Configure security onion to monitor LAN and WAN traffic in home lab
3,366 views
Skip to first unread message
Idris A
Mar 4, 2014, 3:12:27 PM3/4/14
to securit...@googlegroups.com
Can anyone provide guidance on how to configure security onion to monitor LAN and WAN traffic in a home lab environment? I currently have a DD-wrt router and a ESXi host for VMs. I want to be able to see what type of traffic is hitting my external facing IP and what type of traffic is happening in my internal network.
Matt Gregory
Mar 4, 2014, 5:13:50 PM3/4/14
to securit...@googlegroups.com
Hi Idris,
You'll need to either configure your DD-WRT router to mirror the ports you want to monitor to the port where your SO sniffing interface is connected, or use a tap, to get the traffic you want to monitor to SO. Have you seen any of the following links:
http://eyeis.net/2012/08/helping-the-seekers-how-to-place-security-onion/
https://groups.google.com/forum/#!msg/security-onion/cPyd0dDdjF0/6gl7ezhL7EIJ
https://code.google.com/p/security-onion/wiki/Hardware (see "Packets" section)
Richard Bejtlich's book "The Practice of Network Security Monitoring" is also a good place to start if you are new to NSM concepts.You'll need to either configure your DD-WRT router to mirror the ports you want to monitor to the port where your SO sniffing interface is connected, or use a tap, to get the traffic you want to monitor to SO. Have you seen any of the following links:
http://eyeis.net/2012/08/helping-the-seekers-how-to-place-security-onion/
https://groups.google.com/forum/#!msg/security-onion/cPyd0dDdjF0/6gl7ezhL7EIJ
https://code.google.com/p/security-onion/wiki/Hardware (see "Packets" section)
On Tue, Mar 4, 2014 at 3:12 PM, Idris A <idrisa...@gmail.com> wrote:
Can anyone provide guidance on how to configure security onion to monitor LAN and WAN traffic in a home lab environment? I currently have a DD-wrt router and a ESXi host for VMs. I want to be able to see what type of traffic is hitting my external facing IP and what type of traffic is happening in my internal network.
--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/groups/opt_out.
Idris A
Mar 5, 2014, 10:38:34 AM3/5/14
to securit...@googlegroups.com
Hi Matt,
No I have not looked at those links but I will look into them. In regards to using a tap, would it be better to iptables on the router? Would I need to to configure two different SO instance to monitor the LAN and WAN traffic? Yes the SO box is a VM on my ESXi host.
No I have not looked at those links but I will look into them. In regards to using a tap, would it be better to iptables on the router? Would I need to to configure two different SO instance to monitor the LAN and WAN traffic? Yes the SO box is a VM on my ESXi host.
Matt Gregory
Mar 5, 2014, 9:05:18 PM3/5/14
to securit...@googlegroups.com
In regards to using a tap, would it be better to iptables on the router?
iptables is an interface to the Linux kernel firewall, which won't server the purpose you need. You need to configure port mirroring to copy traffic from the ports you want to monitor to the port where your SO sniffing interface is connected. I don't know if DD-WRT supports port mirroring.
Would I need to to configure two different SO instance to monitor the LAN and WAN traffic?
You would need one sniffing interface to monitor the WAN side and one or more sniffing interfaces to monitor the LAN side (depending on how many segments you want to monitor). You may want to focus just on the LAN side to start; monitoring the WAN is going to inundate you with traffic that may not matter or even make it past your firewall.
Yes the SO box is a VM on my ESXi host.
You can configure multiple sniffing interfaces in a standalone SO installation. Since your SO box is in ESXi, you'll need at least one physical interface to which to connect SO's virtual management interface, and one physical interface to which to connect SO's virtual sniffing interface. Depending on your physical topology, you may need more than one physical interface for sniffing. The links I posted earlier have information on this issue.
Matt
Matt
Doug Burks
Mar 6, 2014, 7:28:25 AM3/6/14
to securit...@googlegroups.com
On Wed, Mar 5, 2014 at 9:05 PM, Matt Gregory <mgg...@gmail.com> wrote:
>> In regards to using a tap, would it be better to iptables on the router?
