|
|
| (18 intermediate revisions by the same user not shown) |
| Line 1: |
Line 1: |
| = Monitor traffic using Snort and bridged nics = | | = Work in progress docs = |
| == Prepare ==
| | * Nothing at the moment |
| === Hardware ===
| |
| Hardware used in this example:
| |
| * Computer with 1 nic
| |
| * Switch that handles vlan
| |
| * A computer that would be analyzed
| |
| === Setup analyzer/snort box === | |
| Sets up standard settings - But '''''skip''''' nic-settings
| |
| setup-alpine
| |
| Sets up and start webconf
| |
| setup-webconf
| |
| Install needed packages
| |
| apk_add bridge-utils
| |
| apk_add acf-snort
| |
| Because we will use vlan's in this example, we need to install vlan support
| |
| modprobe 8021q
| |
| | |
| === Switch setup ===
| |
| We need to configure vlans on the ports
| |
| * Port X = Untagged=vlan1
| |
| * Port Y = Untagged=vlan1, Tagged=vlan2
| |
| * Port Z = Untagged=vlan2
| |
| Attach equipment into each port
| |
| * Port X = Gateway for the 'infected' box
| |
| * Port Y = Analyzer/Snort box
| |
| * Port Z = The 'infected' box | |
| | |
| == Configure ==
| |
| Configure bridge. /etc/conf.d/bridge would look like this:
| |
| BRIDGES="br0=eth0+eth0.2"
| |
| Add vlan2 to nic
| |
| vconfig add eth0 2
| |
| In our case we have a dhcp running on the system, so we configure br0 to get a lease (edit /etc/network/interfaces file)
| |
| auto br0
| |
| iface br0 inet dhcp
| |
| Start bridge
| |
| /etc/init.d/bridge start
| |
| Bring up bridge
| |
| ifup br0
| |
| Start snort
| |
| /etc/init.d/snort start
| |