Configure Security Onion to monitor LAN and WAN traffic in home lab


Idris A

Mar 4, 2014, 3:12:27 PM
to securit...@googlegroups.com
Can anyone provide guidance on how to configure Security Onion to monitor LAN and WAN traffic in a home lab environment? I currently have a DD-WRT router and an ESXi host for VMs. I want to be able to see what type of traffic is hitting my external-facing IP and what type of traffic is happening in my internal network.

Matt Gregory

Mar 4, 2014, 5:13:50 PM
to securit...@googlegroups.com
Hi Idris,

You'll need to either configure your DD-WRT router to mirror the ports you want to monitor to the port where your SO sniffing interface is connected, or use a tap, to get the traffic you want to monitor to SO.  Have you seen any of the following links:

http://eyeis.net/2012/08/helping-the-seekers-how-to-place-security-onion/
https://groups.google.com/forum/#!msg/security-onion/cPyd0dDdjF0/6gl7ezhL7EIJ
https://code.google.com/p/security-onion/wiki/Hardware (see "Packets" section)

Richard Bejtlich's book "The Practice of Network Security Monitoring" is also a good place to start if you are new to NSM concepts.

Is your SO box one of the VMs on your ESXi host?  If so, that will affect your sniffing setup.  If you can describe your topology in more detail, we can provide some more specific answers.

Matt



Idris A

Mar 5, 2014, 10:38:34 AM
to securit...@googlegroups.com
Hi Matt,

No, I have not looked at those links, but I will look into them. In regards to using a tap, would it be better to use iptables on the router? Would I need to configure two different SO instances to monitor the LAN and WAN traffic? Yes, the SO box is a VM on my ESXi host.

Matt Gregory

Mar 5, 2014, 9:05:18 PM
to securit...@googlegroups.com
> In regards to using a tap, would it be better to use iptables on the router?

iptables is an interface to the Linux kernel firewall, which won't serve the purpose you need.  You need to configure port mirroring to copy traffic from the ports you want to monitor to the port where your SO sniffing interface is connected.  I don't know if DD-WRT supports port mirroring.


> Would I need to configure two different SO instances to monitor the LAN and WAN traffic?

You would need one sniffing interface to monitor the WAN side and one or more sniffing interfaces to monitor the LAN side (depending on how many segments you want to monitor).  You may want to focus just on the LAN side to start; monitoring the WAN is going to inundate you with traffic that may not matter or even make it past your firewall.

> Yes, the SO box is a VM on my ESXi host.

You can configure multiple sniffing interfaces in a standalone SO installation.  Since your SO box is in ESXi, you'll need at least one physical interface to which to connect SO's virtual management interface, and one physical interface to which to connect SO's virtual sniffing interface.  Depending on your physical topology, you may need more than one physical interface for sniffing.  The links I posted earlier have information on this issue.

Matt


Doug Burks

Mar 6, 2014, 7:28:25 AM
to securit...@googlegroups.com
On Wed, Mar 5, 2014 at 9:05 PM, Matt Gregory <mgg...@gmail.com> wrote:
>> In regards to using a tap, would it be better to iptables on the router?
>
>
> iptables is an interface to the Linux kernel firewall, which won't serve
> the purpose you need. You need to configure port mirroring to copy traffic
> from the ports you want to monitor to the port where your SO sniffing
> interface is connected. I don't know if DD-WRT supports port mirroring.

To clarify, iptables does have a --tee option that can be used to
forward traffic. For example:
http://blog.nobytes.com/2013/01/dd-wrt-network-sniffing.html

However, my personal preference is to use a DualComm tap. Others like
MikroTik switches:
https://code.google.com/p/security-onion/wiki/Hardware#Packets

Netavarka Suraksa

Mar 6, 2014, 7:31:33 AM
to securit...@googlegroups.com
The DD-WRT forum claims iptables can do a mirror of the ports. Quote:

"
There's many posts about it if you search. You'll need to add iptables rules to your firewall script on the admin->commands page. Change the IP to be whatever one is monitoring the traffic.

iptables -t mangle -I PREROUTING -i br0 -j ROUTE --gw 192.168.1.10 --tee
iptables -t mangle -I POSTROUTING -o br0 -j ROUTE --gw 192.168.1.10 --tee

If you want to use a VLAN instead then set up VLAN2 and use these.

iptables -t mangle -I PREROUTING -i br0 -j ROUTE --oif vlan2 --tee
iptables -t mangle -I POSTROUTING -o br0 -j ROUTE --oif vlan2 --tee
"

Some relevant info from the iptables man page:

   PARAMETERS
       The following parameters make up a rule specification (as used  in  the
       add, delete, insert, replace and append commands).

       -i, --in-interface [!] name
              Name  of  an interface via which a packet was received (only for
              packets entering the  INPUT,  FORWARD  and  PREROUTING  chains).

       -o, --out-interface [!] name
              Name of an interface via which a packet is going to be sent (for
              packets  entering  the  FORWARD, OUTPUT and POSTROUTING chains).

   ROUTE
       This  is  used  to explicitly override the core network stack’s routing
       decision.  mangle table.

       --gw IP_address
              Route the packet via this gateway

       --tee  Make a copy of the packet, and route that copy to the given des-
              tination. For the original, uncopied packet, behave like a  non-
              terminating target and continue traversing the rules.  Not valid
              in combination with ‘--iif’ or ‘--continue’
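A post-setup check, added here as an example (not code from the thread or from Security Onion): it parses `tcpdump -n` text taken on the SO sniffing interface and reports flows seen in only one direction, which is the symptom when only the PREROUTING (-i br0, LAN in) or only the POSTROUTING (-o br0, LAN out) mirror rule above is installed. The capture lines are constructed, and the 192.168.1.x addresses are assumed.

```python
"""Verify that the --tee mirror delivers both directions of each flow to the sensor.

Hypothetical check, not from the thread: parse `tcpdump -n` text captured on the
Security Onion sniffing interface and list flows seen in only one direction.
"""
import re
from collections import defaultdict

# Matches the "IP src.sport > dst.dport:" part of a `tcpdump -n` line (TCP or UDP).
_PKT = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

# Constructed sample capture: one TCP flow seen both ways, one DNS flow seen LAN-out only.
SAMPLE = """\
12:00:01.000001 IP 192.168.1.20.51234 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0
12:00:01.020000 IP 93.184.216.34.443 > 192.168.1.20.51234: Flags [S.], seq 1, ack 2, win 65535, length 0
12:00:02.000000 IP 192.168.1.21.40000 > 8.8.8.8.53: 1234+ A? example.com. (29)
12:00:03.000000 IP 192.168.1.21.40000 > 8.8.8.8.53: 1235+ A? example.org. (29)
""".splitlines()


def flow_directions(lines):
    """Map each flow (endpoints sorted, so A<->B and B<->A share a key) to the directions seen."""
    seen = defaultdict(set)
    for line in lines:
        m = _PKT.search(line)
        if not m:
            continue  # ARP, ICMP, truncated lines: ignored for this check
        src = (m.group(1), int(m.group(2)))
        dst = (m.group(3), int(m.group(4)))
        key = tuple(sorted((src, dst)))
        seen[key].add("fwd" if (src, dst) == key else "rev")
    return seen


def one_way_flows(lines):
    """Flows captured in one direction only.

    With the DD-WRT rules in the thread, PREROUTING -i br0 copies LAN-to-router
    packets and POSTROUTING -o br0 copies router-to-LAN packets; if only one of
    them is installed, every flow shows up here.
    """
    return sorted(k for k, d in flow_directions(lines).items() if len(d) < 2)


if __name__ == "__main__":
    for (a, b) in one_way_flows(SAMPLE):
        print(f"one-way flow: {a[0]}:{a[1]} <-> {b[0]}:{b[1]}")
```

Feed it real output with `tcpdump -n -i <sniffing interface> -c 2000 | python3 check_mirror.py`-style piping (reading stdin instead of SAMPLE); an empty result means both mirror rules are copying.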

Matt Gregory

Mar 6, 2014, 12:10:55 PM
to securit...@googlegroups.com
I stand corrected on iptables!  Maybe I was thinking of Little Bobby Tables ;)
Matt


Idris A

Mar 6, 2014, 3:56:04 PM
to securit...@googlegroups.com
Matt/Doug/Netavarka,

Thanks for all the information. I am going to use the information y'all gave me and the documents Matt provided to plan how I want to implement SO and how I may want to change how my network infrastructure is laid out! After doing this, I will let y'all know how it turns out.