>
>
> iptables is an interface to the Linux kernel firewall, which won't server
> the purpose you need. You need to configure port mirroring to copy traffic
> from the ports you want to monitor to the port where your SO sniffing
> interface is connected. I don't know if DD-WRT supports port mirroring.
To clarify, iptables does have a --tee option that can be used to
>> In regards to using a tap, would it be better to iptables on the router?
>
>
> iptables is an interface to the Linux kernel firewall, which won't server
> the purpose you need. You need to configure port mirroring to copy traffic
> from the ports you want to monitor to the port where your SO sniffing
> interface is connected. I don't know if DD-WRT supports port mirroring.
forward traffic. For example:
http://blog.nobytes.com/2013/01/dd-wrt-network-sniffing.html
However, my personal preference is to use a DualComm tap. Others like
Microtik switches:
https://code.google.com/p/security-onion/wiki/Hardware#Packets
Netavarka Suraksa
Mar 6, 2014, 7:31:33 AM3/6/14
to securit...@googlegroups.com
DD-WRT forum claims IPTABLES can do a mirror of the ports. Quote:
"
There's many posts about it if you search. You'll need to add iptables rules to your firewall script on the admin->commands page. Change the IP to be whatever one is monitoring the traffic.
iptables -t mangle -I PREROUTING -i br0 -j ROUTE --gw 192.168.1.10 --tee
iptables -t mangle -I POSTROUTING -o br0 -j ROUTE --gw 192.168.1.10 --tee
If you want to use a VLAN instead then set up VLAN2 and use these.
iptables -t mangle -I PREROUTING -i br0 -j ROUTE --oif vlan2 --tee
iptables -t mangle -I POSTROUTING -o br0 -j ROUTE --oif vlan2 --tee
"
Some relevant info from IPTABLES man page:"
There's many posts about it if you search. You'll need to add iptables rules to your firewall script on the admin->commands page. Change the IP to be whatever one is monitoring the traffic.
iptables -t mangle -I PREROUTING -i br0 -j ROUTE --gw 192.168.1.10 --tee
iptables -t mangle -I POSTROUTING -o br0 -j ROUTE --gw 192.168.1.10 --tee
If you want to use a VLAN instead then set up VLAN2 and use these.
iptables -t mangle -I PREROUTING -i br0 -j ROUTE --oif vlan2 --tee
iptables -t mangle -I POSTROUTING -o br0 -j ROUTE --oif vlan2 --tee
"
PARAMETERS
The following parameters make up a rule specification (as used in the
add, delete, insert, replace and append commands).
-i, --in-interface [!] name
Name of an interface via which a packet was received (only for
packets entering the INPUT, FORWARD and PREROUTING chains).
-o, --out-interface [!] name
Name of an interface via which a packet is going to be sent (for
packets entering the FORWARD, OUTPUT and POSTROUTING chains).
ROUTE
This is used to explicitly override the core network stack’s routing
decision. mangle table.
--gw IP_address
Route the packet via this gateway
--tee Make a copy of the packet, and route that copy to the given des-
tination. For the original, uncopied packet, behave like a non-
terminating target and continue traversing the rules. Not valid
in combination with ‘--iif’ or ‘--continue’
Matt Gregory
Mar 6, 2014, 12:10:55 PM3/6/14
to securit...@googlegroups.com
I stand corrected on iptables! Maybe I was thinking of Little Bobby Tables ;)
Matt
--
Idris A
Mar 6, 2014, 3:56:04 PM3/6/14
to securit...@googlegroups.com
Matt/Doug/Netavarka,
Thanks for all the information. I am going to use the information y'all gave me and the documents Matt provide to plan how I want to implement SO and how I may want to change how my network infrastructure is laid out! After doing this, I will let y'all know how it turns out
Thanks for all the information. I am going to use the information y'all gave me and the documents Matt provide to plan how I want to implement SO and how I may want to change how my network infrastructure is laid out! After doing this, I will let y'all know how it turns out
Reply all
Reply to author
Forward
0 new messages