
SecurityOnion on a netbook with port mirroring on WRT54g

So firstly, this quick blog post is for Scott Runnels, as he asked for it; I suppose that's what you get for saying you'll help out on an open source project :) All good!

I had a spare Dell netbook (8gb disk, 2gb ram & 1.6gb Intel Atom CPU) lying around, so I figured I'd see if I could run Security Onion off it.
As you'll know by now (from posts here and on my HackEire blog), I think Security Onion is fantastic, and unsurprisingly it runs well on my little netbook, as you can see from the screenshot below, which was taken while port mirroring was enabled and people were browsing the net and watching content via Netflix. Bro seems to be the heaviest process on the system, but with a run queue average of around 1 (any time I've looked) I'm not concerned and don't believe there's anything to worry about (I need to play with Bro, as I've heard great things about it).


So the more interesting question, now that I had my netbook converted into a fully-fledged NSM (Network Security Monitoring) device, was how to get traffic routed through it. Spanning a port on a switch seemed like the easy way, but if you've read my HackEire NSM blog post you'll know I don't always go for the easy option. So I decided to have a go at port mirroring on a Linksys WRT54g wireless router running Tomato. I had a look around at possible approaches (from the basic to the complex) but couldn't see how it could be done, other than perhaps using the 'mangle' table in iptables to redirect traffic or something similar.

A bit of Google-Fu later, I found something on the PaulDotCom mailing list which seemed promising, and I eventually came to here, which confirmed that it was possible with iptables but that I needed a small modification. The poster 'SirMeowmix_III' does a fantastic job and takes credit for essentially solving my issue, but to quickly summarise what I did -
  • I set up a 192.168.5.0/24 network where 192.168.5.217 was a client, 192.168.5.199 the default gateway and 192.168.5.220 was my netbook running Security Onion.
  • As per SirMeowmix_III's post, I modified iptables on the router. With the Tomato routing software, from version 1.24+, there is the ipt_ROUTE modification, which enables the -j ROUTE target and its --tee functionality. Run the following from the CLI -
    • /sbin/modprobe ipt_ROUTE

  • As detailed on the Netfilter site (by Cédric de Launois), 'ROUTE' enables my router to receive the packet and route it towards an interface or a host. In my case, I'm using it with the '--tee' switch, which results in the packet being copied while the original packet traverses the router as normal, undisturbed by my new iptables rules.
    • /usr/sbin/iptables -t mangle -I PREROUTING -i eth0 -j ROUTE --gw 192.168.5.220 --tee
    • /usr/sbin/iptables -t mangle -I POSTROUTING -j ROUTE --gw 192.168.5.220 --tee -d ! 192.168.5.0/24
         where 192.168.5.0/24 is the internal network and 192.168.5.220 is the netbook.
  • I created a test rule such that all icmp traffic resulted in a snort alert -
    • alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Testing"; sid:4000001; rev:1;)
          to ensure traffic was both flowing and being redirected as expected.
  • I then generated some simple ICMP traffic and did some (HTTP) web browsing, as can be seen in the Sguil screenshots (from the Security Onion installation) below -

Web-browsing


Successful ICMP Alerts

ICMP Testing alerts seen in the "Real-Time Events" section of Sguil


and below in the detailed packet data, we see the ICMP traffic from my client to the default gateway
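Before trusting what the sensor shows, it is worth checking which flows the two mangle rules above actually copy and which get copied twice. The model below is an added example, not code from the post or from Tomato/ipt_ROUTE; it assumes the router presents LAN-side ingress as eth0 and the WAN side as vlan1 (rename to match your own interfaces), and walks the sample flows from the post's own test (the ping to the gateway, an outbound HTTP request and its reply) through PREROUTING and POSTROUTING. Under that assumption the outbound request is teed twice and the inbound reply not at all, which is the first thing to confirm in Sguil against your router's real interface layout.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.5.0/24")  # internal network from the post
SENSOR = "192.168.5.220"            # netbook running Security Onion

# The two mangle rules from the post, as data. Assumption: the router shows
# LAN-side ingress to netfilter as "eth0" and the WAN side as "vlan1";
# rename these to match the interfaces your own Tomato build reports.
RULES = [
    {"hook": "PREROUTING",  "in_iface": "eth0", "dst_not_in": None},
    {"hook": "POSTROUTING", "in_iface": None,   "dst_not_in": LAN},
]

def hooks_traversed(pkt):
    """Hooks a packet hits: received packets pass PREROUTING; forwarded or
    router-generated packets pass POSTROUTING. A packet delivered to the
    router itself (the ping to the gateway) never reaches POSTROUTING."""
    hooks = []
    if pkt["in_iface"] is not None:
        hooks.append("PREROUTING")
    if pkt["out_iface"] is not None:
        hooks.append("POSTROUTING")
    return hooks

def rule_matches(rule, pkt):
    """Evaluate the -i <iface> and -d ! <net> matches of one rule."""
    if rule["in_iface"] is not None and pkt["in_iface"] != rule["in_iface"]:
        return False
    if rule["dst_not_in"] is not None and ip_address(pkt["dst"]) in rule["dst_not_in"]:
        return False
    return True

def tee_copies(pkt, rules=RULES):
    """Copies of pkt that ROUTE --tee sends to the sensor: 0 is a blind spot,
    2 means Sguil/Bro see the same packet twice and their counts inflate."""
    hooks = hooks_traversed(pkt)
    return sum(1 for r in rules if r["hook"] in hooks and rule_matches(r, pkt))

# Constructed flows matching the post's test: the ICMP ping to the gateway, an
# outbound HTTP request and its reply (203.0.113.10 is a documentation address).
SAMPLE_FLOWS = {
    "icmp client->gateway":  {"in_iface": "eth0",  "out_iface": None,    "dst": "192.168.5.199"},
    "http client->internet": {"in_iface": "eth0",  "out_iface": "vlan1", "dst": "203.0.113.10"},
    "http internet->client": {"in_iface": "vlan1", "out_iface": "eth0",  "dst": "192.168.5.217"},
}

def coverage(flows=SAMPLE_FLOWS):
    """Map each flow name to the number of copies the sensor receives."""
    return {name: tee_copies(pkt) for name, pkt in flows.items()}
```

Run `coverage()` after editing the interface names to match your router; any flow reporting 0 is traffic the netbook will never see, and any reporting 2 will show up doubled in Sguil.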

