Cannot get port mirroring to work with DDWRT


Aaron Katz

Jan 31, 2015, 12:28:41 AM
to securit...@googlegroups.com
I have securityonion connected to my router directly. My router has DDWRT on it (It is a TP-Link router), but I cannot find a VLAN tab anywhere.

I tried the following:

iptables -s 0.0.0.0 -t mangle -A PREROUTING -j TEE --gateway 192.168.1.147
iptables -s 0.0.0.0 -t mangle -A POSTROUTING -j TEE --gateway 192.168.1.147

where the 192.168.1.147 IP address was the management interface, since the other interface it created did not have an IP.

However, this did not appear to work. I tried doing curl testmyids.com, but Snorby is constantly showing 0 alerts.

What else needs to be done to get securityonion up and running?

I have my modem, connected to my router, which has wireless.

Doug Burks

Jan 31, 2015, 7:16:12 AM
to securit...@googlegroups.com
Hi Aaron,

For best results, please use a tap or span port that doesn't rely on iptables TEE:

If you absolutely must use iptables TEE, then you can try manually assigning an IP address to your sniffing interface using /etc/network/interfaces, but we can't guarantee or support this. 



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Tim Schofield

Nov 4, 2015, 6:19:42 AM
to security-onion
In my DD-WRT router I use PPPoE pass-through (to an ADSL modem in bridged mode), so I have a ppp0 interface.

iptables -t mangle -A PREROUTING -i ppp0 -j ROUTE --tee --gw 192.168.1.4
iptables -t mangle -A POSTROUTING -o ppp0 -j ROUTE --tee --gw 192.168.1.4

I also added an ARP entry in my DD-WRT for my sec onion's monitoring interface's MAC address; that way you don't need an IP address, and the packets get sent to the interface being monitored and not to the management interface, which is not being monitored.

arp -s 192.168.1.4 52:54:00:38:84:bb

(192.168.1.4 is not assigned to any interface on my network; it is just an unused IP on my subnet)
(replace 52:54:00:38:84:bb with the MAC address of your sec onion's monitoring interface)
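Tim's static-ARP plus ROUTE --tee approach, assembled as an added shell example (not code from the thread or from Security Onion) so the three router-side steps can be checked before being applied. WAN_IF, TEE_IP and SENSOR_MAC are placeholders you set; TEE_IP must be an unused address on your LAN subnet and SENSOR_MAC the MAC of the sensor's sniffing interface, not its management interface.

```shell
#!/bin/sh
# Added example (not from the thread): build the DD-WRT side of the static-ARP
# plus ROUTE --tee mirroring. WAN_IF, TEE_IP and SENSOR_MAC are placeholders.
# Commands are only printed unless APPLY=1, because arp/iptables need root.

valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

valid_mac() {
  echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# mirror_cmds WAN_IF TEE_IP SENSOR_MAC -> prints one router command per line
mirror_cmds() {
  wan_if=$1; tee_ip=$2; sensor_mac=$3
  valid_ipv4 "$tee_ip" || { echo "bad TEE IP: $tee_ip" >&2; return 1; }
  valid_mac "$sensor_mac" || { echo "bad MAC: $sensor_mac" >&2; return 1; }
  # Static ARP entry: nobody owns TEE_IP, so the router is told which MAC to
  # frame the copies for, i.e. the sniffing NIC rather than management.
  echo "arp -s $tee_ip $sensor_mac"
  # DD-WRT's ROUTE target with --tee duplicates packets towards --gw: inbound
  # WAN traffic is caught in PREROUTING, outbound traffic in POSTROUTING.
  echo "iptables -t mangle -A PREROUTING -i $wan_if -j ROUTE --tee --gw $tee_ip"
  echo "iptables -t mangle -A POSTROUTING -o $wan_if -j ROUTE --tee --gw $tee_ip"
}

# Defaults are the values from Tim's post; override them via the environment.
if [ "${APPLY:-0}" = 1 ]; then
  mirror_cmds "${WAN_IF:-ppp0}" "${TEE_IP:-192.168.1.4}" "${SENSOR_MAC:-52:54:00:38:84:bb}" |
    while IFS= read -r cmd; do $cmd || exit 1; done
else
  mirror_cmds "${WAN_IF:-ppp0}" "${TEE_IP:-192.168.1.4}" "${SENSOR_MAC:-52:54:00:38:84:bb}"
fi
```

Run it once in dry-run mode to review the commands, then with APPLY=1 on the router; the rules are not persisted across reboots unless you add them to DD-WRT's firewall startup script.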