Poorboy setup (home user, no tap, span)


Jason C. Rochon

Aug 25, 2013, 11:36:10 AM
to securit...@googlegroups.com
Hi all,

I'm practicing my security skills at home. I have two servers from college in my home and there is only my AT&T 3600HGV Router. I do not want to buy a Tap yet.
Is there a way to build this without purchasing any hardware? I do not mind putting this in front of my firewall/router/dmz, as I would like to see all traffic for educational research.

I understand the simple solution in the $40 Tap, but I really don't want to spend my food money :-)

Jeremy Hoel

Aug 25, 2013, 1:57:34 PM
to securit...@googlegroups.com
If you have a switch that has a span port, you could use that instead of a tap. And depending on the software on the router/wap, it might give you the ability to span/monitor traffic and that might give you something.




--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/groups/opt_out.

Jason C. Rochon

Aug 25, 2013, 2:53:13 PM
to securit...@googlegroups.com
I'm looking for this spanning option on my AT&T Router and not finding any luck.
I wonder if I could use a software program for spanning/tap. Would IPTables work?

Jason

Fieldy

Aug 25, 2013, 3:29:50 PM
to securit...@googlegroups.com
I believe your options are:

1) Run SecurityOnion in standalone mode in a VM. Run another nested VM product in that (NOTE: vmware can do nested VMs. Nothing else I know of can. So you use one product for SO, and another on the inside). The inner one uses NAT so it's forced to go through SO. Let the "that's really hacky" flames begin, but it has worked for me.

2) I know you said no hardware, but for about usd$20 you can build a hardware tap. This is what I'm using right now and it works great. You may already have a lot of the parts, or be able to find them: http://www.instructables.com/id/Make-a-Passive-Network-Tap/

Jason C. Rochon

Aug 25, 2013, 10:46:26 PM
to securit...@googlegroups.com
Carp Sandwiches !!!
I just realized there is no span port on my DSL Router. I would have built the passive tap from pieces in the college's network connectors.

Does anyone know if it's possible to Tap DSL RJ-11? Do I need a way to convert RJ-11 to RJ-45?

Once the DSL RJ-11 connects to the router the signal cannot be sniffed? Or just not the wireless traffic?

I want to Tap the DSL directly from the RJ-11 cable so that I get both wireless and ethernet.

Thanks responders for your ideas.

Vivek Rajagopalan

Aug 26, 2013, 1:25:49 AM
to securit...@googlegroups.com
If you have two ethernet interfaces you can try creating a linux bridge on the SO box. 

Can you tell us a bit about the hardware at your disposal ? You have 2 servers and the router. Where do you plan to run Security Onion ? I think you may need another box here.


Doug Burks

Aug 26, 2013, 8:06:13 AM
to securit...@googlegroups.com
Hi Jason,

Replies inline.

On Sun, Aug 25, 2013 at 10:46 PM, Jason C. Rochon
<jason.c...@gmail.com> wrote:
> Carp Sandwiches !!!
> I just realized there is no span port on my DSL Router. I would have built the passive tap from pieces in the college's network connectors.

I don't recommend building a tap. The instructions linked to
previously would only give you one side of the conversation. If
you're going to build a DIY tap, it needs to sniff both sides of
the conversation and will therefore have TWO tap outputs that you
would then have to combine back together using TWO NICs and Linux
bridging. To avoid this complexity, we recommend that folks purchase
one of the inexpensive tap options listed here:
https://code.google.com/p/security-onion/wiki/Hardware

FYI, we'll be giving away a Dualcomm Tap at BSides Augusta:
http://bsidesaugusta.org/

> Does anyone know if it's possible to Tap DSL RJ-11? Do I need a way to convert RJ-11 to RJ-45?
>
> Once the DSL RJ-11 connects to the router the signal cannot be sniffed? Or just not the wireless traffic?
>
> I want to Tap the DSL directly from the RJ-11 cable so that I get both wireless and ethernet.

I don't think you can tap DSL like this.

If you're not able to purchase any additional equipment, your best bet
may just be to practice replaying the included pcaps in /opt/samples/.


--
Doug Burks
http://securityonion.blogspot.com

Michal Purzynski

Aug 26, 2013, 9:42:24 AM
to securit...@googlegroups.com
On 8/25/13 7:57 PM, Jeremy Hoel wrote:
> If you have a switch that has a span port, you could use that instead of a tap. And depending on the software on the router/wap, it might give you the ability to span/monitor traffic and that might give you something.



That's actually what I do at home, intercepting most of the traffic on a span port. Works well; from time to time you might overflow the port, but oh well, that should happen only during a large transfer or similar.

Michal Purzynski

Aug 26, 2013, 9:46:02 AM
to securit...@googlegroups.com

>> Does anyone know if it's possible to Tap DSL RJ-11? Do I need a way to convert RJ-11 to RJ-45?
>>
>> Once the DSL RJ-11 connects to the router the signal cannot be sniffed? Or just not the wireless traffic?
>>
>> I want to Tap the DSL directly from the RJ-11 cable so that I get both wireless and ethernet.
> I don't think you can tap DSL like this.
Doug is (as usual ;) right. Tapping a DSL line is a difficult thing, and done
with expensive hardware.

I'd just go with a RJ45 side, using something like this

http://routerboard.com/RB250GS

should be easy enough to find on eBay or similar. The model isn't
made anymore, but there's another one, with a similar price and the same
possibilities.

Jason C. Rochon

Aug 26, 2013, 10:59:09 AM
to securit...@googlegroups.com
> Can you tell us a bit about the hardware at your disposal ? You have 2 servers and the router. Where do you plan to run Security Onion ? I think you may need another box here.

I have two generic twin boxes, with P4, 2GB, 500GB
Onion-1 = 1 on-board NIC
Onion-2 = 1 on-board NIC, 1 Intel NIC

AT&T U-Verse comes with DSL Router: 3600HGV
RJ-11 from wall to router, then RJ-45 out on 4 ports

Jason C. Rochon

Aug 26, 2013, 11:03:40 AM
to securit...@googlegroups.com
Doug, would you think this would be easier if I just borrowed a wireless card from the college warehouse, put it on one of my servers, or both servers having wireless snort sniffers?

I can authenticate to my Wireless DSL Router, in which we have an old laptop that my wife uses.

I could monitor her wireless laptop for intrusions or data leaks, or spamming.

Jason C. Rochon

Aug 26, 2013, 11:56:20 AM
to securit...@googlegroups.com
I'm curious if I could re-pin my DSL RJ-11 wire into a RJ-45 tip?

This would concern me in a couple ways:
1.) Signal degraded: AT&T breaks permanently, until rewired back to original spec.
2.) Is DSL routable directly from the wall through a device Doug recommended? I could re-pin the DSL RJ-11 into a RJ-45 tip, then plug into the switch, and have the data spanned or mirrored into my server's RJ-45, and re-pin the RJ-45 coming out of the switch back into an RJ-11 for my AT&T DSL Router.

P.S. I attached a drawing for simplicity.

~ Jason

RJ-11-45.png

Michal Purzynski

Aug 26, 2013, 12:20:28 PM
to securit...@googlegroups.com
No, you cannot do this. The DSL signal is a very complicated matter,
it's a "make data and electric signals look like a sound, transform them
into another set of electric signals, ship, restore data on the other
end". Not that easy at all. All you could do from tapping the RJ11 is
listening to some funny noises (i.e. your data ;).

I can see two ways here - up to you:

1. more expensive and time consuming. Build a simple but proper network.
Use the DSL box as a L2 bridge only. That's what I do here. You would
need to turn one of the boxes into a router, which could actually be a
nice access point for your wifi, too (just throw in a supported wifi
card). Install something like a Vyatta or literally any other Linux /
BSD on it and have fun. Use a separate switch to connect what you have.

2. cheaper, easy option. Buy that mikrotik or whatever else with a
working span port. Connect your DSL's RJ45 port to that switch and
connect all your gear to the mikrotik. Configure the span port on the
mikrotik.

You really can't mirror the DSL traffic using home equipment.

Jon

Aug 26, 2013, 1:10:27 PM
to securit...@googlegroups.com
One method is to scrounge a 100 Mbit Hub which many places are tossing/recycling. I've picked up several small 4 port hubs for free that a company was getting rid of. I can insert them into a wired network and sniff the traffic at that point since a hub sends all traffic it sees to all connected ports. The 10/100 switching HUBS will work for this as well as long as all the connections plugged into it are the same speed (all 10Mbps or all 100 Mbps).
Of course this won't work with gigabit or higher, and will slow down a highly utilized 100 Mbps with collisions, but otherwise it works fine.
Another thing you could do is use the PC with 2 NICs and configure Linux bridging between them so you can insert it into the wired network between your router and any other PCs and it will act as a transparent tap.

Jon

Jason C. Rochon

Aug 26, 2013, 6:58:27 PM
to securit...@googlegroups.com

Sorry, I know my drawing has already been answered.

I'm thinking about the switch. In which, if I ever swap out DSL for Comcast, all my network components become normal. DSL is the issue, but it was cheapest. I don't see upgrading, breaking my deal/contract just for that.

I know I can work with a tcpdump and replay, but I would like to work with live data in real time.
Which leads to my final question...

Can I set up Security Onion standalone with a NIC and a Wireless Card to sniff wireless?
Will all the tools work? Snort, Snorby, Bro, etc.?


Doug Burks

Aug 26, 2013, 9:57:20 PM
to securit...@googlegroups.com
On Mon, Aug 26, 2013 at 6:58 PM, Jason C. Rochon
<jason.c...@gmail.com> wrote:
> Sorry, I know my drawing has already been answered.
>
> I'm thinking about the switch. In which, if I ever swap out DSL for Comcast,
> all my network components become normal. DSL is the issue, but it was
> cheapest. I don't see upgrading, breaking my deal/contract just for that.
>
> I know I can work with a tcpdump and replay, but I would like to work with
> live data in real time.
> Which leads to my final question...
>
> Can I set up Security Onion standalone with a NIC and a Wireless Card to
> sniff wireless?
> Will all the tools work? Snort, Snorby, Bro, etc.?

I'm not sure that will give you the results you're looking for.

How about the following?

- Find another wifi router to connect all your wired/wireless devices
to. You may already have an extra one laying around. If not, you can
find used and even new models very reasonably priced.

- Connect the new wifi router's uplink port to your sniffing
infrastructure. If you can afford a $40 tap, that's the easiest way
to go and will save you lots of time and heartache. If not, you can
install an additional NIC in Onion-2, giving it a total of 3
interfaces, 1 for management, 1 to connect to the new router, and 1 to
connect to the DSL router. You'd need to configure Linux to bridge
the two router interfaces. There are many guides on the Internet for
that and it's beyond the scope of this mailing list. But keep in mind
that if your SO box breaks, then so does your (and your wife's)
Internet traffic. So I would really recommend the $40 tap for your
peace of mind! :)

- Connect your sniffing infrastructure to your DSL router.

- In the end, it would look something like this:

wired/wireless clients --> new wifi router --> sniffing infrastructure
--> DSL router --> Internet

Doug
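The inline Linux bridge that Jon and Doug describe, written out as an added example (not code from any poster or from Security Onion): Onion-2 keeps one NIC for management and bridges the other two with no IP address, and the bridge device itself becomes the capture interface. Interface names (eth0 for management, eth1 toward the new wifi router, eth2 toward the DSL router) are constructed assumptions; set DRY_RUN=1 to print the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not code from the thread or from Security Onion.
# Turns a 3-NIC box into a transparent inline bridge: the management NIC
# keeps its IP address; NIC_A and NIC_B are bridged with no IP so the box
# is invisible inline and the bridge device is what tcpdump/Snort/Bro sniff.
# Caveat from the thread: the bridge is a single point of failure for the
# household's Internet, unlike a passive tap.
# Run as root; set DRY_RUN=1 to print the commands instead of executing them.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# build_bridge BRIDGE NIC_A NIC_B
build_bridge() {
    [ $# -eq 3 ] || { echo "usage: build_bridge BRIDGE NIC_A NIC_B" >&2; return 1; }
    br=$1
    shift
    run ip link add name "$br" type bridge
    # A two-port inline bridge has no loop to break; STP would only make the
    # box announce itself with BPDUs.
    run ip link set dev "$br" type bridge stp_state 0
    for nic in "$@"; do
        # Offloads hand the sniffer reassembled super-frames instead of what
        # was on the wire; turn them off on the capture ports.
        run ethtool -K "$nic" gro off lro off tso off gso off
        run ip link set dev "$nic" promisc on
        run ip link set dev "$nic" master "$br"
        run ip link set dev "$nic" up
    done
    # No IPv6 link-local address: the bridge must not source any packets.
    run sysctl -q -w "net.ipv6.conf.$br.disable_ipv6=1"
    run ip link set dev "$br" promisc on
    run ip link set dev "$br" up
}

# Constructed wiring: eth0 = management, eth1 = new wifi router,
# eth2 = DSL router. Afterwards point Security Onion's sniffing interface,
# or a quick check like "tcpdump -nn -i br0", at br0.
# build_bridge br0 eth1 eth2
```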

Matt Gregory

Aug 26, 2013, 10:22:15 PM
to securit...@googlegroups.com

> But keep in mind that if your SO box breaks, then so does your (and your wife's) Internet traffic.

Wise man once say, separate your home lab from your home "production" network...your marriage will thank you ;)

Matt




Jason C. Rochon

Aug 27, 2013, 10:40:50 AM
to securit...@googlegroups.com
Thanks everyone for the help.

I'm going to try and see if the college has some old wifi routers that are not needed ...

I talked to the Director of Networking, and he explained a lot to me, so he is my new best friend on this science project :D

Thanks, again.
