Cybex, posted June 3, 2013 (edited June 3, 2013 by Cybex)

I was wondering if anyone knows how to build and configure a Linux system to sit inline on a SOHO network, to allow for PCAP archiving and security monitoring (IDS, AV, etc.). I have an extra PC lying around (3GB RAM, 1TB hard drive, 4 GigE NICs) and I would like to place it behind my FIOS router to dump the traffic and perform security analysis activities against it. I would prefer the system be invisible on the network (no IP address) and do it without the system being set up as the network gateway. I want to use the PC: no span ports/port mirrors and no network taps, hubs, etc. I found the following on The Shmoo Group, but there was no other information and I am trying to accomplish it with Linux, not BSD.

"FreeBSD can do very simple bridging without even assigning an IP to the interfaces you are bridging. Of course you'll have to run a sniffer like snort to make the sensor element complete. If you are using 3 interfaces (2 for the bridging and actual sniffing and 1 for sensor data output) you'd of course have to assign an IP to the 3rd interface (which would sit wisely on a separate IDS network). And with all the wonderful stealth IP kernel options it will be no trouble hiding the box."

Thanks,
Cy
digip, posted June 3, 2013

Put something like m0n0wall or one of the other firewall/IDS distros on the box (or just use things like Snort and iptables), install two NICs, make it sit between the modem and the home router, and it will act as a firewall, IDS, packet filter, Squid proxy, DNS filter; it can tcpdump traffic to logs and rotate them with cron jobs to save space every few days, etc. I'm not the guy to give instructions on how to set it up, since I consider myself a Linux n00b, but I know the setups and tools, just not how to go about setting all of it up and scripting the jobs to do what you want. Pretty much any Linux distro could be turned into this. pfSense, I think, comes with an all-in-one type setup as well for the same easy home firewall/IDS with email alert monitoring. I've just never had to set one up or use one myself.
newbi3, posted June 3, 2013

A friend of mine built a home IPS using IPFire; he has it sitting between his router and modem. I personally haven't done it, but he has and is able to do everything that you are wanting to do. Hope this helps.
Cybex (author), posted June 4, 2013

Got it... I needed to create a transparent bridge.

    # install the bridge tools and the sniffer
    apt-get install bridge-utils
    apt-get install tcpdump

    # create the bridge and enslave both sniffing interfaces to it
    brctl addbr br01
    brctl addif br01 eth0
    brctl addif br01 eth1

    # bring the bridge up; the port interfaces must be up too or nothing is forwarded
    # (no IP address is assigned anywhere)
    ifconfig eth0 up
    ifconfig eth1 up
    ifconfig br01 up
    brctl show

    # capture everything crossing the bridge
    tcpdump -i br01 -w dumpfile.pcap

Thanks for the input, but both suggestions missed this point about not wanting the solution to have an IP address. Both recommendations are firewall/router solutions and both are visible on the network.

Thanks,
Cy
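The same transparent bridge built with iproute2 instead of the older bridge-utils, as an added example that is not part of the original thread. Two things the brctl recipe above does not cover are worth handling explicitly: a Linux interface that is brought up normally gets an IPv6 link-local address and starts sending neighbour discovery and MLD traffic, so the "no IP address" box is not actually silent unless IPv6 is disabled on the bridge and on both ports before they come up; and the bridge should have STP off so it does not announce itself with BPDUs. The interface names br0/eth0/eth1, the capture directory /var/pcap and the tcpdump user are assumptions; the script prints its plan unless BRIDGE_APPLY=1 is set, and applying it requires root.

```shell
#!/bin/sh
# Added example (not from the original post): IP-less inline sniffing bridge.
# Assumed names: br0 (bridge), eth0 (toward the router), eth1 (toward the LAN),
# /var/pcap (capture directory), tcpdump (unprivileged user for -Z).
# Usage:  sh bridge.sh                 prints the plan only
#         BRIDGE_APPLY=1 sh bridge.sh  builds the bridge and starts capturing (root)
set -eu

BR="${BR:-br0}"
IN="${IN:-eth0}"
OUT="${OUT:-eth1}"
CAPDIR="${CAPDIR:-/var/pcap}"

# Emit the commands that build the bridge, one per line.  Nothing here assigns
# an address: the bridge forwards at layer 2 and never answers ARP, DHCP or
# ping because it has no IP to answer from.  IPv6 is disabled on all three
# devices BEFORE they are brought up, so no link-local address or ND/MLD
# traffic ever appears; stp_state 0 keeps the bridge from sending BPDUs.
bridge_plan() {
    br=$1; a=$2; b=$3
    cat <<EOF
ip link add name $br type bridge stp_state 0
ip link set dev $a master $br
ip link set dev $b master $br
sysctl -q -w net.ipv6.conf.$br.disable_ipv6=1
sysctl -q -w net.ipv6.conf.$a.disable_ipv6=1
sysctl -q -w net.ipv6.conf.$b.disable_ipv6=1
ip link set dev $a promisc on up
ip link set dev $b promisc on up
ip link set dev $br promisc on up
ethtool -K $a gro off
ethtool -K $b gro off
EOF
}

# Run each line of the plan, stopping at the first failure.
apply_plan() {
    bridge_plan "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# Sanity check: refuse to proceed if a DHCP client, NetworkManager or an
# ifupdown stanza managed to put an address on the bridge after all.
no_ip_check() {
    if ip -o addr show dev "$1" | grep -q 'inet'; then
        echo "$1 has an IP address; it is not transparent" >&2
        return 1
    fi
}

# Capture command: full packets, a new file every hour (strftime in the name),
# privileges dropped to an unprivileged user once the interface is open.
capture_cmd() {
    echo "tcpdump -i $1 -nn -s 0 -G 3600 -w $2/cap-%Y%m%d-%H%M%S.pcap -Z tcpdump"
}

if [ "${BRIDGE_APPLY:-0}" = 1 ]; then
    apply_plan "$BR" "$IN" "$OUT"
    no_ip_check "$BR"
    mkdir -p "$CAPDIR"
    chown tcpdump "$CAPDIR"      # rotated files are opened after dropping privileges
    exec $(capture_cmd "$BR" "$CAPDIR")
else
    bridge_plan "$BR" "$IN" "$OUT"
    capture_cmd "$BR" "$CAPDIR"
fi
```

GRO is turned off on the ports so tcpdump sees the frames as they crossed the wire rather than kernel-coalesced super-packets; if a NIC rejects the ethtool change the apply step stops, and that line can be dropped for that card. Because the bridge has no address, the box is managed from the console or, as the Shmoo quote suggests, over a third NIC on a separate management network; make sure whatever manages interfaces on the distribution (NetworkManager, ifupdown, a DHCP client) is told to leave eth0, eth1 and br0 alone, or the no_ip_check above will fail.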