Created by: Adam Snyder & Kyle Questad
Institution: Grand Canyon University
Project Type: Self-Paced Cybersecurity Lab
This project involved designing and implementing a comprehensive virtualized SOC (Security Operations Center) lab environment consisting of six virtual machines connected through a custom-configured LAN to simulate a realistic enterprise network.
On the defensive side, we deployed:
- Wazuh — centralized SIEM for log aggregation, analysis, and alerting
- Snort 3 — network-based intrusion detection system (IDS/IPS)
- Suricata — network intrusion detection system (NIDS)
- Custom Snort rules — tailored to our environment for meaningful alert categorization
On the offensive side, we configured a dedicated Kali Linux attacker VM to perform a range of attack techniques including network scanning, brute force, DoS, and Man-in-the-Middle attacks — all detected and correlated within the Wazuh SIEM dashboard.
| VM | Hostname | OS | IP Address | Role |
|---|---|---|---|---|
| Host 1 | KaliATTACK | Kali Linux | 192.168.100.20 | Attacker |
| Host 1 | WindowsAgent | Windows 10 | 192.168.100.12 | Agent / Victim |
| Host 2 | UbuSIEM | Ubuntu Desktop | 192.168.100.11 | Wazuh SIEM |
| Host 2 | snortubuntu1 | Ubuntu Server | 192.168.100.30 | Snort IDS Server |
| Host 2 | KaliAgent1 | Kali Linux | 192.168.100.10 | Agent / Victim |
All VMs are connected on a private LAN (192.168.100.0/24) with a bridged network adapter for LAN communication and a NAT adapter for internet access.
- Installed Wazuh (indexer, manager, and dashboard) on the Ubuntu SIEM VM
- Deployed Wazuh agents on all victim VMs (Kali Agent, Windows Agent, Snort Server)
- Created custom `snort3_rules.xml` and `snort3_decoders.xml` to parse and categorize Snort 3 alerts by attack type and severity
- All alerts successfully forwarded to and displayed in the Wazuh dashboard
Wazuh SIEM dashboard displaying correlated Snort3 IDS alerts from the Snort server agent
- Compiled and installed Snort 3 from source on Ubuntu Server VM
- Configured `snort.lua` with community rules (8,496 rules loaded)
- Enabled `alert_fast` output logging to `/var/log/snort/alert_fast.txt`
- Integrated with the Wazuh agent using the `snort-fast` log format
- Configured as a systemd service (`snort3.service`) for auto-start on boot
Snort3 alert_fast.txt showing detected attacks including port scans and ARP spoofing
- Installed Suricata on the Kali Agent VM
- Configured `suricata.yaml` with the correct HOME_NET subnet and network interface
- Created a custom ICMP detection rule for the lab environment
- Integrated with Wazuh using the `eve.json` log format and JSON decoder
Suricata suricata.yaml configuration showing HOME_NET and interface settings
Suricata alerts successfully forwarded and displayed inside the Wazuh SIEM dashboard
All attacks were launched from the attacker VM (192.168.100.20) against the victim VM (192.168.100.10) and detected by Snort 3 or Suricata, with alerts correlated in the Wazuh SIEM dashboard.
- Tool: Nmap
- Commands:

```bash
nmap -sS 192.168.100.10   # SYN port scan
nmap -O 192.168.100.10    # OS fingerprinting
nmap -sV 192.168.100.10   # Service version scan
```
- Result: Discovered open ports — FTP (21), SSH (22), HTTP (80) — and identified target OS as Linux 4.15-5.19
Nmap OS fingerprint revealing 3 open services and Linux OS details on the victim VM
- Tool: Hydra + rockyou.txt wordlist
- Command:

```bash
hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.100.10 ssh -t 4 -V
```
- Result: 14,344,399 password attempts launched against SSH on port 22, detected by Suricata as invalid SSH attempts
Hydra brute force attack against SSH service with Suricata alert correlation in Wazuh
- Tool: hping3
- Command:

```bash
hping3 -S --flood -V -p 80 192.168.100.10
```
- Result: 343,551 packets transmitted to port 80, causing 100% packet loss, triggering thousands of alerts in Wazuh
hping3 SYN flood transmitting 343,551 packets to the victim's web server on port 80
- Tool: arpspoof
- Command:

```bash
arpspoof -i eth1 -t 192.168.100.10 192.168.100.1
```
- Result: Victim's ARP cache poisoned, redirecting network traffic through the attacker VM — Man-in-the-Middle (MitM) attack successfully executed and detected by Snort
ARP spoof poisoning the victim's ARP cache to intercept network traffic (MitM attack)
- Tool: Nikto
- Command:

```bash
nikto -h 192.168.100.10
```
- Result: Identified Apache 2.4.66 with multiple misconfigurations — missing security headers, exposed HTTP methods, and CVE-2003-1418 (XSS vulnerability)
Nikto identifying Apache misconfigurations including missing security headers and XSS vulnerability
- Tool: Hydra + rockyou.txt wordlist
- Command:

```bash
hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.100.10 ftp -t 4 -V
```
- Result: Brute force credential attack against FTP service on port 21, detected and alerted by Suricata in Wazuh
Hydra FTP brute force attack with corresponding Suricata alerts in Wazuh dashboard
- Snort 3 Configuration: Snort was compiled from source, meaning the default config paths didn't exist, and the systemd service file required multiple fixes, including changing `Type=forking` to `Type=simple` and correcting the network interface, before it would run reliably
- Wazuh Agent Connectivity: The Wazuh agent repeatedly failed to connect to the manager whenever the Wazuh Manager VM was powered off, requiring manual restarts
- Custom Decoder Placement: Snort alerts were not appearing on the dashboard because the custom decoder and rules files were created on the agent VM instead of the Wazuh Manager VM where all log parsing takes place
- Regex Syntax Errors: The initial prematch regex in the Snort decoder caused repeated syntax errors preventing the Wazuh Manager from starting, requiring simplification to match Snort 3's alert log format
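As an added illustration of what the custom decoder and rule files do (this is example code written for this page, not the lab's `snort3_decoders.xml`/`snort3_rules.xml` or any Wazuh code), the Python below applies the same two-stage approach: a cheap prematch on the `[**]` marker to decide whether a line is a Snort 3 alert at all, then field extraction, with Suricata `eve.json` `alert` records parsed into the same schema so both sensors can be counted together per source IP and attack type. The Snort 3 `alert_fast` layout, the eve.json field names, the signature IDs and messages, and the keyword-to-attack-type mapping are all assumptions or constructed for the example.

```python
import json
import re
from collections import Counter, defaultdict

# Stage 1 (prematch): cheap test that a line is a Snort 3 alert_fast record.
SNORT_FAST_PREMATCH = re.compile(r"^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+\s+\[\*\*\]")
# Stage 2 (fields): the Classification block is absent when a rule has no classtype.
# Layout assumed from Snort 3 alert_fast output; verify against your own log.
SNORT_FAST_FIELDS = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r'"(?P<msg>[^"]*)"\s+\[\*\*\]\s+'
    r"(?:\[Classification:\s+(?P<category>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)
# Snort priority and Suricata severity share the scale 1 (highest) .. 4.
SEVERITY = {1: "high", 2: "medium", 3: "low"}
# Illustrative keyword heuristic for "attack type"; first match wins, so order matters
# and the lists must be tuned to the rule set actually loaded.
ATTACK_TYPES = [
    ("mitm", ("arp", "spoof")),
    ("dos", ("flood", "dos")),
    ("brute_force", ("brute", "login", "authentication")),
    ("reconnaissance", ("scan", "probe", "ping")),
]


def _split_endpoint(endpoint):
    """'192.168.100.20:43512' -> ('192.168.100.20', 43512); IPv4 only, port optional."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def classify_attack(msg, category):
    text = f"{msg} {category or ''}".lower()
    for attack_type, keywords in ATTACK_TYPES:
        if any(k in text for k in keywords):
            return attack_type
    return "other"


def _normalize(source, sid, msg, category, priority, proto, src_ip, src_port, dst_ip, dst_port):
    return {"source": source, "sid": sid, "msg": msg, "category": category,
            "severity": SEVERITY.get(priority, "info"),
            "attack_type": classify_attack(msg, category), "proto": proto,
            "src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip, "dst_port": dst_port}


def parse_snort_fast(line):
    """Normalized event for one alert_fast line, or None if the line is not one."""
    if not SNORT_FAST_PREMATCH.match(line):
        return None
    m = SNORT_FAST_FIELDS.match(line.rstrip("\n"))
    if not m:
        return None  # prematch hit but layout differs: treat as undecodable
    src_ip, src_port = _split_endpoint(m["src"])
    dst_ip, dst_port = _split_endpoint(m["dst"])
    return _normalize("snort3", int(m["sid"]), m["msg"], m["category"],
                      int(m["priority"]), m["proto"], src_ip, src_port, dst_ip, dst_port)


def parse_eve_alert(line):
    """Normalized event for a Suricata eve.json 'alert' record, else None."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if rec.get("event_type") != "alert":
        return None  # flow, dns, stats ... records are not alerts
    a = rec["alert"]
    return _normalize("suricata", a["signature_id"], a["signature"], a.get("category"),
                      a.get("severity", 3), rec.get("proto"), rec.get("src_ip"),
                      rec.get("src_port"), rec.get("dest_ip"), rec.get("dest_port"))


def ingest(snort_text, eve_text):
    events = [e for e in map(parse_snort_fast, snort_text.splitlines()) if e]
    events += [e for e in map(parse_eve_alert, eve_text.splitlines()) if e]
    return events


def summarize(events):
    """Count events per source IP and attack type: {src_ip: {attack_type: n}}."""
    per_src = defaultdict(Counter)
    for e in events:
        per_src[e["src_ip"]][e["attack_type"]] += 1
    return {ip: dict(c) for ip, c in per_src.items()}


def flag_bursts(summary, threshold):
    """(src_ip, attack_type) pairs at or above the threshold, like a SIEM frequency rule."""
    return [(ip, t) for ip, counts in summary.items() for t, n in counts.items() if n >= threshold]


# Constructed sample input in both formats (not captured from the lab).
SAMPLE_SNORT_FAST = """\
03/18-10:40:13.129344 [**] [1:1000001:1] "LAB-ICMP ping from attacker" [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.100.20 -> 192.168.100.10
03/18-10:41:02.004512 [**] [1:1000002:1] "LAB-SCAN TCP SYN scan" [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.100.20:43512 -> 192.168.100.10:22
03/18-10:41:02.004880 [**] [1:1000002:1] "LAB-SCAN TCP SYN scan" [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.100.20:43513 -> 192.168.100.10:80
03/18-10:45:30.771201 [**] [1:1000003:1] "LAB-DOS SYN flood threshold" [**] [Priority: 1] {TCP} 192.168.100.20:1234 -> 192.168.100.10:80
not a snort alert line, must be ignored
"""


def _eve_ssh(ts, sport):  # constructed eve.json alert record for the SSH brute-force case
    return {"timestamp": ts, "event_type": "alert", "src_ip": "192.168.100.20",
            "src_port": sport, "dest_ip": "192.168.100.10", "dest_port": 22, "proto": "TCP",
            "alert": {"gid": 1, "signature_id": 1000101, "rev": 1,
                      "signature": "LAB-SSH brute force attempt",
                      "category": "Attempted Administrator Privilege Gain", "severity": 1}}


SAMPLE_EVE_JSON = "\n".join(json.dumps(r) for r in [
    _eve_ssh("2024-03-18T10:50:01.000000+0000", 51000),
    _eve_ssh("2024-03-18T10:50:01.200000+0000", 51001),
    {"timestamp": "2024-03-18T10:50:02.000000+0000", "event_type": "flow",
     "src_ip": "192.168.100.20", "dest_ip": "192.168.100.10", "proto": "TCP"},
])

if __name__ == "__main__":
    evts = ingest(SAMPLE_SNORT_FAST, SAMPLE_EVE_JSON)
    for ip, counts in summarize(evts).items():
        print(ip, counts)
    print("bursts:", flag_bursts(summarize(evts), threshold=2))
```

The regexes above are Python `re`; Wazuh's decoder `<prematch>` and `<regex>` elements default to Wazuh's own OS_Regex dialect rather than PCRE, which is why a prematch that looks fine in a regex tester can still refuse to load on the manager. Keeping the prematch short and anchored on the fixed `[**]` marker, and leaving the optional Classification block to the field regex, keeps it cheap and easy to validate.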
| Tool | Purpose |
|---|---|
| Wazuh | SIEM — log aggregation, alerting, dashboard |
| Snort 3 | Network IDS/IPS |
| Suricata | Network IDS (NIDS) |
| Nmap | Network reconnaissance |
| Hydra | Brute force attacks |
| hping3 | SYN flood DoS |
| arpspoof | ARP spoofing / MitM |
| Nikto | Web vulnerability scanning |
| VirtualBox | VM hypervisor |
| Kali Linux | Attacker and agent OS |
| Ubuntu | SIEM and Snort server OS |
| Windows 10 | Agent OS |