User:Mhavela: Difference between revisions
(Notes on how to monitor a computer using snort and bridged nics)
(Adding notes on how to test HSDPA modem (still just testing))
Revision as of 12:16, 11 September 2008
Monitor traffic using Snort and bridged NICs
Prepare
Hardware
Hardware used in this example:
- Computer with 1 NIC
- Switch that handles VLANs
- A computer to be analyzed
Setup analyzer/snort box
Set up the standard settings, but skip the NIC settings:
    setup-alpine
Set up and start webconf:
    setup-webconf
Install the needed packages:
    apk_add bridge-utils
    apk_add acf-snort
Because we will use VLANs in this example, we need to load VLAN support:
    modprobe 8021q
Switch setup
We need to configure VLANs on the switch ports:
- Port X = Untagged=vlan1
- Port Y = Untagged=vlan1, Tagged=vlan2
- Port Z = Untagged=vlan2
Attach the equipment to each port:
- Port X = Gateway for the 'infected' box
- Port Y = Analyzer/Snort box
- Port Z = The 'infected' box
Configure
Configure the bridge. /etc/conf.d/bridge would look like this:
    BRIDGES="br0=eth0+eth0.2"
Add VLAN 2 to the NIC:
    vconfig add eth0 2
In our case we have DHCP running on the system, so we configure br0 to get a lease (edit the /etc/network/interfaces file):
    auto br0
    iface br0 inet dhcp
Start the bridge:
    /etc/init.d/bridge start
Bring up the bridge:
    ifup br0
Start snort:
    /etc/init.d/snort start
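As an added example, not code from the original page or from Alpine: a POSIX shell script that derives the VLAN and bridge commands from a BRIDGES= line in the /etc/conf.d/bridge format shown above and then checks in /sys that every member really got attached to its bridge. It generalizes the page's single br0=eth0+eth0.2 case to several bridges and VLAN members; the file name bridge-plan.sh and the assumption that /etc/init.d/bridge boils down to brctl addbr/addif are mine.

```shell
#!/bin/sh
# Added example, not part of the original wiki page.
# plan_bridge "br0=eth0+eth0.2 br1=eth1.10+eth1.20" prints, one per line and
# in order, the commands needed to build the monitoring bridge(s): load
# 802.1q, create each VLAN sub-interface (parent.vid) on its parent, then
# create the bridge and enslave its members.  Assumption: brctl addbr/addif
# is what /etc/init.d/bridge does with the BRIDGES= line.
plan_bridge() {
    echo "modprobe 8021q"
    for spec in $1; do
        br=${spec%%=*}
        members=$(echo "${spec#*=}" | tr '+' ' ')
        for m in $members; do
            case $m in
                *.*) echo "vconfig add ${m%.*} ${m##*.}" ;;   # eth0.2 -> eth0, VLAN 2
            esac
        done
        echo "brctl addbr $br"
        for m in $members; do
            echo "brctl addif $br $m"
        done
    done
}

# verify_bridge br0 eth0 eth0.2 -> 0 only if every member appears under
# /sys/class/net/<bridge>/brif, i.e. the kernel really bridges it.
verify_bridge() {
    br=$1; shift
    for m in "$@"; do
        if [ ! -e "/sys/class/net/$br/brif/$m" ]; then
            echo "$m is not attached to $br" >&2
            return 1
        fi
    done
    return 0
}

# Usage: BRIDGES="br0=eth0+eth0.2" ./bridge-plan.sh plan   (print only)
#        BRIDGES="br0=eth0+eth0.2" ./bridge-plan.sh apply  (run, then verify)
case "$1" in
    plan|apply)
        plan_bridge "$BRIDGES" | while read -r cmd; do
            if [ "$1" = apply ]; then $cmd || exit 1; else echo "$cmd"; fi
        done || exit 1
        if [ "$1" = apply ]; then
            for spec in $BRIDGES; do
                verify_bridge "${spec%%=*}" $(echo "${spec#*=}" | tr '+' ' ') || exit 1
            done
        fi ;;
esac
```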
Use 'Huawei E220' HSDPA modem with Alpine
Note: Don't plug in the modem yet.
These notes are based on the Gentoo wiki (http://gentoo-wiki.com/HARDWARE_HUAWEI_E220_HSDPA_USB_MODEM).
To make this work you will need 'libusb-dev', so you need Alpine 1.7.21 (or later).
Initial checks
Some preparations before starting: save the USB, kernel log and /dev state so they can be compared once the modem is plugged in.
    apk_add usbutils
    lsusb -v > /root/lsusb.org
    dmesg > /root/dmesg.org
    ls -1 /dev > /root/ls.dev.org
Note: This step might not be needed in the future (it's here while trying to figure out how this thing works).
Let's check how the kernel is configured:
    modprobe configs
    zcat /proc/config.gz | grep "CONFIG_USB_SERIAL_GENERIC="
    zcat /proc/config.gz | grep "CONFIG_USB_SERIAL_OPTION="
    zcat /proc/config.gz | grep "CONFIG_PPP="
    zcat /proc/config.gz | grep "CONFIG_PPP_ASYNC="
As I understand it, all the above checks should result in '=m' values.
If not, the kernel should be recompiled.
The Gentoo wiki (http://gentoo-wiki.com/HARDWARE_HUAWEI_E220_HSDPA_USB_MODEM#Kernel) says: "The USB Generic Serial Driver should be disabled altogether."
Maybe CONFIG_USB_SERIAL_GENERIC should be '=y' (but I'm not sure about that).
Configure modem
Now let's plug in the modem and do some checks:
    lsusb -v > /root/lsusb.new
    diff /root/lsusb.org /root/lsusb.new > /root/lsusb.diff
    grep id /root/lsusb.diff
The grep shows the modem's idVendor and idProduct values; these are the vendor and product parameters passed to modprobe below.
    apk_add libusb-dev
    modprobe usbserial vendor=0x12d1 product=0x1003
    ls -1 /dev > /root/ls.dev.new
    diff /root/ls.dev.org /root/ls.dev.new | grep '^+'
Note: At this moment I don't know how to make the above 'modprobe' action happen automatically at the next reboot.
Configure software
Install the programs:
    apk_add ppp
    mkdir -p /etc/ppp/peers
Create config files
/etc/ppp/peers/E220
    /dev/ttyUSB0
    460800
    crtscts
    modem
    noauth
    usepeerdns
    defaultroute
    noipdefault
    debug
    noccp
    nobsdcomp
    novj
    user "irrelevant"
    password "irrelevant"
    connect '/usr/sbin/chat -f /etc/ppp/chat-E220-pin || /usr/sbin/chat -f /etc/ppp/chat-E220-nopin'
/etc/ppp/chat-E220-pin
    ABORT BUSY
    ABORT ERROR
    ABORT 'NO CARRIER'
    REPORT CONNECT
    TIMEOUT 10
    "" "ATZ"
    OK "AT+CPIN=pin"
    OK AT+CGDCONT=1,"ip","internet"
    OK "ATE1V1&D2&C1S0=0+IFC=2,2"
    OK "AT+IPR=115200"
    OK "ATE1"
    TIMEOUT 60
    "" "ATD*99***1#"
    CONNECT \c
/etc/ppp/chat-E220-nopin
    ABORT BUSY
    ABORT ERROR
    ABORT 'NO CARRIER'
    REPORT CONNECT
    TIMEOUT 10
    "" "ATZ"
    OK AT+CGDCONT=1,"ip","internet"
    OK "ATE1V1&D2&C1S0=0+IFC=2,2"
    OK "AT+IPR=115200"
    OK "ATE1"
    TIMEOUT 60
    "" "ATD*99***1#"
    CONNECT \c
Note: The word 'pin' in chat-E220-pin above is the PIN of your SIM card (typically a four-digit code).
Note: The word 'internet' in the chat scripts above is the Access Point Name (APN) of the service you use (for instance mine is "web.omnitel.it"). If you don't know the Internet APN, ask your service provider.
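As an added example that serves both the lsusb and /dev comparisons under 'Configure modem' and the chat scripts above (it is not code from the original page): a POSIX shell script that finds the new vendor:product ID between two lsusb captures, turns it into the modprobe usbserial line, lists the ttyUSB nodes that appeared in /dev, and checks that chat-E220-pin, which holds the SIM PIN in clear text, is not readable by group or others. The lsusb and ls listings are constructed samples, and plain lsusb output (not lsusb -v as on the page) is assumed.

```shell
#!/bin/sh
# Added example, not from the original wiki page.  The listings below are
# constructed: the root hub before plugging in, plus the E220 (12d1:1003, the
# ID used on the page) after; real runs would capture `lsusb` and `ls -1 /dev`.
LSUSB_BEFORE='Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub'
LSUSB_AFTER="$LSUSB_BEFORE
Bus 001 Device 003: ID 12d1:1003 Huawei Technologies Co., Ltd. E220 HSDPA Modem"
DEV_BEFORE='null
ttyS0'
DEV_AFTER="$DEV_BEFORE
ttyUSB0
ttyUSB1"

# new_usb_ids OLD NEW -> vendor:product pairs that appear only in NEW
new_usb_ids() {
    old=$1
    printf '%s\n' "$2" | sed -n 's/.* ID \([0-9a-f]\{4\}:[0-9a-f]\{4\}\).*/\1/p' |
    while read -r id; do
        printf '%s\n' "$old" | grep -q "ID $id" || echo "$id"
    done
}

# usbserial_cmd 12d1:1003 -> the modprobe line the page uses for that ID
usbserial_cmd() {
    echo "modprobe usbserial vendor=0x${1%%:*} product=0x${1##*:}"
}

# new_tty_nodes OLD NEW -> ttyUSB* device nodes that appeared in /dev
new_tty_nodes() {
    old=$1
    printf '%s\n' "$2" | grep '^ttyUSB' | while read -r node; do
        printf '%s\n' "$old" | grep -qx "$node" || echo "/dev/$node"
    done
}

# secret_file_ok FILE -> 0 when FILE exists and group/other have no permission
# bits (ls -l shows "------" after the owner bits); chat-E220-pin holds the
# SIM PIN in clear text, so it should pass this check.
secret_file_ok() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Stand-alone run over the constructed data:
for id in $(new_usb_ids "$LSUSB_BEFORE" "$LSUSB_AFTER"); do usbserial_cmd "$id"; done
new_tty_nodes "$DEV_BEFORE" "$DEV_AFTER"
secret_file_ok /etc/ppp/chat-E220-pin || echo "chat-E220-pin missing or readable by group/others" >&2
```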
Test connection
Start the connection:
    pon E220
Stop the connection:
    poff E220