Jump to content

Invisible Network Monitoring Sensor


Cybex
 Share

Recommended Posts

I was wondering if anyone knows how to build and configure a Linux system to sit inline on a SOHO network, to allow for PCAP archiving and security monitoring (ISD, AV, ETC...). I have an extra PC laying around (3GB RAM, 1TB Hard Drive, 4 GigE NIC's) and I would like to place it behind my FIOS router to dump the traffic and perform security analysis activities against it. I would prefer the system be invisible on the network (no ip address) and do it without the system being set up as the network gateway. I want to use the PC, no span ports/port mirrors and no network taps, hubs, etc...

I found the following on The Shmoo Group, but there was no other information and I am trying to accomplish it with Linux not BSD.

"FreeBSD can do very simple bridging without even assigning an IP to the interfaces you are bridging. Of course you'll have to run a sniffer like snort to make the sensor element complete. If you are using 3 interfaces (2 for the bridging and actual sniffing and 1 for sensor data output) you'd of course had to assign an IP to the 3rd interface (which would sit wisely on a separate IDS network). And with all the wonderful stealth IP kernel options it will be no trouble hiding the box."

Thanks,

Cy

Edited by Cybex
Link to comment
Share on other sites

Put something like monowall or one of the other firewall/IDS distros on the box(or can just use things like Snort and IPTables), install two nics, make it sit between the modem and the home router, and it will act as a firewall, IDS, packet filtering, squid proxy, DNS filter, can tcpdump traffic to logs and rotate them with cron jobs to save space every few days, etc. I'm not the guy to give instructions on how to set it up, since I consider myself a linux n00b, but I know the setups and tools, just not how to go about setting all of it up and scripting the jobs to do what you want, but pretty much any linux distro could be turned into this. pfsense I think comes with an all in one type setup as well for same easy home firewall/ids with email alert monitoring. I've just never had to set one up or use one myself.

Link to comment
Share on other sites

A friend of mine built a home IPS using ipfire, He has it sitting between his router and modem I personally haven't done it but he has and is able to do everything that you are wanting to do. Hope this helps.

Link to comment
Share on other sites

Got it... I needed to create a transparent bridge.

apt-get install bridge-utils

apt-get install tcpdump

brctl addbr br01
brctl addif br01 eth0
brctl addif br01 eth1
ifconfig br01 up
brctl show

tcpdump -i br01 -w dumpfile.pcap

Thanks for the input but both suggestions missed this point about not wanting the solution to have an IP address. Both recommendations are firewall/router solutions and both are visible on the network.

Thanks,

Cy

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...