Cybersec tips

Gitlab CI labs

Please find a way to run the CI locally. The usual loop (change a file, commit, wait, browse four different web pages to see that it failed, start again) is painful.

Some projects to consider for doing it:

Do you have experience with these tools? Please let us know!

Snort + Wazuh lab

VM creation

Don't do as I did: please allocate enough disk space to your VMs... Use an external SSD if you don't have enough disk on your machine.

Basic knowledge of Snort

The Snort interfaces you define in pfSense are what generate the configuration files. When the documentation shows a snippet of configuration text, there is often a specific menu in the pfSense GUI that lets you set the same thing. The snort.conf file can be edited through those menus instead of typing in vi on the pfSense console with a QWERTY keyboard...

In 2025 we are still using Snort 2 (not the latest version 3); the documentation is here: SNORT Users Manual 2.9.16

The first page you might want to read is Rule headers. The fields you'll need to understand and use in the other pages are msg, itype, content, sid, http_header, ...

Network setup

Use a Bridged Adapter on the WAN interface of pfSense! This is required to ping the WAN interface from your host OS. If these pings don't work, it is because pfSense blocks all unsolicited inbound traffic on WAN by default: add a rule on the WAN interface of the pfSense firewall that accepts incoming ICMP (echo request). If your bridged network uses a private range such as 192.168.x.x, also untick "Block private networks and loopback addresses" in the WAN interface settings, otherwise that default block rule drops your host's packets before your own rule is evaluated.

pfSense is a router with a DHCP server included; configure it to hand a coherent IP configuration to the connected machines. It has to set both the gateway and the DNS server to pfSense's LAN address, otherwise the Ubuntu VM will either not reach anything beyond the LAN or not resolve DNS names. To use this DHCP server, you have to disable the one of the Host-Only network provided by VirtualBox, otherwise two servers answer the same requests.

If you used VirtualBox's DHCP instead, it's a bit harder because you'll have to tell your Ubuntu VM yourself that the gateway is the pfSense router (VirtualBox's server doesn't hand out pfSense as the gateway), or you'll get Network is unreachable errors. You'll also need to set the DNS server to your pfSense so you can resolve DNS names and reach youtube.com.
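A check for the Ubuntu side of what the two paragraphs above describe, as an added example (not code from the original page): it walks the path a packet takes out of the lab in order, default route, gateway, DNS, then one ping per hop, so the first broken step stands out. The pfSense LAN address 192.168.56.2 (the address scanned by the nmap loop on this page; override with PFSENSE_LAN), the interface name and youtube.com as probe name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): walk the path an Ubuntu VM packet
# takes through this lab, in order, so the first broken step is obvious.
# Assumptions: pfSense LAN address 192.168.56.2 (override with PFSENSE_LAN),
# probe name youtube.com (override with PROBE_HOST).

PFSENSE_LAN="${PFSENSE_LAN:-192.168.56.2}"
PROBE_HOST="${PROBE_HOST:-youtube.com}"

# Default gateway from `ip route show` text ("default via X dev ..."); empty if
# there is none, which is the "Network is unreachable" case.
default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 1; i <= NF; i++) if ($i == "via") { print $(i + 1); exit }
    }'
}

# Nameservers from resolv.conf-style text, one per line.
nameservers() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# Compare gateway and DNS with the pfSense LAN address and say what that means
# for the lab (the two VirtualBox-DHCP mistakes described in the text).
verdict() {
    gw="$1"; dns="$2"; expected="$3"
    if [ -z "$gw" ]; then
        echo "no default route: set the gateway to $expected"
    elif [ "$gw" != "$expected" ]; then
        echo "gateway is $gw, not pfSense ($expected): LAN works, nothing beyond it does"
    elif [ -z "$dns" ]; then
        echo "no nameserver: point DNS at $expected"
    elif [ "$dns" != "$expected" ]; then
        echo "DNS is $dns, not pfSense ($expected): resolution depends on reaching $dns through the gateway"
    else
        echo "ok"
    fi
}

# Live run on the VM. systemd-resolved puts 127.0.0.53 in /etc/resolv.conf and
# keeps the real upstream servers in /run/systemd/resolve/resolv.conf.
diagnose() {
    resolv=/run/systemd/resolve/resolv.conf
    [ -r "$resolv" ] || resolv=/etc/resolv.conf
    gw=$(default_gateway "$(ip route show)")
    dns=$(nameservers "$(cat "$resolv")" | head -n 1)
    echo "gateway=$gw dns=$dns -> $(verdict "$gw" "$dns" "$PFSENSE_LAN")"
    # Ping the gateway first, then a name: a gateway that answers while the
    # name fails means DNS, not routing, is the problem.
    for hop in "$PFSENSE_LAN" "$PROBE_HOST"; do
        if ping -c 1 -W 2 "$hop" >/dev/null 2>&1; then
            echo "ping $hop: ok"
        else
            echo "ping $hop: FAILED"
        fi
    done
}

# Run the live checks only when invoked as "sh lab-net-check.sh run", so the
# helpers can also be sourced and exercised offline on captured text.
if [ "${1:-}" = "run" ]; then diagnose; fi
```

Run it as `sh lab-net-check.sh run` on the Ubuntu VM; the verdict line tells you whether the DHCP lease (pfSense's or VirtualBox's) gave you the right gateway and DNS before you start blaming Snort or the firewall rules.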

TODO import schema of lab with the DHCP from pfsense. + config screen for DHCP. TODO: make sure to fix the schema with the DHCP from pfsense not the one from virtualbox.

Troubleshooting

  • Make sure you are on the right interface (WAN or LAN) when you configure something. E.g. for a LAN network scan made with Nmap, scan the ports of the LAN IP, not the WAN IP, if you configured Snort on the LAN interface!
  • Make sure you understand the flow of requests. Pings from machine A to machine B in the same LAN never cross the router in the middle, so Snort on pfSense will not see them...
  • Make sure the Snort interfaces are running. A freshly created interface doesn't start automatically, and if some value is invalid somewhere in the configuration its start can fail.
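An added example (not code from the page, nor from the Snort or pfSense projects) serving two points above: the rule fields listed under "Basic knowledge of Snort" (msg, itype, content, http_header, sid, rev) used in a minimal rule file for this lab, and the last troubleshooting item, since a missing sid, a sid reused from another rule or options left outside the parentheses are exactly the invalid values that make an interface refuse to start. The lint is a pre-flight check for those typos, not a replacement for Snort's own `snort -T -c snort.conf`. Rule bodies, sid numbers and the $HOME_NET variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page or the Snort/pfSense projects):
# a small local.rules for this lab written with the fields the manual pages
# cover (msg, itype, content, http_header, sid, rev), plus a pre-flight lint
# for the mistakes that stop a Snort interface from starting: missing msg,
# sid or rev, duplicate sids, options not wrapped in parentheses.
# Rule text, sid numbers and the $HOME_NET variable are assumptions.

# Write three lab rules to the file given as $1 (the heredoc is quoted so
# $HOME_NET stays literal; Snort expands it from snort.conf).
write_example_rules() {
    cat > "$1" <<'EOF'
# Ping from the host or WAN side reaching the LAN: ICMP echo request is itype 8
alert icmp any any -> $HOME_NET any (msg:"LAB ICMP echo request"; itype:8; sid:1000001; rev:1;)
# SYN-only packets, what nmap -sS sends: flags:S matches SYN with no other flag
alert tcp any any -> $HOME_NET any (msg:"LAB TCP SYN probe"; flags:S; sid:1000002; rev:1;)
# HTTP request whose headers mention youtube.com: http_header restricts the
# content match to the normalized header, nocase makes it case-insensitive
alert tcp $HOME_NET any -> any 80 (msg:"LAB HTTP youtube.com in header"; flow:to_server,established; content:"youtube.com"; http_header; nocase; sid:1000003; rev:1;)
EOF
}

# Print one problem per line for the rule file $1; prints nothing if clean.
# Comments and blank lines are skipped, so "rule N" counts rules, not lines.
lint_rules() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | awk '
    {
        rule = NR
        if ($1 !~ /^(alert|log|pass|drop|reject|sdrop)$/)
            print "rule " rule ": unknown action \"" $1 "\""
        # Options live between the first "(" and a ")" closing the line
        if (index($0, "(") == 0 || $0 !~ /\)[ \t]*$/) {
            print "rule " rule ": options must be wrapped in ( ... )"
            next
        }
        if ($0 !~ /msg:"[^"]*";/) print "rule " rule ": missing msg"
        if ($0 !~ /rev:[0-9]+;/)  print "rule " rule ": missing rev"
        if (match($0, /sid:[0-9]+;/)) {
            sid = substr($0, RSTART + 4, RLENGTH - 5)
            if (sid in seen)
                print "rule " rule ": duplicate sid " sid " (already used by rule " seen[sid] ")"
            else
                seen[sid] = rule
        } else {
            print "rule " rule ": missing sid"
        }
    }'
}

# Exit 0 when the file is clean, 1 (with the problems on stderr) otherwise.
check_rules() {
    problems=$(lint_rules "$1")
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems" >&2
        return 1
    fi
}
```

Typical use: `write_example_rules local.rules && check_rules local.rules`, then paste the clean rules into the interface's custom rules in the pfSense Snort package and restart the interface. Keep your own sids in the 1000000+ range so they never collide with the downloaded rule sets, which is the most common source of a duplicate-sid failure.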

Feedback loop

Run nmap in loop

This is a basic shell loop, but it is so useful to keep the scan running while you tune the rules!

# Ctrl+C stops the loop; the sleep keeps the alert log readable between scans
while true; do sudo nmap -sS -Pn -p1-1000 192.168.56.2; sleep 5; done

Easy way to have auto-reloading alerts

Instead of reloading the slow Web UI, display the log file behind it directly. Enter this command on the pfSense VM console under option 8 (Shell) or via SSH; each Snort interface has its own directory under /var/log/snort, so the wildcard follows all of them.

tail -f /var/log/snort/**/alert

Ghidra lab

Make sure the binary is actually working fully before starting the lab! It was not fully working on a Windows 11 VM (it crashed with a segfault on the Check! button). Switching to a Windows 10 VM solved the issue.

Then make sure the VM running Ghidra has Python, GDB and a few pip packages. This is documented in the GettingStarted.html that comes with the Ghidra installation zip.

# Make sure these programs are installed and in your PATH
python --version
gdb -v
# The debugger launchers are PowerShell scripts, so it must be available too
powershell
# Python packages used by the debugger agents
python -m pip install psutil protobuf Pybag

If you get this error when running the debug in Ghidra

File C:\Users\joe\Desktop\ghidra_12.0_PUBLIC\Ghidra\Debug\Debugger-agent-gdb\data\debugger-launchers\local-gdb.ps1 cannot be loaded. The file 
C:\Users\joe\Desktop\ghidra_12.0_PUBLIC\Ghidra\Debug\Debugger-agent-gdb\data\debugger-launchers\local-gdb.ps1 is not digitally signed.
You cannot run this script on the current system.
For more information about running scripts and setting execution policy, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170.
    + CategoryInfo          : SecurityError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnauthorizedAccess

This is because the launcher scripts are blocked by the PowerShell execution policy. Change it for your user only (no admin rights needed, and the other accounts keep their policy) to RemoteSigned, which runs local scripts and still requires a signature on scripts that carry the mark of the web:

Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned

If RemoteSigned still rejects the launchers because they were extracted from a zip downloaded with a browser, removing the mark with Unblock-File on the debugger-launchers directory is the safer fix. Only in a throwaway VM, disable the check entirely with:

Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Bypass