Home cyber range

I was trying to create a cyber range at the university, using 2 physical machines and one TP-Link switch (and a router, but without results even with it). I have one side/machine (defensive) with Graylog, Elasticsearch and MongoDB, and another with Kali, where I will perform different attacks on the first machine. There are a few final things that I need to implement: network traffic capture with something that will send data to Graylog (NetFlow), and then analyse it to prevent these attacks or alert about them.

My environment:
Defensive machine - OS: Ubuntu 22.04 (Elasticsearch 7+, Graylog 4+, MongoDB (required))
Offensive - OS: Kali Linux (one of the latest)

Available misc:
Switch TP-Link TL-SF1008D, and a TL-WR740N SOHO router; recently I found a Cisco ASA 5505 (but for now I don't have a console cable to configure it)

First I thought about NetFlow. I installed it (nfdump (and nfcapd), fprobe) on the "defensive" machine with port 2055; sometimes it wrote some logs on the machine, sometimes not at all. Then I was wondering how to connect this to Graylog. The first thing that I did was try to make a NetFlow UDP input on port 2055, but it was already used by nfcapd, so I created a port translation with iptables (sudo iptables -t nat -A PREROUTING -p udp --dport 2055 -j REDIRECT --to-port 2056) and added some rules in ufw to allow traffic on those ports; it didn't work. Then I tried Logstash (with the gelf plugin and ), but I didn't get the desired result.

Hope that someone has had a similar home/work lab and would help me implement this too :)
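An added example (not code from this thread or from Graylog) showing the two pieces the post is struggling with: what the NetFlow v5 datagrams that fprobe exports actually contain, and a small UDP fan-out so one exporter can feed both nfcapd and a Graylog NetFlow UDP input without an iptables REDIRECT. It assumes fprobe is exporting v5 to port 2055 on the same host, and that nfcapd is moved to 2056 and the Graylog input bound to 2057 (assumed ports; the thread only mentions 2055 and 2056).

```python
import socket
import struct
from collections import namedtuple

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte NetFlow v5 header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte v5 flow record
Flow = namedtuple("Flow", "src dst sport dport proto packets octets")

def parse_netflow_v5(datagram: bytes) -> list:
    """Decode one NetFlow v5 datagram (the format fprobe exports) into flow records."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count exceeds datagram length")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        # r[0]/r[1] addresses, r[9]/r[10] ports, r[13] protocol, r[5]/r[6] pkts/octets
        flows.append(Flow(socket.inet_ntoa(r[0]), socket.inet_ntoa(r[1]),
                          r[9], r[10], r[13], r[5], r[6]))
    return flows

def relay(sock, datagram: bytes, targets: list) -> int:
    """Copy one exporter datagram to every collector; returns how many were sent."""
    for host, port in targets:
        sock.sendto(datagram, (host, port))
    return len(targets)

def build_sample_datagram() -> bytes:
    """Constructed two-flow packet for testing; not captured from a real network."""
    hdr = V5_HEADER.pack(5, 2, 1000, 1700000000, 0, 1, 0, 0, 0)
    ssh = V5_RECORD.pack(socket.inet_aton("10.0.0.5"), socket.inet_aton("10.0.0.10"), b"\0" * 4,
                         1, 2, 20, 1500, 100, 900, 44321, 22, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    dns = V5_RECORD.pack(socket.inet_aton("10.0.0.10"), socket.inet_aton("10.0.0.1"), b"\0" * 4,
                         2, 1, 1, 78, 950, 950, 53412, 53, 0, 0, 17, 0, 0, 0, 24, 24, 0)
    return hdr + ssh + dns

if __name__ == "__main__":
    # Bind where fprobe exports (2055) and fan out; 2056 (nfcapd) and 2057 (Graylog) are assumed.
    inbound = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    inbound.bind(("0.0.0.0", 2055))
    out = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    while True:
        data, _ = inbound.recvfrom(65535)
        relay(out, data, [("127.0.0.1", 2056), ("127.0.0.1", 2057)])
```

Running the relay instead of the iptables rule means both collectors keep receiving every datagram, and parse_netflow_v5 lets you check on the wire that the exporter is really sending v5 before blaming the Graylog input.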

Hey @ioptrix

Why can't you use the same NetFlow input for both devices?

Hello gsmith,

As I said earlier, I can't do it because of the daemon that already collects data (nfcapd) and is listening on port 2055. Maybe I am wrong about something, but for now I can't implement it.

Can you share how you used it, or made a similar project?

Hey @ioptrix

I'm actually at work; for my home lab stuff you can catch me on Discord if need be. I'm in the Graylog Discord channel.

OK, I'll catch you there, thanks
