I was trying to create a cyber range in the university, using 2 physical machines and one TP-Link switch (and router, but without results even with it). I have one side/machine (defensive) with graylog, elasticsearch and mongodb, and other with Kali, where I will perform different attacks to the first machine. There are final things, that I need to implement: network traffic capture with smth that will send data to graylog (NetFlow) and then analyse it to prevent this attacks or alert about it.
My environment:
Defensive machine - OS: Ubuntu 22.04 (elasticsearch 7+, graylog 4+, mongodb (required))
Offensive - OS: Kali Linux (one of the lastest)
Available misc:
Switch TP-Link TL-SF1008D, and TL-WR740N SOHO router; Recently I have found Cisco ASA 5505 (but for now I don’t have Console cable to configure it)
First I thought about NetFlow, I installed it (nfdump (and nfcapd), fprobe) to “defensive” machine with port 2055, sometimes it wrote some logs on the machine, sometimes not at all. Then I was wondering how to connect this to graylog, first thing that I did - tried to make an input for NetFlow UDP to port 2055, but it was already used by nfcapd, then I had created a port translation with iptables (sudo iptables -t nat -A PREROUTING -p udp --dport 2055 -j REDIRECT --to-port 2056) and added some rules to allow traffic from ports in ufw, it didn’t work, then I had tried the logstash (with gelf plugin and ), but I didn’t get desired result.
Hope, that someone had same alike home/work lab, and would help me implement this too 