User:Mhavela

From Alpine Linux
Revision as of 07:35, 12 September 2008 by Mhavela (talk | contribs) (Moved notes on HSDPA to separate page)

Monitor traffic using Snort and bridged nics

Prepare

Hardware

Hardware used in this example:

  • Computer with 1 nic
  • Switch that handles vlan
  • A computer that would be analyzed

Setup analyzer/snort box

Sets up the standard settings, but skip the NIC settings (the network is configured by hand below):

setup-alpine

Sets up and starts webconf:

setup-webconf

Install the needed packages:

apk_add bridge-utils
apk_add acf-snort

Because we will use VLANs in this example, we need to load the 802.1Q VLAN kernel module:

modprobe 8021q

Switch setup

We need to configure VLANs on the switch ports:

  • Port X = Untagged=vlan1
  • Port Y = Untagged=vlan1, Tagged=vlan2
  • Port Z = Untagged=vlan2

Attach the equipment to each port:

  • Port X = Gateway for the 'infected' box
  • Port Y = Analyzer/Snort box
  • Port Z = The 'infected' box

Configure

Configure the bridge. /etc/conf.d/bridge would look like this:

BRIDGES="br0=eth0+eth0.2"

Add VLAN 2 to the NIC (this creates the eth0.2 interface used in the bridge definition above):

vconfig add eth0 2

In our case a DHCP server is running on the network, so we configure br0 to get a lease (edit the /etc/network/interfaces file):

auto br0
iface br0 inet dhcp

Start the bridge:

/etc/init.d/bridge start

Bring up the bridge:

ifup br0

Start snort:

/etc/init.d/snort start
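To tie the steps above together, here is an added helper script (not part of the original wiki page) that parses the BRIDGES= spec from /etc/conf.d/bridge, prints the vconfig commands that spec requires, and, when run on the sensor after ifup, checks that br0 really has both members. The spec string is a constructed sample; /sys/class/net/<br>/brif/ is the standard Linux bridge sysfs path and is not something the page mentions.

```sh
#!/bin/sh
# Added example, not from the original wiki page: parse a BRIDGES= spec in the
# /etc/conf.d/bridge format ("br0=eth0+eth0.2"), derive the vconfig commands its
# VLAN members need before "/etc/init.d/bridge start", and check afterwards that
# the kernel bridge really got those members. The spec is a constructed sample.
SAMPLE_BRIDGES="br0=eth0+eth0.2"

# bridge_name SPEC -> bridge interface name (the part before '=')
bridge_name() { printf '%s\n' "${1%%=*}"; }

# bridge_ports SPEC -> member interfaces, one per line (the '+'-separated part)
bridge_ports() {
    old_ifs=$IFS; IFS='+'
    set -- ${1#*=}
    IFS=$old_ifs
    printf '%s\n' "$@"
}

# vlan_commands SPEC -> one "vconfig add <nic> <id>" per member written as
# <nic>.<id>; plain NICs print nothing. Fails on a non-numeric or out-of-range
# 802.1Q id (1-4094) so a typo does not silently leave the bridge half built.
vlan_commands() {
    for port in $(bridge_ports "$1"); do
        case "$port" in
            *.*)
                nic=${port%.*}; vid=${port##*.}
                case "$vid" in ''|*[!0-9]*)
                    echo "bad VLAN id in $port" >&2; return 1 ;;
                esac
                if [ "$vid" -lt 1 ] || [ "$vid" -gt 4094 ]; then
                    echo "VLAN id out of range in $port" >&2; return 1
                fi
                printf 'vconfig add %s %s\n' "$nic" "$vid" ;;
        esac
    done
}

# verify_bridge SPEC -> after "ifup br0", succeed only if every member in SPEC is
# enslaved to the bridge; Linux lists members in /sys/class/net/<br>/brif/.
# A missing member means snort on br0 sees only one side of the conversation.
verify_bridge() {
    br=$(bridge_name "$1")
    for port in $(bridge_ports "$1"); do
        [ -e "/sys/class/net/$br/brif/$port" ] ||
            { echo "$port is not a member of $br" >&2; return 1; }
    done
}

vlan_commands "$SAMPLE_BRIDGES"   # prints: vconfig add eth0 2
```

Run `verify_bridge "$SAMPLE_BRIDGES"` on the sensor once br0 is up; a non-zero exit means one side of the mirrored traffic is not reaching snort.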