User:Mhavela

From Alpine Linux
Revision as of 15:14, 8 September 2008 by Mhavela (talk | contribs) (Notes on howto monitor a computer using snort and bridged nics)

Monitor traffic using Snort and bridged nics

Prepare

Hardware

Hardware used in this example:

  • Computer with 1 NIC (the analyzer/Snort box)
  • Switch that supports VLANs
  • A computer to be analyzed (the 'infected' box)

Setup analyzer/snort box

Set up the standard settings, but skip the NIC settings:

 setup-alpine

Set up and start webconf:

 setup-webconf

Install the needed packages:

 apk_add bridge-utils
 apk_add acf-snort

Because we use VLANs in this example, we need to load the 802.1Q VLAN kernel module:

 modprobe 8021q

Switch setup

Configure the VLANs on the switch ports:

  • Port X = Untagged=vlan1
  • Port Y = Untagged=vlan1, Tagged=vlan2
  • Port Z = Untagged=vlan2

Attach the equipment to each port:

  • Port X = Gateway for the 'infected' box
  • Port Y = Analyzer/Snort box
  • Port Z = The 'infected' box

Configure

Configure the bridge. br0 joins eth0 (untagged VLAN 1, the gateway side) and eth0.2 (tagged VLAN 2, the 'infected' box side), so every frame between the 'infected' box and its gateway crosses the bridge where Snort can inspect it. /etc/conf.d/bridge would look like this:

 BRIDGES="br0=eth0+eth0.2"

Add VLAN 2 to the NIC:

 vconfig add eth0 2

In our case DHCP is available, so we configure br0 to obtain a lease by editing /etc/network/interfaces:

 auto br0
 iface br0 inet dhcp

Start the bridge:

 /etc/init.d/bridge start

Bring up the bridge:

 ifup br0

Start Snort:

 /etc/init.d/snort start
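The following script is added here and is not part of the original wiki page. It derives the vconfig and bridge commands from the BRIDGES= value used above and checks the one property this monitoring design depends on: the parent NIC of every VLAN sub-interface must itself be a member of the same bridge, otherwise the 'infected' box on VLAN 2 has no path to its gateway on VLAN 1 and Snort sees nothing. It assumes the bridge init script realises the configuration with brctl from bridge-utils (an assumption; the page only shows the config file) and it changes nothing on the system, the commands are only printed.

```shell
#!/bin/sh
# Added example, not from the Alpine wiki page. Plans and validates a
# BRIDGES="br0=eth0+eth0.2" style entry from /etc/conf.d/bridge.

# Print, one per line, the commands that would realise the bridge spec.
# VLAN sub-interfaces ("eth0.2") get a "vconfig add <parent> <vid>" first.
# Nothing is executed; pipe the output to sh only after reviewing it.
plan_bridge() {
    spec="$1"
    br="${spec%%=*}"                      # "br0"
    members="$(printf '%s' "${spec#*=}" | tr '+' ' ')"   # "eth0 eth0.2"
    for m in $members; do
        case "$m" in
            *.*)
                parent="${m%.*}"          # "eth0"
                vid="${m##*.}"            # "2"
                printf 'vconfig add %s %s\n' "$parent" "$vid"
                ;;
        esac
    done
    printf 'brctl addbr %s\n' "$br"       # brctl: assumed bridge-utils tool
    for m in $members; do
        printf 'brctl addif %s %s\n' "$br" "$m"
    done
}

# Return 0 when every VLAN sub-interface has its parent NIC in the bridge,
# 1 otherwise. With a single physical NIC this is what makes the analyzer
# forward between the gateway VLAN and the 'infected' box VLAN.
check_bridge() {
    spec="$1"
    members="$(printf '%s' "${spec#*=}" | tr '+' ' ')"
    for m in $members; do
        case "$m" in
            *.*)
                parent="${m%.*}"
                found=0
                for n in $members; do
                    if [ "$n" = "$parent" ]; then found=1; fi
                done
                if [ "$found" -ne 1 ]; then
                    echo "check_bridge: $m has no parent $parent in the bridge" >&2
                    return 1
                fi
                ;;
        esac
    done
    return 0
}

# Usage with the constructed spec matching the page's /etc/conf.d/bridge.
spec='br0=eth0+eth0.2'
check_bridge "$spec" && plan_bridge "$spec"
```

Run it as-is to see the planned commands for the page's configuration; feed it a spec such as br0=eth1+eth0.2 and check_bridge refuses it, which is the misconfiguration that silently breaks the monitoring path.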