In this module

NF1.2 VM Setup and Linux Preparation

10 hours · Module 1 · Free

What you already know

You've installed Linux before — either for the IR/LX courses on this platform or in your own lab. This sub covers the specific configuration choices that matter for a network sensor: minimal installation, NTP, package prerequisites, and interface preparation. If you already have an Ubuntu 24.04 VM, skip to the prerequisites section.

Operational Objective

A sensor VM that's configured like a desktop workstation wastes resources and introduces unnecessary attack surface. A sensor needs: a minimal OS installation, accurate time synchronisation, the right kernel headers for packet capture libraries, and a clean network configuration that separates the management interface (for SSH and updates) from the capture interface (for traffic observation).

This sub walks through the Ubuntu installation and post-install configuration specific to the sensor role. If you already have an Ubuntu 24.04 VM, skip the installation section and start at "Post-Installation Configuration."

Deliverable: A configured Ubuntu 24.04 VM with NTP synchronised, kernel headers installed, build prerequisites in place, and the system ready for Zeek and Suricata installation in NF1.3 and NF1.5.

Estimated completion: 45 minutes (including installation time)

Figure NF1.2 — The sensor VM setup sequence. Steps 1-2 are standard Ubuntu installation. Steps 3-4 are sensor-specific configuration. Step 5 creates a snapshot you can restore to if anything goes wrong during tool installation.

Ubuntu Installation

If you already have an Ubuntu 24.04 VM, skip to "Post-Installation Configuration." This section covers the installation choices specific to the sensor role.

Create the VM with the specifications from NF1.1: 2 CPU cores, 4 GB RAM, 40 GB disk (thin provisioned), one NAT network adapter. Attach the Ubuntu 24.04 LTS ISO and boot.

During the Ubuntu installer, the key choices for a sensor VM are the installation type (minimal for server, or standard desktop if you want the Wireshark GUI), the hostname (use something descriptive like nf-sensor — you'll reference this in investigation notes), and the user account (a standard account with sudo access — don't use root directly).

For the disk layout, use the default guided partitioning. The sensor doesn't need custom partitioning unless you're planning to store large PCAP files separately, which isn't necessary for the course lab.

After installation completes, log in and verify network connectivity:

ping -c 3 8.8.8.8
ping -c 3 archive.ubuntu.com

If both succeed, your NAT adapter is working and you have internet access for package installation.

Post-Installation Configuration

These steps prepare the system for Zeek and Suricata. Run them in order — the later steps depend on earlier ones.

Step 1 — System update

Update all packages and reboot to ensure you're running the latest kernel. Zeek and Suricata build against kernel headers, so the running kernel must match the installed headers.

sudo apt update && sudo apt upgrade -y
sudo reboot

After reboot, verify the kernel version:

uname -r

Record this version — you'll need it if you troubleshoot capture interface issues later.

Step 2 — Time synchronisation

Install and configure chrony for NTP. This is the most critical system configuration for a sensor — NF0.9 covered why.

sudo apt install -y chrony

Verify chrony is synchronised:

chronyc sources -v

The output shows your NTP sources with their synchronisation status. At least one source should show * (selected) or + (good candidate). The offset should be under 10 milliseconds. If all sources show ? (unreachable), check your network configuration — the NAT adapter needs to allow outbound NTP (UDP port 123).

To verify the system clock is accurate:

timedatectl

Confirm System clock synchronized: yes and NTP service: active. If NTP service is not active, enable it:

sudo timedatectl set-ntp true

Step 3 — Build prerequisites

Install the packages required to build and run Zeek and Suricata:

sudo apt install -y build-essential cmake make gcc g++ flex bison \
  libpcap-dev libssl-dev python3 python3-dev python3-pip swig \
  zlib1g-dev libmagic-dev libjson-c-dev libjansson-dev \
  libyaml-dev libpcre2-dev rustc cargo pkg-config \
  net-tools curl wget git ethtool jq

This installs the compilers, packet capture libraries, cryptographic libraries, and utility tools that Zeek and Suricata need. The specific packages:

libpcap-dev provides the packet capture API that both tools use. libssl-dev provides TLS parsing libraries. python3-dev is required for Zeek's scripting language bindings. ethtool is used to configure the capture interface. jq processes JSON-format logs.

