OpenSOC is a self-hosted cybersecurity homelab project designed to simulate real-world cyber attacks and monitor them using open-source security tools. The goal of this project was to better understand how Security Operations Centers (SOCs) detect, analyze, and respond to suspicious activity within a network environment.
The lab environment was built using Proxmox as the virtualization platform, with pfSense acting as the firewall and network gateway between external and internal networks. Snort was deployed on the pfSense WAN and LAN interfaces to inspect network traffic and generate intrusion detection alerts, while Wazuh was used as the SIEM (Security Information and Event Management) platform for centralized log collection and monitoring.
To test the environment, multiple attack simulations were performed from a Kali Linux attacker machine targeting a Debian endpoint inside the protected network. These attacks included ICMP sweep discovery, Nmap port scanning, and Hydra brute-force attempts. The generated activity was successfully detected and logged by both Snort and Wazuh, demonstrating the effectiveness of combining network-based and host-based monitoring within a SOC environment.
This project was created to gain hands-on experience with network security monitoring, attack detection, SIEM integration, and virtualized lab infrastructure using widely adopted open-source technologies.
Proxmox VE was used as the primary virtualization platform for hosting the entire lab environment. It allowed multiple virtual machines to run on a single physical system while maintaining isolated network segments for both external and internal traffic. The hypervisor hosted the pfSense firewall, Wazuh SIEM server, and Debian victim machine.


pfSense was deployed as the central firewall and gateway between the WAN and LAN networks. It was responsible for managing network traffic, routing, and enforcing segmentation between the attacker and victim environments. The firewall also served as the platform for deploying Snort IDS.
Snort was installed as an intrusion detection system (IDS) plugin on pfSense and configured on both the WAN and LAN interfaces. Its role was to inspect network packets in real time and generate alerts when suspicious or malicious traffic patterns were detected. Snort was used to monitor attack activity such as ICMP sweeps, port scanning, and brute-force attempts.
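As an added illustration (not code or output from the OpenSOC lab), the Python sketch below triages alert lines in Snort's "fast" alert format by source address and flags the three simulated activity types: ICMP sweep, port scan, and repeated hits on one service. The thresholds, finding labels, SIDs, messages, IP addresses, and the `_alert` helper are all assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Fast alert line: ts [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification: [^\]]*\]\s+)?\[Priority: \d+\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)
# Thresholds are assumptions for this example; tune them to the lab's traffic.
SWEEP_HOSTS, SCAN_PORTS, BRUTE_HITS = 3, 4, 5

def triage(lines):
    """Return {source_ip: sorted findings}; lines that are not alerts are skipped."""
    icmp_dsts = defaultdict(set)   # src -> hosts that triggered ICMP alerts
    tcp_ports = defaultdict(set)   # (src, dst) -> distinct TCP ports alerted on
    port_hits = defaultdict(int)   # (src, dst, port) -> number of alerts
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        if a["proto"] == "ICMP":
            icmp_dsts[a["src"]].add(a["dst"])
        elif a["proto"] == "TCP" and a["dport"]:
            tcp_ports[(a["src"], a["dst"])].add(a["dport"])
            port_hits[(a["src"], a["dst"], a["dport"])] += 1
    findings = defaultdict(set)
    for src, dsts in icmp_dsts.items():
        if len(dsts) >= SWEEP_HOSTS:
            findings[src].add("icmp-sweep")
    for (src, _), ports in tcp_ports.items():
        if len(ports) >= SCAN_PORTS:
            findings[src].add("port-scan")
    for (src, _, port), hits in port_hits.items():
        if hits >= BRUTE_HITS:
            findings[src].add(f"brute-force-candidate:{port}")
    return {src: sorted(found) for src, found in findings.items()}

def _alert(sid, msg, proto, src, dst):  # hypothetical helper: builds one constructed line
    return f"04/12-10:00:00.000000  [**] [1:{sid}:1] {msg} [**] [Priority: 2] {{{proto}}} {src} -> {dst}"

# Constructed sample alerts (not captured from the lab); SIDs and messages are placeholders.
SAMPLE = (
    [_alert(1000001, "ICMP echo (constructed)", "ICMP", "192.0.2.10", f"10.0.0.{h}") for h in (1, 2, 5)]
    + [_alert(1000002, "TCP SYN (constructed)", "TCP", f"192.0.2.10:4{p}", f"10.0.0.5:{p}") for p in (21, 22, 80, 443)]
    + [_alert(1000003, "SSH login attempt (constructed)", "TCP", "192.0.2.10:50000", "10.0.0.5:22")] * 5
    + [_alert(1000001, "ICMP echo (constructed)", "ICMP", "192.0.2.77", "10.0.0.5"), "garbage line"]
)
print(triage(SAMPLE))
```

A source with a single ICMP alert (192.0.2.77 in the sample) stays below every threshold and is not reported, which is the behaviour an analyst wants when separating a sweep from ordinary pings.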
Snort Installation on pfSense: