SIEM Project Lab Setup | Part 7 | Configure Virtual LAN Subnet in Oracle VirtualBox
In this multipart series I walk through setting up a Security Information and Event Management (SIEM) home lab in Oracle VirtualBox, step by step. If this is your first time viewing an article in this series, you may want to visit Part 1 to get caught up. If not, stick around, because this article is easy to follow!
At this point we have 2 Linux Virtual Machines (VMs) set up with a pfSense firewall/router and a Wazuh OVA to ingest events for analysis. In the last article I walked through drawing a network diagram with draw.io. You can view that article here if you would like.
In this article I walk through configuring the subnet that the network will operate on, as well as making sure each component of the network gets an IP address. pfSense will function as the DHCP server. Let's do it!
Step 1: Open the VirtualBox Manager
Step 2: Double click the power button on your pfSense virtual machine
Give it some time to run its boot-up scripts. When it's done, it will look something like this:
Step 3: Notice that this menu shows a list of options starting at 0 and going all the way to 16. In this step we need to set up our LAN interface, because the LAN interface is the one the rest of our virtual machines will reach out to for a DHCP IP address. Punch in number "2" where it says "Enter an option," then press Enter.
Note: you have to click your mouse pointer on the VM window in order to type in anything to a VM, but your mouse pointer will disappear when you do so and you won't be able to move it away from the VM window to use it on your host machine. To get your mouse pointer back, press the right "Ctrl" button to make your mouse pointer reappear.
Once you press Enter, you'll see an interface menu that says "Available interfaces:" It should show the WAN interface as "em0" and the LAN interface as "em1." If it doesn't, that's OK; just remember what yours says to avoid confusion. Here is what it may look like:
Step 4: Notice that at the bottom of our current command line, it says "Enter the number of the interface you wish to configure:" In this instance, our LAN interface is what we want to configure, so we need to punch in the number 2, and then press Enter.
You'll be presented with an option that says "Configure IPv4 address LAN interface via DHCP? (y/n)". Type in "n" and then press Enter.
Next, we will be asked to punch in the LAN IPv4 address. Punch in 172.16.0.1. When it asks for a subnet mask bit count, punch in "24," then press Enter
It will then ask to either punch in an IPv4 upstream gateway address or press Enter for none. In our case, we punch in <ENTER> for none.
When it asks to configure IPv6 address LAN, punch in "n" and press Enter.
Step 5: When it asks "Do you want to enable the DHCP server on LAN?" type "y" and press Enter
Step 6: It will ask you to punch in the start address of the IPv4 client address range. Since the router is at 172.16.0.1, naturally let's start off our clients at 172.16.0.2, then press Enter. Then it will ask for the end address of the IPv4 client address range. Following normal subnetting procedures, since our subnet mask is 24, the end of our subnet client range should be 172.16.0.254. Let's enter "172.16.0.254" and press Enter.
Step 7: When it asks "Do you want to revert to HTTP as the webConfigurator protocol (y/n)", type "n" and press Enter, because it will then default to HTTPS instead, which is more secure.
After you press Enter, it will provide the IP address that we can use to access the Web GUI, which will provide us with an easier way to configure the router/firewall. Press Enter once you have read the message.
After the configuration process finishes up, it will take us back to the main menu. Check it out! It now shows the LAN IP set up with the range that we punched in. Nice work!
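
The range reasoning from Step 6, worked through with Python's ipaddress module as an added example (not part of the original article; the function names are illustrative). It derives the usable hosts of the LAN subnet and flags a DHCP pool that leaves the subnet or touches the network, broadcast or router address.

```python
import ipaddress


def usable_hosts(lan_cidr):
    """First and last assignable host address of the interface's subnet."""
    net = ipaddress.ip_interface(lan_cidr).network
    return net.network_address + 1, net.broadcast_address - 1


def check_dhcp_pool(lan_cidr, pool_start, pool_end):
    """Return a list of problems; an empty list means the pool is sane."""
    iface = ipaddress.ip_interface(lan_cidr)      # e.g. 172.16.0.1/24 on pfSense LAN
    first, last = usable_hosts(lan_cidr)
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    problems = []
    for label, addr in (("start", start), ("end", end)):
        if addr not in iface.network:
            problems.append(f"{label} {addr} is outside {iface.network}")
        elif not first <= addr <= last:
            problems.append(f"{label} {addr} is the network or broadcast address")
    if start > end:
        problems.append("start address is higher than end address")
    if start <= iface.ip <= end:
        # Clients must never be handed the router's own address.
        problems.append(f"pool contains the router address {iface.ip}")
    return problems


if __name__ == "__main__":
    # Values from Steps 4 and 6 of the article.
    print(usable_hosts("172.16.0.1/24"))
    print(check_dhcp_pool("172.16.0.1/24", "172.16.0.2", "172.16.0.254"))
    # A deliberately bad plan: starts on the router, ends on the broadcast.
    print(check_dhcp_pool("172.16.0.1/24", "172.16.0.1", "172.16.0.255"))
```
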
Now we are going to transition to getting the two Linux virtual machines (VMs) connected to the router so that they can ping each other AND so that they can access the Internet. Let's do this!
Step 8: Start up your Ubuntu Linux VM and log in
Once you log in, check the network status indicator (that's not an official Linux term, it's just what I call it). If you see the icon that I show in the upper right corner, then you probably have an IP address for your Ubuntu VM! That's a good thing.
Let's double check to make extra sure though. Go ahead and open a terminal and type in "ip a" and press Enter. If the result you get shows an IP address in the 172.16.0.1/24 range, perfect!
Let's also see if the VM can reach the Internet. Go ahead and open the Firefox web browser and try to go to a website other than Google. I tried the Center for Internet Security website and was able to access it.
Step 9: Repeat step 8 to check for connectivity with the Linux Mint VM that we installed in a previous article. As you see in the below images, my VM was able to get an IP and access the Internet. I was able to access the National Institute of Standards and Technology (NIST) website.
Now we have established Internet connectivity, but what about connectivity in the LAN? Let's test that next.
Step 10: Pull up both Linux VMs and then try to ping one from the other and vice versa. If the pings are successful, then you have fully set up the network (as far as the PCs and the firewall go anyway).
By the way, once you ping one of the VMs, the ping operation won't stop on its own, so after you get 3-5 successful received pings, press Ctrl+C to stop the ping operation. If your screen looks anything like the two images below, then you have successfully pinged each VM from the other VM. Awesome!
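
A scripted version of the "ip a" check from Steps 8 and 9, added here as an example and not part of the original article. It reads `ip -o -4 addr show` output and reports whether each interface holds a DHCP lease from the pfSense pool; the function name, status labels and sample output are constructed for illustration.

```python
import ipaddress
import re
import subprocess

LAN = ipaddress.ip_network("172.16.0.0/24")        # subnet set up in Step 4
POOL = (ipaddress.ip_address("172.16.0.2"),         # DHCP range from Step 6
        ipaddress.ip_address("172.16.0.254"))

# Constructed sample of `ip -o -4 addr show` output (not captured from the lab):
# a VM with one adapter on the lab network and a second adapter elsewhere.
SAMPLE = r"""1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: enp0s3    inet 172.16.0.2/24 brd 172.16.0.255 scope global dynamic noprefixroute enp0s3\       valid_lft 7041sec preferred_lft 7041sec
3: enp0s8    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic enp0s8\       valid_lft 86012sec preferred_lft 86012sec
"""

LINE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\S+)\s+(.*)$")


def classify(ip_output):
    """Map each non-loopback interface name to its status on the lab LAN."""
    result = {}
    for line in ip_output.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        name, cidr, flags = m.groups()
        iface = ipaddress.ip_interface(cidr)
        if iface.ip.is_loopback:
            continue
        leased = "dynamic" in flags.split()          # set by the DHCP client
        if iface.network == LAN and POOL[0] <= iface.ip <= POOL[1] and leased:
            result[name] = "dhcp-lease"              # address handed out by pfSense
        elif iface.ip in LAN:
            result[name] = "in-subnet-no-lease"      # static or wrong prefix length
        else:
            result[name] = "outside-lab"             # not behind the pfSense LAN
    return result


if __name__ == "__main__":
    try:
        text = subprocess.run(["ip", "-o", "-4", "addr", "show"],
                              capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE                                # fall back to the sample
    for name, status in classify(text).items():
        print(f"{name}: {status}")
```
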
Since our virtual LAN includes a Wazuh server, let's get Wazuh an IP address as well to wrap things up.
Step 11: Go back to Oracle VirtualBox Manager and click on Wazuh. Then click the settings icon within the VirtualBox Manager because we need to adjust the network settings for Wazuh first.
Step 12: Once you get into settings, click Network, then click Adapter 2, then click the checkbox next to "Enable Network Adapter." Lastly, click "Attached to:" and click on "Internal Network." Make sure "intnet" is in the "Name" field. Once you do all of these steps, the settings should look like this:
Click "OK" to save the settings.
Step 13: Next, double click on the power button next to Wazuh to start up the Wazuh VM. Log in using the default credentials when asked to do so. Once you log in, it will run a few scripts to get itself fully up and running. Give it a few moments.
The next few steps are a little interesting, because to get Wazuh's main features up and running, we actually need to log in to the Web GUI. The Web GUI needs to reach out to Wazuh's main servers to get any API setup/upgrade operations done.
Once the Web GUI completes that step, we are actually going to change some network settings to match the two Linux PCs so that the Wazuh server is within the same subnet. I'll break it down step by step:
Step 14: First, we need to get the IP address of the Wazuh server because we need that IP address to access the Web GUI. Once the Wazuh VM is working, go to the command line and type in "ip a" and take note of the IP address. In the below image I point out around where you can find it. As expected, the Wazuh server was able to get an IP address that is within the 172.16.0.1/24 subnet. Very nice!
Step 15: You can do this next step in either of your Linux VMs, but I'll use my Ubuntu machine for this. Open Firefox on your Linux VM of choice and then punch in the IP address of your Wazuh server. You'll be presented with the below warning screen. That's normal, nothing is wrong. Simply click on Advanced, then scroll down and click "Accept the Risk and Continue."
If it works, you'll be presented with a Wazuh login like you see below:
Step 16: Type in "admin" for the username and "admin" in the password field, and press Enter:
Wazuh will run through a few checks to get the Web GUI fully up and running. If the login is successful, you'll see something like the image below.
That is all we will do for this tutorial but we almost have the lab fully set up. The only other things we need to do are deploy the Wazuh Agents to the PCs and set up pfSense to forward syslogs to Wazuh.
I really hope that this article provided you value. If you feel like it did, feel free to share it with someone who you think will appreciate it as well. As always, if you have any issues with these processes, please comment and let me know and I will do all that I can to assist. Thanks so much! You are amazing!
Have a lovely day!
Information Security | Security+ | Network+ |
6 days ago
Just to clarify, Sameer reached out to me in a private DM and told me later that the concern was resolved. Sameer actually figured it out before I could actually provide help. Nice work Sameer!
SIEM | SOAR | Sentinel | Wazuh | Splunk | Qradar | Security Operation Center (SOC) | Security Analyst | C++ | Python
1 week ago
Need help!!, I applied these settings, but I cannot access the PfSense UI.