Verify the key libraries are installed:

dpkg -l | grep -E "libpcap-dev|libssl-dev|python3-dev"

All three should show ii (installed).

Step 4 — Kernel headers

Install the kernel headers matching your running kernel. These are required for AF_PACKET and other capture mechanisms:

sudo apt install -y linux-headers-$(uname -r)

Verify:

ls /usr/src/linux-headers-$(uname -r)/

You should see the kernel build directory with Makefile, include/, and other build artifacts.

Step 5 — Create working directories

Create the directory structure for Zeek logs, Suricata logs, and PCAP storage:

sudo mkdir -p /opt/sensor/{zeek-logs,suricata-logs,pcap,lab-packs}
sudo chown -R $USER:$USER /opt/sensor/

This keeps all sensor data in one location (/opt/sensor/) rather than scattered across the filesystem. When you need to check disk usage or back up the sensor data, it's in one place.

Step 6 — Snapshot

Take a VM snapshot now. Label it "Pre-tool-install — Ubuntu configured, NTP, prerequisites." If anything goes wrong during Zeek or Suricata installation, you can restore to this clean state rather than reinstalling Ubuntu.

In VMware Workstation: VM → Snapshot → Take Snapshot. In VirtualBox: Machine → Take Snapshot. In Hyper-V: right-click VM → Checkpoint.

Guided Procedure — Verify System Readiness for Zeek and Suricata

Step 1. Verify NTP synchronisation is working.

Expected output: `chronyc sources` shows at least one source with `*` status. `timedatectl` shows `System clock synchronized: yes`. Offset under 10ms.

If chrony shows no sources: Check DNS resolution (`dig pool.ntp.org`). If DNS fails, your NAT adapter may not have a DNS server configured. Check `/etc/resolv.conf` or run `resolvectl status`.

Step 2. Verify libpcap is installed and functional.

Expected output: `dpkg -l libpcap-dev` shows version 1.10+ installed. `tcpdump --version` runs without error (tcpdump depends on libpcap).

If tcpdump isn't installed: `sudo apt install -y tcpdump`. tcpdump is essential for sensor validation and troubleshooting capture issues.

Step 3. Verify the working directory structure exists.

Expected output: `ls -la /opt/sensor/` shows zeek-logs/, suricata-logs/, pcap/, lab-packs/ directories owned by your user.

If permissions are wrong: `sudo chown -R $USER:$USER /opt/sensor/`. Zeek and Suricata need write access to these directories.

Step 4. Download a test PCAP for validation.

Expected output: Download a small sample PCAP from the course lab packs page or from malware-traffic-analysis.net. Save it to `/opt/sensor/pcap/test-capture.pcap`. You'll use this in NF1.7 for sensor validation.

If the download fails: Verify internet connectivity (`ping 8.8.8.8`). If the NAT adapter works for ping but not HTTP, check if a proxy is configured on the VM or host.

Decision point

Your Ubuntu installation offers two options: Desktop (with GUI) or Server (CLI only). For the sensor role, which do you choose?

Desktop adds approximately 2 GB of disk usage and 200-400 MB of RAM overhead. It also installs a graphical display manager, NetworkManager, and numerous desktop applications. The GUI isn't required for Zeek or Suricata — both are command-line tools. But Wireshark's GUI is used extensively in NF3-NF7 for PCAP analysis.

Server is leaner and more production-appropriate. You can install Wireshark separately (sudo apt install wireshark) and use X11 forwarding to display the GUI on your host machine. But X11 forwarding adds complexity and latency.

For the course lab, Desktop is recommended — the Wireshark GUI is used frequently enough that the convenience outweighs the overhead. For a production sensor, Server is appropriate because the sensor's job is to capture and parse, not to run Wireshark.

Compliance Myth: "You need to harden the sensor OS before deploying it"

You should harden a production sensor — disable unnecessary services, configure host-based firewall rules, restrict SSH access. But hardening the lab sensor before you've installed and validated the tools is premature optimization that can cause troubleshooting confusion.

Build the sensor first. Validate that Zeek and Suricata work correctly. Confirm your logs are being generated. Then harden. If you lock down SSH, disable services, and tighten firewall rules before installation, you'll spend time debugging connectivity issues that are hardening-induced rather than tool-related.

