Skip to main content

SecurityOnion on a netbook with port mirroring on WRT54g

So firstly, this quick blog post is for Scott Runnels as he asked for it, I suppose that's what you get for saying you'll help out on an open source project :) All good!

I'd a spare Dell netbook (8gb disk, 2gb ram & 1.6gb Intel Atom CPU) lying around so I figured I'd see if I could try running Security Onion off it.
As you'll know by now (from posts here and on my HackEire blog) I think the Security Onion is fantastic and unsurprisingly, it runs well on my little netbook as you can see from the screenshot below, which was taken whilst the port mirroring was enabled and there were people browsing the net and watching content via Netflix. Bro seems to be heaviest on the system but with a run queue average (any time I've looked) around 1, I'm not concerned and I don't believe there's anything to worry about (I need to play with 'bro' as I've heard great things about it).


So the more interesting aspect was now that I had my netbook converted to a fully-fledged NSM (Network Security Monitoring) device, how could I get traffic routing through it. Spanning a port on a switch seemed like the easy way but if you've read my HackEire NSM blog post, I don't always go for the easy option. Therefore, I figured I'd have a go at performing port mirroring on a Linksys WRT54g wireless router running Tomato. I had a look around at possible ways (from the basic to the complex) but couldn't see how it could be done, maybe using the 'mangle' switch in iptables to redirect or something.

A bit of Google-Fu later and I found something on the PaulDotCom mailing list, which seemed promising  and I eventually came to here, which confirmed that it was possible with iptables but that I needed small modification. The poster 'SirMeowmix_III' does a fantastic job and takes credit for essentially solving my issue but to quickly summarise what I did -
  • I set up a 192.168.5.0/24 network where 192.168.5.217 was a client, 192.168.5.199 the default gateway and 192.168.5.220 was my netbook running Security Onion.
  • As per SirMeowmix_III's post, I modified iptables on the router. With the Tomato routing software, from version 1.24+, there is the ipt_ROUTE modification, which enables the -j ROUTE and --tee functionality. Run the following from the cli -
    • /sbin/modprobe ipt_ROUTE

  • As detailed in the Netfilter site (by Cédric de Launois), 'ROUTE' enables my router to receive the packet and route it towards an interface or a host. In my case, I'm using it with the '-tee' switch, which results in the packet being copied but the original packet traverses through the router as normal and undisturbed by my new iptables rules.
    • /usr/sbin/iptables -t mangle -I PREROUTING -i eth0 -j ROUTE --gw 192.168.5.220 --tee
    • /usr/sbin/iptables -t mangle -I POSTROUTING -j ROUTE --gw 192.168.5.220 --tee -d ! 192.168.5.0/24
         where 192.168.5.0/24 network is the internal network and 192.168.5.220 is the netbook.
  • I created a test rule such that all icmp traffic resulted in a snort alert -
    • alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg: ICMP Testing; sid: 4000001; rev: 1;)
          to ensure things traffic was both flowing and being redirected as expected.
  • I then ran some simple ICMP traffic as well as performing some (HTTP) web browsing, as can be seen by the Sguil screenshots (from the Security Onion installation) below - 

Web-browsing


Successful ICMP Alerts

ICMP Testing alerts seen in the "Real-Time Events" section of Sguil


and below in the detailed packet data, we see the ICMP traffic from my client to the default gateway


Comments

Popular posts from this blog

Being a Support Engineer @ 10gen - Part 1

There's a mis-conception around the role of a "Support Engineer".  As a clue, it's not what Urban Dictionary   says   - A person whose job is to answer calls from customers of a small- to large-sized company...... They are teathered to a their desk all day via phone headset........ phone jockeys usually hate their jobs.......they are are paid well enough..........until they completely burn out, and hate everyone.   and doesn't always involve this - Image Source: http://half-bakedbaker.blogspot.ie/2009/11/cannoli-and-broken-computer.html As you can see  here , there's lots of open roles in  10gen  and more specifically with 10gen, in  Dublin . I thought I'd write this quick blog to explain what Support Engineers actually do and why I joined 10gen as a "Support Engineer". I could be wrong but didn't Google come up with term " Site Reliability Engineer " to do away with the stigma associated with being a...

LinkedIn Emails

Receiving mails via LinkedIn is an interesting experience. For example, how many folk actually personalise "contact requests" - from what I see, less than 1%. I typically try to because I think it shows some thought has gone into the request and it's friendly, but then "manners" on the Internet is a very different thing to the real world, right ;-) Anyway, to the point of the blog post. In early November (2012), whilst I was preparing my Security Onion presentation for IrissCon  (why did I bother when my MBP died on-stage), I received a very interesting and personal email via LinkedIn. The email came from a "Senior International Belief Instigator" (let's call him the SIBI - to save me typing) at Riot Games and the email was literally awesome, it hit many of the key points that you'd hope for in a recruiter email but it also had a wonderful tone. In my ignorance, I knew of League of Legends but not Riot (yes, I am embarrassed by that). I r...

WAF versus DPI Firewall

This is a question, I've frequently been asked in recent years and in the last month, o n one of the internal mailing lists, in my old company, the following question was posted – In simple terms, what tasks is a Web Application Firewall (WAF) able to do that a Deep Inspection Firewall can't and why ? by one of my colleagues. Many of you may be surprised (I know I was initially) but this question still comes up an awful lot. Having answered the email (as a warning, I went into a lot of detail and plugged the awesome Security Onion ), I was requested to write a technical blog on the subject, but as I left the company soon after, the blog was never published. Therefore, to save me answering the question again, I thought I’d publish it so I can just reference the link in future J