Skip to main content

SecurityOnion on a netbook with port mirroring on WRT54g

So firstly, this quick blog post is for Scott Runnels as he asked for it, I suppose that's what you get for saying you'll help out on an open source project :) All good!

I'd a spare Dell netbook (8gb disk, 2gb ram & 1.6gb Intel Atom CPU) lying around so I figured I'd see if I could try running Security Onion off it.
As you'll know by now (from posts here and on my HackEire blog) I think the Security Onion is fantastic and unsurprisingly, it runs well on my little netbook as you can see from the screenshot below, which was taken whilst the port mirroring was enabled and there were people browsing the net and watching content via Netflix. Bro seems to be heaviest on the system but with a run queue average (any time I've looked) around 1, I'm not concerned and I don't believe there's anything to worry about (I need to play with 'bro' as I've heard great things about it).

So the more interesting aspect was now that I had my netbook converted to a fully-fledged NSM (Network Security Monitoring) device, how could I get traffic routing through it. Spanning a port on a switch seemed like the easy way but if you've read my HackEire NSM blog post, I don't always go for the easy option. Therefore, I figured I'd have a go at performing port mirroring on a Linksys WRT54g wireless router running Tomato. I had a look around at possible ways (from the basic to the complex) but couldn't see how it could be done, maybe using the 'mangle' switch in iptables to redirect or something.

A bit of Google-Fu later and I found something on the PaulDotCom mailing list, which seemed promising  and I eventually came to here, which confirmed that it was possible with iptables but that I needed small modification. The poster 'SirMeowmix_III' does a fantastic job and takes credit for essentially solving my issue but to quickly summarise what I did -
  • I set up a network where was a client, the default gateway and was my netbook running Security Onion.
  • As per SirMeowmix_III's post, I modified iptables on the router. With the Tomato routing software, from version 1.24+, there is the ipt_ROUTE modification, which enables the -j ROUTE and --tee functionality. Run the following from the cli -
    • /sbin/modprobe ipt_ROUTE

  • As detailed in the Netfilter site (by C├ędric de Launois), 'ROUTE' enables my router to receive the packet and route it towards an interface or a host. In my case, I'm using it with the '-tee' switch, which results in the packet being copied but the original packet traverses through the router as normal and undisturbed by my new iptables rules.
    • /usr/sbin/iptables -t mangle -I PREROUTING -i eth0 -j ROUTE --gw --tee
    • /usr/sbin/iptables -t mangle -I POSTROUTING -j ROUTE --gw --tee -d !
         where network is the internal network and is the netbook.
  • I created a test rule such that all icmp traffic resulted in a snort alert -
    • alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg: ICMP Testing; sid: 4000001; rev: 1;)
          to ensure things traffic was both flowing and being redirected as expected.
  • I then ran some simple ICMP traffic as well as performing some (HTTP) web browsing, as can be seen by the Sguil screenshots (from the Security Onion installation) below - 


Successful ICMP Alerts

ICMP Testing alerts seen in the "Real-Time Events" section of Sguil

and below in the detailed packet data, we see the ICMP traffic from my client to the default gateway


Popular posts from this blog

MongoDB Authori(s|z)ation

Introduction Having answered numerous questions on the new and old authori(s|z)ation within MongoDB, I thought I'd write a short blog post explaining how things work as there seems to be some confusion. What's New Prior to version 2.4 , there was a very basic sense of "Role Based Access Controls" (RBAC) within MongoDB as there were only two roles - read readWrite which is quite limited. For example, if the user has "readWrite", that user is essentially "root" and the user can add/remove users as well as inserting data into the database, i.e. there is no role segregation. Version 2.4 added in the following 3 core roles - userAdmin dbAdmin clusterAdmin with a notable extension such that there are now 4 roles that apply across all databases - readAnyDatabase readWriteAnyDatabase userAdminAnyDatabase dbAdminAnyDatabase This increased RBAC is a significant improvement from a security perspective in MongoDB. It is imp

Eurotash GSE

So I'd the pleasure of talking with Chris John Riley, from Eurotrash , on the night of Sunday, July 1st (yes, Chris isn't a football fan so I good-heartedly missed the half-time discussion of Spain's titi-taka brillance). Chris wanted to chat with me about my experience sitting the GIAC GSE exam and lab earlier this year. As always, I thoroughly enjoyed chatting with Chris and I hope it's not too painful listening to me on the podcast . I don't know much but what I would say is stay hydrated, eat as well as you can, prepare Source: properly and have fun!! There's a reason that the GSE has a low pass rate, so going in relaxed makes a huge difference. Enjoy the podcast and if you've any questions on the GSE, just shout :)

Being a Support Engineer @ 10gen - Part 1

There's a mis-conception around the role of a "Support Engineer".  As a clue, it's not what Urban Dictionary   says   - A person whose job is to answer calls from customers of a small- to large-sized company...... They are teathered to a their desk all day via phone headset........ phone jockeys usually hate their jobs.......they are are paid well enough..........until they completely burn out, and hate everyone.   and doesn't always involve this - Image Source: As you can see  here , there's lots of open roles in  10gen  and more specifically with 10gen, in  Dublin . I thought I'd write this quick blog to explain what Support Engineers actually do and why I joined 10gen as a "Support Engineer". I could be wrong but didn't Google come up with term " Site Reliability Engineer " to do away with the stigma associated with being a