User:Mhavela: Difference between revisions
(→ACF) |
(Notes on hotwo monitor a computer using snort and bridged nics) |
||
| Line 1: | Line 1: | ||
= Monitor traffic using Snort and bridged nics = | |||
== Prepare == | |||
=== Hardware === | |||
Hardware used in this example: | |||
* Computer with 1 nic | |||
* Switch that handles vlan | |||
* A computer that would be analyzed | |||
=== Setup analyzer/snort box === | |||
Sets up standard settings - But '''''skip''''' nic-settings | |||
setup-alpine | |||
Sets up and start webconf | |||
setup-webconf | |||
Install needed packages | |||
apk_add bridge-utils | |||
apk_add acf-snort | |||
Because we will use vlan's in this example, we need to install vlan support | |||
modprobe 8021q | |||
=== Switch setup === | |||
We need to configure vlans on the ports | |||
* Port X = Untagged=vlan1 | |||
* Port Y = Untagged=vlan1, Tagged=vlan2 | |||
* Port Z = Untagged=vlan2 | |||
Attach equipment into each port | |||
* Port X = Gateway for the 'infected' box | |||
* Port Y = Analyzer/Snort box | |||
* Port Z = The 'infected' box | |||
== Configure == | |||
Configure bridge. /etc/conf.d/bridge would look like this: | |||
BRIDGES="br0=eth0+eth0.2" | |||
Add vlan2 to nic | |||
vconfig add eth0 2 | |||
In our case we have a dhcp running on the system, so we configure br0 to get a lease (edit /etc/network/interfaces file) | |||
auto br0 | |||
iface br0 inet dhcp | |||
Start bridge | |||
/etc/init.d/bridge start | |||
Bring up bridge | |||
ifup br0 | |||
Start snort | |||
/etc/init.d/snort start | |||
Revision as of 15:14, 8 September 2008
Monitor traffic using Snort and bridged nics
Prepare
Hardware
Hardware used in this example:
- Computer with 1 nic
- Switch that handles vlan
- A computer that would be analyzed
Setup analyzer/snort box
Sets up standard settings - But skip nic-settings
setup-alpine
Sets up and start webconf
setup-webconf
Install needed packages
apk_add bridge-utils apk_add acf-snort
Because we will use vlan's in this example, we need to install vlan support
modprobe 8021q
Switch setup
We need to configure vlans on the ports
- Port X = Untagged=vlan1
- Port Y = Untagged=vlan1, Tagged=vlan2
- Port Z = Untagged=vlan2
Attach equipment into each port
- Port X = Gateway for the 'infected' box
- Port Y = Analyzer/Snort box
- Port Z = The 'infected' box
Configure
Configure bridge. /etc/conf.d/bridge would look like this:
BRIDGES="br0=eth0+eth0.2"
Add vlan2 to nic
vconfig add eth0 2
In our case we have a dhcp running on the system, so we configure br0 to get a lease (edit /etc/network/interfaces file)
auto br0 iface br0 inet dhcp
Start bridge
/etc/init.d/bridge start
Bring up bridge
ifup br0
Start snort
/etc/init.d/snort start