Security Onion
Security Onion is a free and open-source Linux distribution designed for intrusion detection, network security monitoring, and log management. It provides a suite of tools for analyzing network traffic, including Snort and Suricata for intrusion detection, Zeek (formerly Bro) for network analysis, and Elasticsearch and Kibana for log management and visualization.
Security Onion is easy to install and can be deployed on Proxmox. It offers a centralized platform for monitoring and managing security events on a network, making it useful for security professionals and beginners alike who want to monitor and analyze their network traffic for potential security threats.
What is Promiscuous Mode?
Promiscuous mode is a feature in computer networking that allows a network interface controller (NIC) to capture and analyze all network traffic that it receives, even if it was not intended for that NIC.
In other words, when a network card is in promiscuous mode, it listens to all traffic on the network segment it is connected to, rather than just the traffic addressed to its own MAC address. This allows it to capture and analyze data that would otherwise be ignored.
Promiscuous mode is commonly used for network troubleshooting, network security, and network monitoring purposes. It can help diagnose network problems by allowing administrators to see all the traffic on the network. It can also be used for security purposes, such as detecting network attacks or unauthorized access attempts. Lastly, it can be used for monitoring purposes, such as tracking network usage or analyzing network performance.
Open vSwitch
What is Open vSwitch (OVS)?
Open vSwitch (OVS) is a virtual switch that is used in virtualized server environments to connect virtual machines (VMs) to the physical network. It allows for flexible and efficient network configuration and management, with features such as VLAN tagging, network bonding, and load balancing.
You need to install Open vSwitch and net-tools.
Before installing, make sure your apt repositories are configured (on Proxmox the enterprise repository requires a subscription, so use the no-subscription repository if you do not have one).
Installing the required software:
apt update
apt install openvswitch-switch net-tools
reboot
How to find the tap for port mirroring
- First create a VM with two network interfaces, one for management and one for mirroring.
- Run this command; it shows all the bridges and tap interfaces:
ip -bri a
First check whether the LAN interface (eth1) is actually seeing traffic:
tcpdump -i eth1
If everything is fine you will see lots of packets.
Then tcpdump the tap interface:
tcpdump -i tap101i1
Proxmox names tap interfaces tap<vmid>i<n>: 101 is the VM ID, i0 is the VM's first interface (your LAN/management interface) and i1 is the second one (your mirror interface), so tap101i1 is the mirror tap.
Key points: vmbr10 is the name of the OVS bridge, and tap101i1 is the VM's tap port on that bridge that receives the mirrored traffic.
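The following is an added example, not part of the original page: a small POSIX shell helper that parses `ip -br link` output, lists the tap ports that belong to a given VM ID, and checks that the mirror tap tap<vmid>i1 is present, has carrier and is in promiscuous mode (the state described in the promiscuous-mode section above; a port attached to an OVS bridge is normally put into promiscuous mode by the switch). VM ID 101, the interface names and the sample `ip -br link` output are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original page: find a VM's tap ports in
# `ip -br link` output and check that its mirror tap is up and promiscuous.
# VM ID 101, the interface names and the sample output below are constructed.

SAMPLE_IP_BR_LINK='lo               UNKNOWN        00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP>
eth0             UP             52:54:00:aa:bb:01 <BROADCAST,MULTICAST,UP,LOWER_UP>
eth1             UP             52:54:00:aa:bb:02 <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP>
vmbr10           UNKNOWN        52:54:00:aa:bb:03 <BROADCAST,MULTICAST,UP,LOWER_UP>
tap101i0         UNKNOWN        fe:11:22:33:44:01 <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP>
tap101i1         UNKNOWN        fe:11:22:33:44:02 <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP>'

# vmid_ok VMID: Proxmox VM IDs are plain integers; refuse anything else before
# the value is spliced into a regular expression
vmid_ok() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# tap_name VMID INDEX: Proxmox names a VM's NICs tap<vmid>i<index>
tap_name() { vmid_ok "$1" || return 1; printf 'tap%si%s\n' "$1" "$2"; }

# list_vm_taps VMID (stdin: `ip -br link` output): every tap of that VM, one per line
list_vm_taps() {
  vmid_ok "$1" || return 1
  awk -v pat="^tap${1}i[0-9]+\$" '$1 ~ pat { print $1 }'
}

# link_flags IFNAME (stdin: `ip -br link` output): the <...> flag list of IFNAME
link_flags() { awk -v ifn="$1" '$1 == ifn { print $NF }'; }

# is_promisc IFNAME (stdin): succeeds if the interface is in promiscuous mode
is_promisc() { link_flags "$1" | grep -q PROMISC; }

# check_mirror_tap VMID (stdin): succeeds if tap<vmid>i1 exists, has carrier and
# is promiscuous, which is what a port attached to an OVS bridge should show
check_mirror_tap() {
  mt_input=$(cat)
  mt_tap=$(tap_name "$1" 1) || return 1
  mt_flags=$(printf '%s\n' "$mt_input" | link_flags "$mt_tap")
  [ -n "$mt_flags" ] || { echo "$mt_tap: not present (is VM $1 running?)" >&2; return 1; }
  case "$mt_flags" in *LOWER_UP*) ;; *) echo "$mt_tap: no carrier" >&2; return 1 ;; esac
  case "$mt_flags" in *PROMISC*) ;; *) echo "$mt_tap: not promiscuous" >&2; return 1 ;; esac
  echo "$mt_tap ok"
}

# Offline demo on the constructed sample. On a real Proxmox host run:
#   ip -br link | check_mirror_tap 101
printf '%s\n' "$SAMPLE_IP_BR_LINK" | list_vm_taps 101
printf '%s\n' "$SAMPLE_IP_BR_LINK" | check_mirror_tap 101
```

On a live host, pipe `ip -br link` into `check_mirror_tap <vmid>` after the Security Onion VM has booted; the tap only exists while the VM is running, so a "not present" result usually means the VM is stopped rather than that the naming is wrong.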
This is a shell script that mirrors traffic from the physical LAN port to the Security Onion VM.
Save this file in the root directory:
touch sopro.sh
Add these lines to the script:
nvim ./sopro.sh
#!/bin/dash
# sopro.sh: mirror all traffic on OVS bridge vmbr10 to the Security Onion tap port
SECONIONLOG=/root/seconiontap.log
date >> $SECONIONLOG
echo "####################" >> $SECONIONLOG
echo "Clearing any existing mirror..." >> $SECONIONLOG
# removes every mirror currently attached to the bridge, not only span1
ovs-vsctl clear bridge vmbr10 mirrors
echo "Creating mirror on vmbr10 for Security Onion..." >> $SECONIONLOG
# one atomic transaction: look up the tap port (@p), create a mirror that selects
# all traffic on the bridge and outputs it to @p, then attach the mirror to vmbr10
ovs-vsctl -- --id=@p get port tap101i1 \
-- --id=@m create mirror name=span1 select-all=true output-port=@p \
-- set bridge vmbr10 mirrors=@m >> $SECONIONLOG
echo "Showing existing mirrors..." >> $SECONIONLOG
ovs-vsctl list Mirror >> $SECONIONLOG
Make it executable:
chmod +x sopro.sh
Change the bridge and tap names to match your setup, and once everything looks right run the script: ./sopro.sh
The tap port only exists while the VM is running, so the mirror has to be recreated after the VM restarts. To re-run the script every three minutes, open root's crontab:
crontab -e
and add this line:
*/3 * * * * /root/sopro.sh
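The script above clears and recreates the mirror unconditionally, so the three-minute cron job interrupts the span briefly on every run, and it passes the bridge and tap names to ovs-vsctl unchecked. Below is an added example (not the page's sopro.sh) of a hardened variant: it validates the names, confirms the tap really is a port of the bridge, recreates the mirror only when it is missing or points at a different port, and keeps the ovs-vsctl transaction in one function that can be dry-run with echo. The names vmbr10, tap101i1, span1 and the log path are assumptions that follow the tutorial, and the sample `ovs-vsctl list Mirror` output is constructed.

```shell
#!/bin/sh
# Added example, not the page's sopro.sh: idempotent OVS mirror setup.
# Assumed names (they follow the tutorial; change them for your host):
BRIDGE="${BRIDGE:-vmbr10}"             # OVS bridge carrying the LAN traffic
MIRROR_TAP="${MIRROR_TAP:-tap101i1}"   # Security Onion VM's sniffing NIC (VM 101, NIC 1)
MIRROR_NAME="${MIRROR_NAME:-span1}"
LOGFILE="${LOGFILE:-/root/sopro.log}"

# Constructed sample of `ovs-vsctl list Mirror` output, used for the offline demo.
SAMPLE_LIST_MIRROR='_uuid               : 0d6c1c1e-2f3a-4b5c-8d9e-000000000001
external_ids        : {}
name                : span1
output_port         : 5b7e2a10-aaaa-bbbb-cccc-000000000002
output_vlan         : []
select_all          : true
select_dst_port     : []
select_src_port     : []
select_vlan         : []
snaplen             : []
statistics          : {tx_bytes=123456, tx_packets=789}'

# valid_ifname NAME: accept only the character set and length Linux allows for
# interface/bridge names, so a typo or an injected string never reaches ovs-vsctl.
valid_ifname() {
  case "$1" in
    '') return 1 ;;
    *[!A-Za-z0-9_.-]*) return 1 ;;
  esac
  [ "${#1}" -le 15 ]
}

# mirror_transaction BRIDGE TAP NAME RUNNER: hand the complete ovs-vsctl argument
# list to RUNNER. RUNNER=ovs-vsctl applies it atomically; RUNNER=echo prints it.
mirror_transaction() {
  "$4" -- --id=@p get Port "$2" \
       -- --id=@m create Mirror name="$3" select-all=true output-port=@p \
       -- set Bridge "$1" mirrors=@m
}

# mirror_output_port NAME: read `ovs-vsctl list Mirror` output on stdin and print
# the output_port UUID of the mirror called NAME (prints nothing if absent).
mirror_output_port() {
  awk -v want="$1" '
    BEGIN { RS = ""; FS = "\n" }             # one record per blank-line-separated block
    {
      name = ""; port = ""
      for (i = 1; i <= NF; i++) {
        p = index($i, ":"); if (p == 0) continue
        k = substr($i, 1, p - 1); v = substr($i, p + 1)
        gsub(/[ \t"]/, "", k); gsub(/[ \t"]/, "", v)
        if (k == "name") name = v
        if (k == "output_port") port = v
      }
      if (name == want) print port
    }'
}

# mirror_up_to_date: succeeds if a mirror called $MIRROR_NAME already outputs to $MIRROR_TAP
mirror_up_to_date() {
  want_uuid=$(ovs-vsctl get Port "$MIRROR_TAP" _uuid) || return 1
  have_uuid=$(ovs-vsctl list Mirror | mirror_output_port "$MIRROR_NAME")
  [ -n "$have_uuid" ] && [ "$have_uuid" = "$want_uuid" ]
}

# ensure_mirror: (re)create the span only when it is missing or stale, so the
# cron job does not interrupt the feed on every run.
ensure_mirror() {
  valid_ifname "$BRIDGE" && valid_ifname "$MIRROR_TAP" || { echo "bad bridge/tap name" >&2; return 2; }
  # the tap exists only while the VM runs, and it must sit on the bridge we mirror
  [ "$(ovs-vsctl port-to-br "$MIRROR_TAP" 2>/dev/null)" = "$BRIDGE" ] \
    || { echo "$(date) $MIRROR_TAP is not a port of $BRIDGE (VM down?)" >> "$LOGFILE"; return 1; }
  if mirror_up_to_date; then
    echo "$(date) mirror $MIRROR_NAME already active on $BRIDGE -> $MIRROR_TAP" >> "$LOGFILE"
    return 0
  fi
  echo "$(date) creating mirror $MIRROR_NAME on $BRIDGE -> $MIRROR_TAP" >> "$LOGFILE"
  ovs-vsctl clear Bridge "$BRIDGE" mirrors
  mirror_transaction "$BRIDGE" "$MIRROR_TAP" "$MIRROR_NAME" ovs-vsctl >> "$LOGFILE"
  ovs-vsctl list Mirror >> "$LOGFILE"
}

if command -v ovs-vsctl >/dev/null 2>&1; then
  ensure_mirror
else
  echo "dry run: ovs-vsctl $(mirror_transaction "$BRIDGE" "$MIRROR_TAP" "$MIRROR_NAME" echo)"
  printf '%s\n' "$SAMPLE_LIST_MIRROR" | mirror_output_port span1
fi
```

Installed as /root/sopro.sh in the same cron line as above, this version logs "already active" on most runs and only touches the bridge after the Security Onion VM has been restarted and received a fresh tap port.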