Adding a Comprehensive Wazuh SIEM and Network Intrusion Detection System (NIDS) to the VMware Lab

In this module, we will take a look at the process of setting up a comprehensive Wazuh SIEM, including a NIDS and some HIDS agents, in our VMware Workstation Pro home lab.
In: VMware, VMware Cybersecurity Lab Project, Defend, Home Lab, Wazuh, SIEM
ℹ️
This page is part of a larger series on building a cybersecurity lab using VMware Workstation Pro. Click here to be taken back to the project home page.

Previous Step

Adding Another Interface to pfSense in VMware Workstation
In this module, we will look at the process of adding an additional interface to the pfSense VM when the VMware Workstation GUI only shows four available interfaces.



Order of Operations


Click here to view this diagram in a new tab
  1. Add an additional interface to the pfSense VM
  • This interface will serve as the target for all of the SPAN configurations
  • The SPAN configurations will create copies of each Ethernet frame from each interface and send them to the SPAN port
  2. Install the Wazuh Stack as an all-in-one installation
  • Use the quick setup script to install the following services:
    • Wazuh Indexer
    • Wazuh Manager
    • Wazuh Dashboard
  3. Install the NIDS component on the same VM
  • Suricata will capture packets from the SPAN interface
  • It will output logs in JSON format, which will be read by Wazuh Manager
  4. As your lab grows, install Wazuh Agents on your Linux and Windows VMs
  • Install agents on any hosts you want to monitor
  • The hosts need to be able to communicate with the Wazuh Manager's IP address over tcp/1514 and tcp/1515 (can also be configured for UDP if desired)



Desired End State

pfSense VM

  • New interface added and SPAN configurations created

Wazuh Stack + NIDS

  • Configured network interfaces
  • Installed and configured Wazuh Stack
    • Log into Wazuh Dashboards
    • Ensure all connections are working
  • Installed and configured Suricata
    • Capturing packets from SPAN
    • Wazuh Manager is configured to read Suricata logs

Wazuh Agents

  • Wazuh Agent is installed on any host to be monitored
  • Wazuh Agent can communicate with Wazuh Manager IP over tcp/1514 and tcp/1515



Enabling Packet Capture

🚨
Please note that this step is COMPLETELY OPTIONAL. If you'd rather not work through the SIEM setup right now, you can continue on to the next step and come back here later.

pfSense SPAN Port

Overview of the Changes

In this step, we are going to add an additional interface to the pfSense VM, much like we did in the previous step, but in the case of this new interface, it will serve the sole purpose of being a SPAN port to capture packets.


Click here to view this diagram in a new tab

In the case of this diagram, we are doing the following:

  1. Adding a new interface to the pfSense VM called SPAN
  2. Attaching the SIEM / IDS to the LAN and SPAN interfaces
  3. The LAN interface provides a DHCP address to the SIEM
    • The SPAN interface does not get any IP assignment and is simply used to receive frames copied from each interface, which in this case are:
      • LAN
      • ISOLATED
      • AD_LAB
      • SEC_EGRESS
  4. With the Ethernet frames flowing to the SPAN interface:
    • Suricata on the IDS host will analyze the packets and generate logs
    • Wazuh will be configured to ingest the log file(s)



Adding the SPAN Port

💡
No need to power off the VM as the NIC is hotpluggable.
Right-click the pfSense VM > Settings > Add...
Add a "Network Adapter" > LAN Segments... > Add a new LAN Segment cyber-range-span
Put "Network Adapter 6" on cyber-range-span



Configure the New Interface

ℹ️
We're going to use the Kali VM to log into the pfSense web configurator and set up the new interface
Go to Interfaces > Assignments > note em5 is now available
Click the + Add button. Then, click on OPT4.
Configure EXACTLY as shown > Save > Apply Changes



Configure the Span Ports

💡
We need to configure each SPAN port one at a time. If we select all of the target interfaces as member interfaces, this puts them all on the same broadcast domain, which we do not want.

Also, moving forward, if you add any additional subnets to your pfSense cyber range, you'll need to repeat this procedure for the traffic to be captured by the NIDS.

LAN to SPAN

Interfaces > Assignments > Bridges > + Add
Select LAN > Show Advanced > Select SPAN_PORT > click Save

ISOLATED to SPAN

Click Save

AD_LAB to SPAN

Click Save

SEC_EGRESS to SPAN

Click Save

Desired End State



Adding the Wazuh Stack

Ubuntu Server OVA

ℹ️
The reason we're not using the Wazuh OVA as I had with the VirtualBox lab is due to severe performance issues when running in VMware Workstation.

We are going to use the same specs that would be configured with the Wazuh OVA appliance:

  • 4 CPU
  • 8 GB RAM
  • 50 GB Disk
⚠️
The requirements are reasonable given the tech stack, but this does add some additional demand and stress to your lab environment. You may need to shut down some other VMs in order to run the SIEM and save resources.

Import the OVA

Ubuntu 24.04 LTS (Noble Numbat) daily [20250626]

Ubuntu Noble Numbat is the current LTS image as of this writing

Download the .ova file, which is ready-made for VMware (and VirtualBox)
Once downloaded, double-click the .ova file and begin the import procedure
Set the password here; you will be prompted to change it upon login
⚠️
The VM will auto-boot after import. Let the boot process complete, as we will be logging in and changing the password. Then, we will shut down for additional configuration.
  • Username: ubuntu
  • Password: wazuh — or whatever you assigned in the window above
Change your password as instructed
sudo poweroff

Power off the VM for additional configuration



Configure the VM

Right-click the VM > Settings
8 GB RAM
4 CPU
Hard Disk > Expand > 50 GB > Expand
Click "Network Adapter" > LAN Segments... > Add cyber-range-span
"Network Adapter" is on cyber-range-LAN
"Network Adapter 2" is on cyber-range-span
You may now power on the VM



Add a DHCP Reservation

Log into pfSense using your Kali VM and go to Status > DHCP Leases...

Click the transparent plus to add a static mapping
I'm giving my Wazuh Server a DHCP reservation of 10.0.0.3 > Click Save and Apply Changes
sudo systemctl restart systemd-networkd

Run this command on Wazuh Server to restart the network stack and pull a new DHCP lease

Successfully configured with the DHCP reservation



Expanding the Disk Partition

sudo fdisk -l output shows the disk is 50 GiB but the file system is 9G
Take a snapshot of the VM before proceeding!
sudo fdisk /dev/sda
command (m for help): F

Input F to list free sectors

command (m for help): d

Enter 1 to delete the first partition, which is the one we want to resize

command (m for help): n

Enter 1 to create partition one

  • First Sector: Press the ENTER key to accept the default
  • Last Sector: Press ENTER key to accept the default
  • Do you want to remove the signature? Enter N
command (m for help): w

Enter w to wr

Now reflects the correct size of the disk
sudo resize2fs /dev/sda1

Grow the file system to fill the enlarged partition

ℹ️
Reboot the VM to test the alterations to the partition table. If you encounter issues, restore your snapshot and try again.
sudo reboot
df -h / now shows the correct size



Installing the Wazuh Stack

Quickstart · Wazuh documentation
User manual, installation and configuration guides. Learn how to get the most out of the Wazuh platform.

Since this is a lab environment, we'll just use the all-in-one installation

Run the install script as shown here
Wait for the installation to complete...

When the installation completes, you should see the password for the admin user printed to the console. However, this VM doesn't support copying to clipboard, so I'm going to use the wazuh-passwords-tool.sh utility to change to something a little easier to type.

sudo /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh -u admin -p 'P@$$word123!'

Change P@$$word123! to a new password of your choice

sudo filebeat keystore add password

Update filebeat with your new admin password

sudo systemctl restart filebeat

Restart the filebeat service to use the new password



Logging into Wazuh Dashboard

ℹ️
You can use your Kali VM to log into Wazuh Dashboard, since they're both on the same LAN and there won't be any firewall issues blocking access.
You can reach the login page by navigating to https://10.0.0.3. Ignore any certificate / TLS warnings, as the service is using a self-signed certificate on the web server.

The login for the Wazuh Dashboard server is:

  • Username: admin
  • Password: changed using the wazuh-passwords-tool.sh utility
Initial look at the dashboard. We'll get some agents registered in a bit.



Install the NIDS

Auto-Raise Capture Interface

The second interface on the box is not active. We need to modify netplan to bring this interface up at boot.
sudo nano /etc/netplan/50-cloud-init.yaml
network:
  version: 2
  ethernets:
    ens192:
      match:
        macaddress: "00:0c:29:1a:e4:84"
      dhcp4: true
      dhcp6: true
      set-name: "ens192"

Before

⚠️
YAML is indentation-based, so be careful to use the correct number of leading spaces for each configuration line.
network:
  version: 2
  ethernets:
    ens192:
      match:
        macaddress: "00:0c:29:1a:e4:84"
      dhcp4: true
      dhcp6: true
      set-name: "ens192"
    ens32:
      dhcp4: false
      dhcp6: false
      optional: true

After (adds ens32)

sudo netplan apply
The interface is now marked "UP"



Packet Capture Test

In the screenshot below, I'm using tcpdump to listen on ens32 for packets coming from or going to 10.0.0.2 — which is Kali's IP address.

  • On the right, we can see Kali pinging 1.1.1.1
  • On the left, we can see the traffic in the packet capture
ℹ️
How does this work?

Kali sends ping requests to 1.1.1.1, which flow up the wire to pfSense, where the bridge0 interface we set up before copies each frame to the SPAN port listening on ens32.



Install and Configure Suricata

sudo apt install -y suricata
sudo nano /etc/suricata/suricata.yaml
⚠️
The suricata.yaml file is large and contains lots of nested configurations. I'm only going to highlight here any required changes to the file.
  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json

enabled: yes should be set by default, but we want to log in JSON format

# Linux high speed capture support
af-packet:
  - interface: ens32
    # Number of receive threads. "auto" uses the number of cores
    #threads: auto
    # Default clusterid. AF_PACKET will load balance packets based on flow.
    cluster-id: 99
    # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
    # This is only supported for Linux kernel > 3.1
...

Set to - interface: ens32 in order to capture packets on the correct interface

Configuration complete, press CTRL + x and then y to save changes to the suricata.yaml file



Select Suricata Rule Sources

sudo suricata-update update-sources
sudo suricata-update list-sources --free

List Suricata rule sources that do not require a key / token / license

sudo suricata-update enable-source et/open

Enable the et/open source

⚠️
Be aware that the more rulesets you enable, the more RAM and disk space will be required.
sudo suricata-update enable-source tgreen/hunting
sudo suricata-update enable-source stamus/lateral
sudo suricata-update enable-source aleksibovellan/nmap
sudo suricata-update

Run this command to pull the latest rulesets

sudo crontab -e

Edit the root user's crontab

@reboot /usr/bin/suricata-update
0 2 * * * /usr/bin/suricata-update

Update Suricata rulesets every day at 2 AM and any time the system boots

sudo systemctl enable --now suricata
systemctl status suricata
The service is running
ℹ️
Note that at this point with Suricata running, you're putting some additional stress on the VM. So monitor resources with sudo top or sudo htop and if needed, add more CPU and RAM to the box.



Configure Wazuh Manager

Now that Suricata is analyzing captured network traffic, any events will be written to /var/log/suricata/eve.json. We need to tell the Wazuh Manager to read and ingest the logs from the file.

sudo nano /var/ossec/etc/ossec.conf
⚠️
As previously done, I'll only be highlighting the parts where changes are made, as the ossec.conf file is quite large.
<ossec_config>
  <global>
    <rotate_interval>1d</rotate_interval>

Add the <rotate_interval></rotate_interval> frequency in the global section. This configuration rotates logs daily.

<ossec_config>
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>
</ossec_config>

Add this ENTIRE block to the BOTTOM of the file

sudo systemctl restart wazuh-manager

Restart the Wazuh Manager service to implement the changes
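The Suricata eve-log settings above and the Wazuh localfile block meet at one rule: Wazuh's json log format decodes eve.json one JSON object per line, and only event_type "alert" records carry the alert.* fields. The following is an added example, not code from this guide or from the Wazuh project, that parses a few constructed eve.json lines the way the decoder will see them, counts record types and summarizes alert records by signature and severity; the sample records, signature ids and names are constructed placeholders.

```python
import json
from collections import Counter

# Constructed sample EVE lines (not from the author's lab). Signature ids and
# names are placeholders, not real Emerging Threats rules.
SAMPLE_EVE = """\
{"timestamp": "2025-06-26T14:03:11.000000+0000", "event_type": "alert", "src_ip": "10.0.0.2", "src_port": 51234, "dest_ip": "10.80.80.2", "dest_port": 445, "proto": "TCP", "alert": {"signature_id": 1000001, "signature": "CONSTRUCTED SMB admin share access", "category": "Potential Corporate Privacy Violation", "severity": 1}}
{"timestamp": "2025-06-26T14:03:12.000000+0000", "event_type": "flow", "src_ip": "10.0.0.2", "dest_ip": "1.1.1.1", "proto": "ICMP"}
{"timestamp": "2025-06-26T14:03:13.000000+0000", "event_type": "alert", "src_ip": "10.0.0.2", "src_port": 51240, "dest_ip": "10.80.80.2", "dest_port": 88, "proto": "TCP", "alert": {"signature_id": 1000002, "signature": "CONSTRUCTED Kerberos probe", "category": "Attempted Information Leak", "severity": 3}}
{"timestamp": "2025-06-26T14:03:14.000000+0000", "event_type": "alert", "src_ip": "10.0.0.2", "src_port": 51241, "dest_ip": "10.80.80.2", "dest_port": 445, "proto": "TCP", "alert": {"signature_id": 1000001, "signature": "CONSTRUCTED SMB admin share access", "category": "Potential Corporate Privacy Violation", "severity": 1}}
not json: a pretty-printed or truncated record is skipped by Wazuh's json decoder
{"timestamp": "2025-06-26T14:03:15.000000+0000", "event_type": "stats", "uptime": 120}
"""

def parse_eve(text):
    """Decode eve.json the way <log_format>json</log_format> does: one JSON
    object per line. Returns (events, bad_lines); bad lines are skipped."""
    events, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            bad += 1
            continue
        if isinstance(obj, dict):
            events.append(obj)
        else:
            bad += 1
    return events, bad

def event_type_counts(events):
    """How much of the file is alerts versus flow/stats/dns/... records."""
    return Counter(ev.get("event_type", "<missing>") for ev in events)

def summarize_alerts(events):
    """Group event_type=alert records by signature. Suricata severity 1 is
    the most severe and 4 the least, so keep the minimum seen per signature."""
    summary = {}
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        alert = ev.get("alert", {})
        sig = alert.get("signature", "<no signature>")
        entry = summary.setdefault(sig, {"count": 0, "severity": 4, "pairs": set()})
        entry["count"] += 1
        entry["severity"] = min(entry["severity"], int(alert.get("severity", 4)))
        entry["pairs"].add((ev.get("src_ip"), ev.get("dest_ip"), ev.get("dest_port")))
    return summary

if __name__ == "__main__":
    evs, bad = parse_eve(SAMPLE_EVE)
    print(f"{len(evs)} events decoded, {bad} undecodable line(s)")
    print(dict(event_type_counts(evs)))
    by_sev = sorted(summarize_alerts(evs).items(), key=lambda kv: kv[1]["severity"])
    for sig, info in by_sev:
        print(f"sev {info['severity']} x{info['count']}: {sig} {sorted(info['pairs'])}")
```

Point parse_eve at the contents of /var/log/suricata/eve.json to check that Suricata is actually writing alert records, and not just flow and stats records, before expecting anything on the dashboard.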



Trim Logs

sudo crontab -e
# Run every day at 0400
# Find Suricata log files older than 30 days and delete
0 4 * * * find /var/log/suricata -maxdepth 1 -mtime +30 -type f -exec rm -f {} \; > /dev/null

# Run every day at 0400
# Delete Wazuh alert and archive files older than 30 days, then prune the empty
# YYYY/Mon directories they leave behind. Match files rather than directories:
# a year directory's mtime only changes when a new month subdirectory is created
# in it, so "-type d -mtime +30 -exec rm -rf" would remove the entire previous
# year, December's recent logs included, in the first days of January.
0 4 * * * find /var/ossec/logs/alerts /var/ossec/logs/archives -type f -mtime +30 -delete > /dev/null 2>&1; find /var/ossec/logs/alerts /var/ossec/logs/archives -mindepth 1 -type d -empty -delete > /dev/null 2>&1

Add these entries to root crontab below the one previously created



Prevent Unplanned Upgrades

Wazuh documentation

Link to Wazuh official documentation

When consulting the Wazuh official documentation, you should take note of one key requirement:

🚨
Wazuh agent versions should be less than or equal to that of the Wazuh Manager.

We want to avoid unplanned upgrades of the Wazuh Manager stack and the Wazuh agents. So, first we'll take care of this on the Wazuh Manager side.

sudo apt-mark hold wazuh-indexer
sudo apt-mark hold wazuh-dashboard
sudo apt-mark hold wazuh-manager
ℹ️
"Held" packages are not upgraded by apt. However, the latest package can still be installed explicitly by running sudo apt install -y wazuh-indexer, etc. In that case, you need to re-run sudo apt-mark hold wazuh-indexer, etc., for whatever was installed.



Installing the Wazuh Agent

Update pfSense Firewall Rules

Log into the pfSense web configuration console and navigate to Firewall > Rules > Floating.

Click the "Add (down)" button
ℹ️
If you add additional subnets to your lab, you will need to come back here and add them to this firewall rule later, in order for them to be able to forward logs to the Wazuh Manager.
Click "Save" and "Apply Changes"
Floating rules desired end state



Example: Installing on Windows

In this example, I'm going to install the Wazuh Agent on a Windows Server 2019 host (the domain controller in my AD_LAB LAN).

Wazuh agent - Installation guide · Wazuh documentation
Because I want to ensure my Wazuh Agent and Manager are on the same version, I'll use the + Deploy new agent button in the Wazuh Manager
Choose Windows and set the IP address to that of the Wazuh Manager's
This setting is OPTIONAL, so I'm going to skip it and use the "Default" group
We'll copy this command...

When copying the command, paste into a text editor such as notepad.exe on your Windows host. Then copy from notepad.exe and paste into the Windows VM. You may also need to install open-vm-tools on your Windows VM to enable clipboard access.

⚠️
Be sure to run the command with administrative privileges.
Running the command with administrative privileges on the Windows Server 2025 domain controller.
Get-Service WazuhSvc

Check if the service was installed

Get-Service WazuhSvc | Start-Service

Once installed, start the service

Wazuh Manager now shows 1 active agent



Integrate Sysmon

This is a great way to extend the monitoring capabilities on your Windows hosts. In this article, I show you how to:

  • Download the Sysmon ruleset for Wazuh Manager
  • Install Sysmon on Windows hosts
  • Create a Wazuh Agent group and add Windows hosts to the group
  • And ingest the Sysmon logs from your Windows endpoints using the Wazuh Agent
Wazuh: Mapping Sysmon Events to MITRE ATT&CK IDs
In this post, I show how I implemented and worked around some issues while adding an enhanced ruleset mapping Sysmon events to ATT&CK IDs.



Testing Capabilities

I am running the example commands on my Kali VM and targeting my domain controller at 10.80.80.2. The credentials I'm using come from the AD lab exercises in the previous parts of this home lab series.

impacket-secretsdump -outputfile 'dcsync.txt' 'ad.lab/Administrator:P@$$word123!'@10.80.80.2
DC Sync attack on the domain controller
impacket-psexec 'ad.lab/Administrator:P@$$word123!'@10.80.80.2
Impacket psexec.py on the domain controller
sudo nmap -Pn --top-ports 50 10.80.80.2
Simple port scan of the top 50 ports against the domain controller
Now, we're seeing some alerts!
Click the "Threat Hunting" tile
Click the "Level 12 or above alerts" tile
Click the "Events" tab
Events for the psexec.py service including running whoami as SYSTEM
Go back to the home screen and click "Rule level 0 to 6"
Expand one of the alerts and "toggle columns" to get a better look at the data



Important: Index Management

🛑
Don't skip this part!

You REALLY want to do this now as opposed to later.

  • Save your disk space
  • Reduce stressful troubleshooting hours
  • Trim your indices and improve performance

Do it now! Please.

Wazuh Index Management Policy
In this post, I show how to manage your Wazuh Indexer indices in order to improve performance and manage disk space consumed by indices.



Follow-Up Activities

Extending Wazuh's Capabilities

Taylor Walton has done a really fantastic job at creating content that showcases Wazuh's capabilities and ways to extend it with various integrations. I wholeheartedly recommend taking a look.

Taylor Walton
Focusing on Open Source cybersecurity products that provide a robust and scalable solution that can be customized to integrate with any network. Cofounder of the world's first open source security operations center: https://www.socfortress.co

Also, have a look at some of the additional Wazuh content I've written. If I included everything here, the guide would quickly grow out of scope.

Wazuh - 0xBEN
Wazuh SIEM



Finishing Up the Home Lab Guide

Building a Security Lab in VMware Workstation Pro
In this project, broken up into multiple modules, you will build a comprehensive cybersecurity home lab using VMware Workstation Pro. Upon completion, you will have an environment where you can safely practice penetration testing against a wide variety of targets, as well as detection in your SIEM.

Click here to be taken to the project appendices and view other projects
