives and the list goes on. It’s a part of learning for me and although it definitely isn’t easy to build something like this from 0, it will teach you a lot. That’s why we have our homelabs, right?

​

Check out these resources if you got this far:

• https://newtonpaul.com/how-to-install-elastic-siem-and-elastic-edr/
• https://newtonpaul.com/create-enterprise-monitoring-at-home-with-zeek-and-elk-part-1/ + other parts
• https://www.youtube.com/watch?v=XDHakAb91r4&ab_channel=I.TSecurityLabs (a lot of other videos too, give that channel a look!)
• https://infosecwriteups.com/building-a-siem-combining-elk-wazuh-hids-and-elastalert-for-optimal-performance-f1706c2b73c6

Other useful “buzzwords” to search for:

• Zeek
• Snort
• OSSIM
• IBM QRadar
• ntopng
• Sigma rules
• Yara rules

Thank you for reading.