The production hardening checklist is covered in NF1.9 (Sensor Maintenance). For the lab, a default Ubuntu installation with a strong password and SSH key authentication is sufficient.

NF1.3 — Zeek Installation and Configuration. Your VM is ready. NF1.3 installs Zeek from the official repository, configures the node, and runs your first offline PCAP analysis.

echo "=== SENSOR READINESS CHECK ==="
echo "Kernel: $(uname -r)"
echo "NTP: $(chronyc tracking | grep 'Leap status')"
echo "libpcap: $(dpkg -l libpcap-dev 2>/dev/null | grep '^ii' | awk '{print $3}')"
echo "tcpdump: $(tcpdump --version 2>&1 | head -1)"
echo "python3: $(python3 --version)"
echo "gcc: $(gcc --version | head -1)"
echo "Sensor dir: $(ls /opt/sensor/ 2>/dev/null || echo 'MISSING')"
echo "Disk free: $(df -h / | tail -1 | awk '{print $4}')"
echo "RAM: $(free -h | grep Mem | awk '{print $2}')"

Try it: Verify your complete system readiness

Setup. Your Ubuntu VM with all post-installation steps completed.

Task. Run the following verification script and confirm all checks pass:

Expected result. All lines show valid output. Disk free should be at least 20 GB. RAM should be at least 4 GB. No lines should show "MISSING" or error messages.

Debugging branch. If libpcap shows empty: sudo apt install -y libpcap-dev. If NTP shows "Not synchronised": wait 5 minutes and recheck — chrony takes time to synchronise after installation. If disk free is low: delete unnecessary packages with sudo apt autoremove.

Checkpoint — before moving on

1. Verify that chrony is synchronised and system time is accurate to within 10ms. (§ Step 2 — Time synchronisation)

2. Confirm that libpcap-dev, libssl-dev, and python3-dev are installed — these are prerequisites for both Zeek and Suricata. (§ Step 3 — Build prerequisites)

3. Verify the /opt/sensor/ directory structure exists and is writable by your user. (§ Step 5 — Create working directories)

Operational Artifact — Sensor VM Build Checklist

Ubuntu installation. Version: 24.04 LTS. Type: Desktop (lab) or Server (production). Hostname: descriptive (e.g., nf-sensor). Disk: 40 GB minimum (lab), calculate from retention requirements (production).

System update. sudo apt update && sudo apt upgrade -y && sudo reboot. Verify kernel matches headers: uname -r should match ls /usr/src/linux-headers-*.

NTP. Installed: chrony. Verified: chronyc sources shows synchronised source. System clock: timedatectl confirms System clock synchronized: yes. This is non-negotiable — every timestamp in every log depends on it.

Prerequisites. All build tools and libraries installed per the apt install command in Step 3. Verified: dpkg -l libpcap-dev libssl-dev python3-dev all show ii.

Directories. /opt/sensor/ with subdirectories: zeek-logs, suricata-logs, pcap, lab-packs. Owned by sensor user, not root.

Snapshot. Taken after all configuration, before tool installation. Label: "Pre-tool-install."

Extended reference — sizing guidelines, hardening checklist, and production vs lab differences

VM sizing guidelines. Lab and production have different requirements.

For the NF course lab, the following is enough: 4 vCPU, 8 GB RAM, 40 GB disk. This handles PCAP replay, Zeek and Suricata against moderate-size samples, and the validation script.

For production, sizing follows monitored-link capacity and retention.

- 1 Gbps monitored link, 30-day retention. 8 vCPU, 16 GB RAM, 500 GB disk for logs plus 100 GB for system. - 10 Gbps monitored link, 30-day retention. 16-24 vCPU, 32-64 GB RAM, 2-5 TB disk. - 40 Gbps or higher. Dedicated capture hardware (Napatech, Endace) plus multiple sensor nodes behind a packet broker.

The disk is the most often-undersized resource. Zeek logs compress well (70% with gzip) but the raw write rate is typically 10-50 GB per day per Gbps of monitored traffic. A 10 Gbps link generating 500 GB of logs per day needs 15 TB for 30 days, not the 500 GB the junior engineer first estimated.

