SOC Home LAB: A Guide for NEW Cybersecurity SOC Professionals 🛡️

Welcome to the SOC Lab 👋

This lab is designed for users with no technical or cybersecurity background. You do not need to know programming, hacking, or networking to complete this lab.

You will be guided step by step to run a simple security lab on your own computer and understand what a Security Operations Center (SOC) does in the real world.


What Is a SOC? (Simple Explanation)

A Security Operations Center (SOC) is like a security control room for computers and networks.

Think of it like:

  • CCTV cameras watching a building
  • Security guards checking alerts
  • Staff responding when something looks suspicious

In this lab, you will observe how systems are monitored, not attack anything yourself.


Instructions (Non-Technical)

What You Need Before Starting

  • A personal computer (Windows / macOS / Linux)
  • Docker/Podman installed
  • Internet connection (for setup only)

You do not need programming or cybersecurity knowledge.


Lab Architecture Diagram (Simple View)

+------------------------+
|  User's Computer       |
|                        |
|  +------------------+  |
|  |  SOC Lab System  |  |
|  |  (Docker)        |  |
|  |                  |  |
|  |  +------------+  |  |
|  |  | Web App    |<----- User accesses
|  |  +------------+  |  |
|  |        |         |  |
|  |        v         |  |
|  |  +------------+  |  |
|  |  | Logs Folder|-----> Activity recorded
|  |  +------------+  |  |
|  |        |         |  |
|  |        v         |  |
|  |  +------------+  |  |
|  |  | SOC View   |  |  |
|  |  | (Alerts)   |  |  |
|  |  +------------+  |  |
|  |                  |  |
|  +------------------+  |
|                        |
+------------------------+

Project Name: SOC Lab

This project sets up a Security Operations Center (SOC) lab environment using Podman Compose. The setup includes multiple containers for monitoring, testing, and exploiting vulnerabilities in a web application. It’s designed to help you learn about security operations, penetration testing, and monitoring techniques in a controlled lab environment.


Folder Structure Explained

SOC-Lab/
├── docker-compose.yml   → Starts/Stops the lab
├── Dockerfile.kali      → A testing environment (pre-built)
├── .env                 → Simple settings (do not edit)
├── logs/                → Where activity is recorded
└── README.md            → Instructions

Services

1. Splunk Server Container (Monitoring and Data Aggregation)

This container runs Splunk (using the official image) to collect, analyze, and visualize logs. It’s used to monitor all activities in the lab environment.

  • Purpose: Centralized log management and analysis.
  • Based on official splunk/splunk image.
  • Starts with environment variables for configuration.
  • Ports: Make sure you map the relevant ports for Splunk to access the web interface (usually 8000).
  • Exposes ports:
    • 8000: Splunk Web UI
    • 8088: HTTP Event Collector
    • 8089: Management API
    • 9997: Forwarder input
  • Connected to lab-net network.

2. Kali Linux Container (Attacker Node)

This container runs Kali Linux, a Debian-based Linux distribution designed for penetration testing. It contains numerous tools for discovering and exploiting vulnerabilities.

  • Purpose: Used for attacking and testing the vulnerabilities in the DVWA container.
  • Tools: Includes tools like Metasploit, Burp Suite, Nmap, and more.
  • Networking: Connects to the same network as the DVWA and Splunk containers to simulate an attack on the vulnerable web app.
  • Custom Kali container with pre-installed tools.
  • Runs in privileged mode with network capabilities (NET_ADMIN, NET_RAW).
  • Interactive shell via /bin/bash.
  • Connected to lab-net network.

3. DVWA Container (Vulnerable Web Application)

DVWA (Damn Vulnerable Web Application) is a PHP/MySQL web application that is intentionally vulnerable. It’s used to practice exploitation techniques and simulate a real-world attack scenario.

  • Purpose: A vulnerable target for security testing and learning.
  • Setup: You can configure different vulnerability levels in the DVWA application to practice various types of attacks (e.g., SQL injection, XSS, etc.).
  • Based on vulnerables/web-dvwa.
  • Exposes Apache logs to host via ./logs/www-logs.
  • MySQL and DVWA preconfigured with default credentials.
  • Ports: The web application should be accessible on a mapped port (usually 80).
  • Connected to lab-net network.
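As an added example (not part of the original project), the following Python script reads the Apache access log that DVWA exposes under ./logs/www-logs and turns it into the kind of simple alerts the "SOC View" box in the diagram stands for: repeated login attempts from one client, and requests whose URL carries SQL injection or cross-site scripting markers. The log lines are constructed samples, and the file name access.log and the login threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample lines in Apache "combined" format, as DVWA's Apache writes
# them under ./logs/www-logs (the file name access.log is an assumption).
SAMPLE_LOG = """\
10.30.0.20 - - [12/Mar/2024:10:00:02 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.30.0.30 - - [12/Mar/2024:10:00:05 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
10.30.0.30 - - [12/Mar/2024:10:00:05 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
10.30.0.30 - - [12/Mar/2024:10:00:06 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
10.30.0.30 - - [12/Mar/2024:10:00:07 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
10.30.0.40 - - [12/Mar/2024:10:01:00 +0000] "GET /vulnerabilities/sqli/?id=1%27%20OR%20%271%27%3D%271&Submit=Submit HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
10.30.0.40 - - [12/Mar/2024:10:01:10 +0000] "GET /vulnerabilities/xss_r/?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 3980 "-" "Mozilla/5.0"
"""
# Fields of one combined-format line: client, timestamp, request, status, size, referer, UA.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Simple content markers, checked against the URL-decoded request path.
MARKERS = {"sqli": re.compile(r"'\s*(or|and)\b|union\s+select", re.I),
           "xss": re.compile(r"<\s*script", re.I)}

def parse(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["decoded"] = unquote_plus(event["path"])
    return event

def analyze(lines, login_threshold=4):
    """Return (kind, client_ip, detail) alerts; the threshold is an assumed value."""
    alerts = []
    login_posts = Counter()  # POSTs to /login.php per client address
    for raw in lines:
        event = parse(raw)
        if event is None:
            continue  # skip malformed lines rather than crash the analysis
        for kind, pattern in MARKERS.items():
            if pattern.search(event["decoded"]):
                alerts.append((kind, event["ip"], event["decoded"]))
        if event["method"] == "POST" and event["decoded"].startswith("/login.php"):
            login_posts[event["ip"]] += 1
    for ip, count in login_posts.items():
        if count >= login_threshold:
            alerts.append(("login_burst", ip, f"{count} POST /login.php"))
    return alerts
```

To run it against the lab instead of the samples, call analyze(open("logs/www-logs/access.log")) from the SOC-Lab folder and print the returned alerts.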

4. Splunk Forwarder Container (Optional)

The Splunk Forwarder is an optional container that can forward logs from other systems (like Kali Linux or DVWA) to the main Splunk server.

  • Purpose: Forward logs from other containers to the Splunk server for centralized log analysis.
  • Setup: Only deploy if you need additional log forwarding capabilities.

Getting Started

βš™οΈ Prerequisites

Before starting the SOC Lab, make sure you have one of the following options installed on your computer.


Option 2: Use Docker (Alternative)

  • Install Docker Desktop
👉 https://www.docker.com/products/docker-desktop/
  • Docker Compose (included with Docker Desktop)
  • A .env file containing the Splunk admin password
(This will be provided by your instructor; do not share it)

Important Notes

  • You only need one option: Podman or Docker
  • You do not need to understand the tools; just follow the steps
  • Do not edit the .env file unless instructed

Setup

  1. Create the Podman network:

    podman network create --driver=bridge --subnet=10.30.0.0/24 --gateway=10.30.0.1 lab-net
    

    Verify the lab network:

        podman network inspect lab-net
            or
        podman network ls
    
  2. πŸ” Environment Variables Create a .env file:

    COMPOSE_PROJECT_NAME=sochomelab
    SPLUNK_PASSWORD=YourSecurePassword
    SPLUNK_START_ARGS=--accept-license
    
  3. Start/Stop the services using Podman Compose:

    Lab UP

        podman compose --file .\docker-compose.yml up --detach

    This will pull the necessary images and start all the containers.

    Lab DOWN

        podman compose -f .\docker-compose.yml down

    This will stop the containers and clean up any persistent data.

Podman Networks

The containers are connected via a bridge network (lab-net), which allows them to communicate with each other.

  • Network Name: lab-net
  • Driver: bridge
  • External Network: lab-net is treated as an existing (external) network, which is why you create it yourself in Setup step 1 before starting the lab; compose attaches the containers to it instead of creating its own.

Podman Volumes

The following volumes are used to persist data across container restarts:

  • splunk-data: Persists data for Splunk logs.
  • dvwa-data: Persists data for the DVWA database and settings.

πŸ” Accessing the Services

  • Splunk: Open your browser and go to http://localhost:8000 to access the Splunk dashboard.

  • DVWA: Open your browser and go to http://localhost:80 to access the DVWA application. Log in with the default credentials (admin/password).

  • Kali Linux: To interact with the Kali Linux container, you can either connect to it via SSH or use podman exec to get a terminal.

    podman exec -it kali-container-name bash
    

πŸ› οΈ Troubleshooting

If something does not work, don’t panic; this is common.

  • Lab does not start

    Problem: The command does nothing or shows errors
    Try this:

    • Make sure Docker or Podman is running
    • Restart Docker/Podman and try again
    • Run the command from inside the SOC-Lab folder

  • Splunk is not loading: Ensure the ports are mapped correctly and there is no firewall blocking the connections.

  • DVWA login fails: Try resetting the DVWA database via the DVWA interface or the backend.

  • Still Stuck?

    • Take a screenshot of the error
    • Copy the error message
    • Ask your instructor

πŸ” Security Note

This lab is not intended for production use. It intentionally contains vulnerable software and runs privileged containers. Use in isolated environments only.

Rules for Users (Very Important)

  • This lab is educational only
  • Never use these tools on real systems
  • Never test websites you don’t own
  • The lab is safe and isolated on your own computer
  • Cybersecurity is about defense and awareness
  • Cybersecurity is about protection, not harm

How to Customize

Feel free to modify the port mappings and environment variables for each container based on your local setup or specific needs. You may also want to tweak the docker-compose.yml file for additional configuration, such as changing the web application’s vulnerability level or adding additional services.


Key Differences for Podman vs Docker:

  • docker -> podman: Replace docker with podman in all command examples.
  • docker-compose -> podman-compose: Use podman-compose instead of docker-compose to manage multi-container environments.


License

This project is licensed under the MIT License.