MalwareLab<p>During the <a href="https://infosec.exchange/tags/SharkBytes" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SharkBytes</span></a> session at <a href="https://infosec.exchange/tags/SharkFest" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SharkFest</span></a> conference I had an opportunity to present a lightning talk about my pet project called IDS Lab.<br>It is a lab infrastructure deployable as docker containers, which simulates the small company network.</p><p>The IDS Lab consists of web webserver with <a href="https://infosec.exchange/tags/Wordpress" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Wordpress</span></a>, <a href="https://infosec.exchange/tags/MySQL" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MySQL</span></a> database, <a href="https://infosec.exchange/tags/Linux" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Linux</span></a> desktop with RDP, the <a href="https://infosec.exchange/tags/WireGuard" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>WireGuard</span></a> VPN for "remote" workers and for connecting another virtual or physical machines into the lab network.<br>This part of infrastructure can be used for attack simulations.</p><p>There are additional components for playing with logs and detections, too: <a href="https://infosec.exchange/tags/Fluentbit" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Fluentbit</span></a>, <a href="https://infosec.exchange/tags/Suricata" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Suricata</span></a> and <a href="https://infosec.exchange/tags/OpenObserve" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenObserve</span></a> as lightweight SIEM. </p><p>In the <a href="https://infosec.exchange/tags/SIEM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SIEM</span></a> we already have preconfgured dashboards for alerts, netflows, web logs and logs from windows machines, if present.</p><p>Using the provided setup script, the whole lab can be up and running in up to 5 minutes. For more info, please check my GitHub repository with the IDS Lab:</p><p><a href="https://github.com/SecurityDungeon/ids-lab/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/SecurityDungeon/ids</span><span class="invisible">-lab/</span></a></p><p><a href="https://infosec.exchange/tags/sf24eu" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>sf24eu</span></a> <a href="https://infosec.exchange/tags/wireshark" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>wireshark</span></a> <span class="h-card" translate="no"><a href="https://ioc.exchange/@wireshark" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>wireshark</span></a></span></p>