Sensor hardening checklist. The sensor holds investigation evidence. Anyone who compromises it can alter or destroy that evidence. Treat it as a Tier 0 asset.

- Minimal attack surface. No web UI running on the sensor (manage from a separate admin host over SSH). No email client. No web browser. Only the capture and analysis binaries plus SSH. - Restricted inbound access. Firewall allows SSH only from admin subnets. Capture interface in its own VLAN with no outbound routing. - Separate capture and management interfaces. Capture interface sees the SPAN/TAP traffic; management interface handles admin access and log forwarding. The capture interface should have no IP address — it's purely receive-only. - No password SSH. Key-based authentication only. Admin keys rotated on standard lifecycle. - Audit logging. auditd configured to log all command execution, privilege changes, and access to /opt/sensor/. Audit logs forwarded off-host to the SIEM. - Integrity monitoring. AIDE or Tripwire monitoring of /etc, /opt/sensor/bin, and the Zeek/Suricata binaries. Any unexpected change is alerted on. - No writable network shares. The sensor should not mount any NFS/CIFS shares. Log forwarding is one-way outbound only.

Why the directory layout matters. /opt/sensor/ rather than /etc/zeek/ or similar convention has specific reasoning.

One, it's a single tree for everything the sensor does — config, logs, scripts, validation output. Easier to back up (one directory), easier to monitor (one directory to track disk usage), easier to hand off between teams (one place to point someone).

Two, it's separate from OS-managed paths. OS upgrades and package updates don't touch /opt/sensor/ (unless you explicitly install packages there), so sensor state survives OS maintenance.

Three, it's a predictable convention across sensor fleets. When you have 20 sensors, every one having the same /opt/sensor/ tree means a single script works across all of them.

Production vs lab differences summarised. The NF1 instructions work for both but a few items differ.

- Lab uses desktop Ubuntu (convenience); production uses server Ubuntu (smaller attack surface). - Lab uses a single interface (capture and management combined); production uses separate interfaces. - Lab VM is a workstation-hosted VMware/VirtualBox guest; production is a bare-metal server or enterprise hypervisor (vSphere, KVM). - Lab skips integrity monitoring and audit logging; production requires both. - Lab retention is days; production is 30-90+ days depending on policy.

Nothing in NF1 is wrong for production — but the production deployment adds the hardening, sizing, and monitoring layers above on top of the lab baseline.

Alternative Linux distributions. The course uses Ubuntu because Zeek and Suricata packages are well-maintained. Alternatives in production use:

- RHEL / Rocky / AlmaLinux. The Security Onion project builds on this family; good for RHEL-shop environments. Slightly more work to install Zeek from source. - Debian. Equivalent to Ubuntu for this purpose; some admins prefer the more conservative release cadence. - FreeBSD. Used by some BSD-native shops for its network stack performance; significantly more work to deploy Zeek and Suricata.

For the NF course, Ubuntu 24.04 LTS is the recommended baseline. Deviating from the baseline means reconciling installation steps with your distro's package names and service management. It's worth it only if your organization has a strong distro preference.

You've built the sensor and mapped the evidence landscape.

NF0 established why network evidence matters when every other source is compromised. NF1 built your Zeek + Suricata sensor with the 10 investigation query patterns. From here, every module teaches protocol-specific investigation against real attack scenarios.

DNS deep dive (NF3) — tunnelling detection, DGA analysis, passive DNS infrastructure mapping, and the INC-NE-2026-0227 AiTM phishing DNS trail
Protocol analysis (NF4–NF7) — HTTP/HTTPS, SMB lateral movement, SSH tunnelling, and email protocol investigation with Zeek metadata and PCAP
Detection and hunting (NF8–NF11) — Suricata rule writing, C2 beacon detection with JA3, NetFlow analytics, and proactive network threat hunting
NSM architecture (NF13) — production sensor deployment at 1–10 Gbps with Arkime, Security Onion, and enterprise storage planning
INC-NE-2026-0830 capstone (NF14) — multi-stage investigation using only network evidence: phishing → domain-fronted C2 → lateral movement → DNS tunnel exfiltration

Unlock the full course with Premium See Full Syllabus

Cancel anytime

← Previous Next →