Wednesday, 16 May 2012

SecurityOnion on a netbook with port mirroring on WRT54g

So firstly, this quick blog post is for Scott Runnels as he asked for it, I suppose that's what you get for saying you'll help out on an open source project :) All good!

I'd a spare Dell netbook (8gb disk, 2gb ram & 1.6gb Intel Atom CPU) lying around so I figured I'd see if I could try running Security Onion off it.
As you'll know by now (from posts here and on my HackEire blog) I think the Security Onion is fantastic and unsurprisingly, it runs well on my little netbook as you can see from the screenshot below, which was taken whilst the port mirroring was enabled and there were people browsing the net and watching content via Netflix. Bro seems to be heaviest on the system but with a run queue average (any time I've looked) around 1, I'm not concerned and I don't believe there's anything to worry about (I need to play with 'bro' as I've heard great things about it).


So the more interesting aspect was now that I had my netbook converted to a fully-fledged NSM (Network Security Monitoring) device, how could I get traffic routing through it. Spanning a port on a switch seemed like the easy way but if you've read my HackEire NSM blog post, I don't always go for the easy option. Therefore, I figured I'd have a go at performing port mirroring on a Linksys WRT54g wireless router running Tomato. I had a look around at possible ways (from the basic to the complex) but couldn't see how it could be done, maybe using the 'mangle' switch in iptables to redirect or something.

A bit of Google-Fu later and I found something on the PaulDotCom mailing list, which seemed promising  and I eventually came to here, which confirmed that it was possible with iptables but that I needed small modification. The poster 'SirMeowmix_III' does a fantastic job and takes credit for essentially solving my issue but to quickly summarise what I did -
  • I set up a 192.168.5.0/24 network where 192.168.5.217 was a client, 192.168.5.199 the default gateway and 192.168.5.220 was my netbook running Security Onion.
  • As per SirMeowmix_III's post, I modified iptables on the router. With the Tomato routing software, from version 1.24+, there is the ipt_ROUTE modification, which enables the -j ROUTE and --tee functionality. Run the following from the cli -
    • /sbin/modprobe ipt_ROUTE

  • As detailed in the Netfilter site (by C├ędric de Launois), 'ROUTE' enables my router to receive the packet and route it towards an interface or a host. In my case, I'm using it with the '-tee' switch, which results in the packet being copied but the original packet traverses through the router as normal and undisturbed by my new iptables rules.
    • /usr/sbin/iptables -t mangle -I PREROUTING -i eth0 -j ROUTE --gw 192.168.5.220 --tee
    • /usr/sbin/iptables -t mangle -I POSTROUTING -j ROUTE --gw 192.168.5.220 --tee -d ! 192.168.5.0/24
         where 192.168.5.0/24 network is the internal network and 192.168.5.220 is the netbook.
  • I created a test rule such that all icmp traffic resulted in a snort alert -
    • alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg: ICMP Testing; sid: 4000001; rev: 1;)
          to ensure things traffic was both flowing and being redirected as expected.
  • I then ran some simple ICMP traffic as well as performing some (HTTP) web browsing, as can be seen by the Sguil screenshots (from the Security Onion installation) below - 

Web-browsing


Successful ICMP Alerts

ICMP Testing alerts seen in the "Real-Time Events" section of Sguil


and below in the detailed packet data, we see the ICMP traffic from my client to the default gateway


No comments:

Post a Comment