Skip to main content

SecurityOnion on a netbook with port mirroring on WRT54g

So firstly, this quick blog post is for Scott Runnels as he asked for it, I suppose that's what you get for saying you'll help out on an open source project :) All good!

I'd a spare Dell netbook (8gb disk, 2gb ram & 1.6gb Intel Atom CPU) lying around so I figured I'd see if I could try running Security Onion off it.
As you'll know by now (from posts here and on my HackEire blog) I think the Security Onion is fantastic and unsurprisingly, it runs well on my little netbook as you can see from the screenshot below, which was taken whilst the port mirroring was enabled and there were people browsing the net and watching content via Netflix. Bro seems to be heaviest on the system but with a run queue average (any time I've looked) around 1, I'm not concerned and I don't believe there's anything to worry about (I need to play with 'bro' as I've heard great things about it).


So the more interesting aspect was now that I had my netbook converted to a fully-fledged NSM (Network Security Monitoring) device, how could I get traffic routing through it. Spanning a port on a switch seemed like the easy way but if you've read my HackEire NSM blog post, I don't always go for the easy option. Therefore, I figured I'd have a go at performing port mirroring on a Linksys WRT54g wireless router running Tomato. I had a look around at possible ways (from the basic to the complex) but couldn't see how it could be done, maybe using the 'mangle' switch in iptables to redirect or something.

A bit of Google-Fu later and I found something on the PaulDotCom mailing list, which seemed promising  and I eventually came to here, which confirmed that it was possible with iptables but that I needed small modification. The poster 'SirMeowmix_III' does a fantastic job and takes credit for essentially solving my issue but to quickly summarise what I did -
  • I set up a 192.168.5.0/24 network where 192.168.5.217 was a client, 192.168.5.199 the default gateway and 192.168.5.220 was my netbook running Security Onion.
  • As per SirMeowmix_III's post, I modified iptables on the router. With the Tomato routing software, from version 1.24+, there is the ipt_ROUTE modification, which enables the -j ROUTE and --tee functionality. Run the following from the cli -
    • /sbin/modprobe ipt_ROUTE

  • As detailed in the Netfilter site (by Cédric de Launois), 'ROUTE' enables my router to receive the packet and route it towards an interface or a host. In my case, I'm using it with the '-tee' switch, which results in the packet being copied but the original packet traverses through the router as normal and undisturbed by my new iptables rules.
    • /usr/sbin/iptables -t mangle -I PREROUTING -i eth0 -j ROUTE --gw 192.168.5.220 --tee
    • /usr/sbin/iptables -t mangle -I POSTROUTING -j ROUTE --gw 192.168.5.220 --tee -d ! 192.168.5.0/24
         where 192.168.5.0/24 network is the internal network and 192.168.5.220 is the netbook.
  • I created a test rule such that all icmp traffic resulted in a snort alert -
    • alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg: ICMP Testing; sid: 4000001; rev: 1;)
          to ensure things traffic was both flowing and being redirected as expected.
  • I then ran some simple ICMP traffic as well as performing some (HTTP) web browsing, as can be seen by the Sguil screenshots (from the Security Onion installation) below - 

Web-browsing


Successful ICMP Alerts

ICMP Testing alerts seen in the "Real-Time Events" section of Sguil


and below in the detailed packet data, we see the ICMP traffic from my client to the default gateway


Comments

Popular posts from this blog

MongoDB Authori(s|z)ation

Introduction Having answered numerous questions on the new and old authori(s|z)ation within MongoDB, I thought I'd write a short blog post explaining how things work as there seems to be some confusion. What's New Prior to version 2.4 , there was a very basic sense of "Role Based Access Controls" (RBAC) within MongoDB as there were only two roles - read readWrite which is quite limited. For example, if the user has "readWrite", that user is essentially "root" and the user can add/remove users as well as inserting data into the database, i.e. there is no role segregation. Version 2.4 added in the following 3 core roles - userAdmin dbAdmin clusterAdmin with a notable extension such that there are now 4 roles that apply across all databases - readAnyDatabase readWriteAnyDatabase userAdminAnyDatabase dbAdminAnyDatabase This increased RBAC is a significant improvement from a security perspective in MongoDB. It is imp

Being a Support Engineer @ 10gen - Part 1

There's a mis-conception around the role of a "Support Engineer".  As a clue, it's not what Urban Dictionary   says   - A person whose job is to answer calls from customers of a small- to large-sized company...... They are teathered to a their desk all day via phone headset........ phone jockeys usually hate their jobs.......they are are paid well enough..........until they completely burn out, and hate everyone.   and doesn't always involve this - Image Source: http://half-bakedbaker.blogspot.ie/2009/11/cannoli-and-broken-computer.html As you can see  here , there's lots of open roles in  10gen  and more specifically with 10gen, in  Dublin . I thought I'd write this quick blog to explain what Support Engineers actually do and why I joined 10gen as a "Support Engineer". I could be wrong but didn't Google come up with term " Site Reliability Engineer " to do away with the stigma associated with being a

Separate MongoDB Syslog by Facility

In my last post , I showed how you can set up MongoDB v2.2 to syslog its logs off to a remote syslog server. As my `tcpdump` snippets show, the syslog messages hit the syslog server tagged as "user.info", which means that they're assigned to the "user" facility with a severity level of "info". I've received a few questions regarding the possiblity of splitting out syslog messages by facility, however, as everything is currently sent to a "user.info" bucket, so-to-speak, this is not possibility. There is a current feature request for this capability and work will be done on this but if this is important for you, I'd strongly encourage you to vote for this feature. In the meantime, however, (whilst not ideal) you can still do some host filtering with rsyslog as outlined here .