How To Set Up Traffic Mirroring To Security Onion


Zsolt Bicskey

Apr 29, 2020, 10:28:31 AM
to qubes...@googlegroups.com

I am building a lab inside QubesOS. I have two gateways, two firewalls. Behind the pentest-firewall I want all machines to see each other. Since I have both Win and Linux machines and for simplicity's sake I am doing this from the firewall.

On top of this I have a Security Onion running to capture all traffic internal to internal and internal to external. I have PolarProxy installed on it to decrypt HTTPS traffic (https://www.netresec.com/?page=Blog&month=2020-01&post=Sniffing-Decrypted-TLS-Traffic-with-Security-Onion)


This rule opens up all internal communication on the pentest-firewall:

# allow forwarding between any two VM interfaces (vif+) on the firewall
iptables -I FORWARD -i vif+ -o vif+ -j ACCEPT

These rules should forward all HTTPS to the Security Onion:

# accept new connections being forwarded to PolarProxy's listener on the Security Onion
iptables -A FORWARD -i eth0 -d 10.137.0.24 -p tcp --dport 10443 -m state --state NEW -j ACCEPT

# redirect inbound HTTPS (443) to PolarProxy on 10.137.0.24:10443
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 10.137.0.24:10443

# source-NAT the redirected flows so PolarProxy's replies come back through the firewall
iptables -t nat -A POSTROUTING -o eth0 -d 10.137.0.24 -p tcp --dport 10443 -j MASQUERADE

Important IPs/Details:

SecurityOnion 10.137.0.24

Security Onion interface eth0

Firewall IP: 10.137.0.6

QUESTION

How can I set up full traffic mirroring to that Security Onion machine? It's easy with a physical switch but I cannot make it work with iptables. Please help.




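The thread never reaches a working answer, so here is an added example (not code from any of the posters) of how full mirroring can be done from a Linux firewall VM with iptables alone: the TEE target (xt_TEE module) clones every matching packet to a directly connected neighbour and lets the original continue unchanged, which is the iptables equivalent of a switch SPAN port. It assumes the values from the first post (sensor 10.137.0.24, VM interfaces vif+ on the firewall); the lab subnet 10.137.0.0/24 and the availability of xt_TEE in the firewall VM's kernel are assumptions.

```shell
#!/bin/sh
# Added example: mirror all forwarded lab traffic to a Security Onion sensor
# with the iptables TEE target. Not from the thread; sensor IP and vif+ come
# from the first post, the /24 lab subnet is an assumption.
set -u

SENSOR_IP="${SENSOR_IP:-10.137.0.24}"   # Security Onion sniffing interface
LAB_NET="${LAB_NET:-10.137.0.0/24}"     # subnet behind the pentest firewall (assumed)
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print the rules, 0 = apply them

# Print (dry run) or execute one iptables command.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# The mirror rules live in the mangle table so they see each packet before the
# nat-table DNAT rewrites it (the copy keeps the original :443 destination).
#  - PREROUTING on vif+ catches everything the lab VMs send, both
#    internal-to-internal and internal-to-external.
#  - POSTROUTING on vif+ catches only replies coming from outside the lab,
#    so an internal-to-internal packet is not copied twice.
#  - Packets to or from the sensor itself are excluded so its own traffic and
#    the mirrored copies are never mirrored again.
add_mirror_rules() {
    ipt -t mangle -A PREROUTING -i vif+ -s "$LAB_NET" \
        ! -s "$SENSOR_IP" ! -d "$SENSOR_IP" -j TEE --gateway "$SENSOR_IP"
    ipt -t mangle -A POSTROUTING -o vif+ ! -s "$LAB_NET" -d "$LAB_NET" \
        ! -d "$SENSOR_IP" -j TEE --gateway "$SENSOR_IP"
}

# Remove the same two rules (iptables -D needs an identical match).
del_mirror_rules() {
    ipt -t mangle -D PREROUTING -i vif+ -s "$LAB_NET" \
        ! -s "$SENSOR_IP" ! -d "$SENSOR_IP" -j TEE --gateway "$SENSOR_IP"
    ipt -t mangle -D POSTROUTING -o vif+ ! -s "$LAB_NET" -d "$LAB_NET" \
        ! -d "$SENSOR_IP" -j TEE --gateway "$SENSOR_IP"
}

case "${1:-show}" in
    apply)  DRY_RUN=0; add_mirror_rules ;;
    remove) DRY_RUN=0; del_mirror_rules ;;
    *)      add_mirror_rules ;;   # default: only show what would be applied
esac
```

TEE delivers each copy to the link-layer address of the `--gateway` host over the route the firewall already has to it, so the copies arrive on the sensor's interface addressed to other IPs; that interface has to capture in promiscuous mode, which is how Security Onion's sniffing interface is normally configured anyway. On Qubes 4 the firewall chains are regenerated by the qubes-firewall service, so rules that should survive are usually placed in /rw/config/qubes-firewall-user-script in the firewall VM.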

Aret

Apr 30, 2020, 2:09:03 PM
to Zsolt Bicskey, qubes...@googlegroups.com

Hi,

Don't know if it makes actual sense on Qubes, but I used the following successfully on XenServer/XCP-ng; inbound traffic is not visible to SecurityOnion otherwise, as originally targeting the tapped network, from my understanding:

https://blog.rootshell.be/2013/09/09/xenserver-port-mirroring/

Hope that helps,

Peace!

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/78x2nonu3gggbCdEbEiYRDG03EeDX0TS7Uhd9wSTMo_FAf3wjmjIfP6i4Q8sKu5EmRxoKE-FsaLckb0zt_eOQGrtfC-ASPdg3r1hi8Oyepo%3D%40protonmail.com.

Zsolt Bicskey

May 1, 2020, 4:19:16 PM
to Aret, qubes...@googlegroups.com
> Don't know if it makes actual sense on Qubes, but I used the following successfully on XenServer/XCP-ng; inbound traffic is not visible to SecurityOnion otherwise, as originally targeting the tapped network, from my understanding:
>
> https://blog.rootshell.be/2013/09/09/xenserver-port-mirroring/
>
> Hope that helps,
>
> Peace!

This information didn't really help me to solve the problem.



Zsolt Bicskey

May 4, 2020, 2:21:03 PM
to Zsolt Bicskey, Aret, qubes...@googlegroups.com
Does anyone have some creative ideas how I could mirror all traffic on this subnet into the SecurityOnion HVM?