Step 1: Add a new function to your snort.lua file
If you followed the updated Snort 3.0 Beta 3 Installation HOWTO, then the default snort.lua file is in /etc/snortsp/snort.lua. Open the file and add the following function:
function bridge (interface1, interface2)
if interface2 == nil then
error("Two interface strings must be specified ( e.g. bridge(\"eth0\", \"eth1\") )")
end
dsrc1 = {name="src1",
type="afpacket",
intf=interface1..":"..interface2,
flags=10,
snaplen=1514,
display="none",
tcp={maxflows=262144, maxidle=30, flow_memcap=10000000},
other={maxflows=131072, maxidle=30, flow_memcap=1000000},
cksum_mode=0x0,
}
dsrc.new(dsrc1)
eng.new({name="e1"})
eng.link({engine="e1", source="src1"})
eng.start("e1")
end
Step 2: Start SnortSP
Start SnortSP using the following command:
sudo snortsp -L /etc/snortsp/snort.luaSnortSP will start up and read your new snort.lua file. You will then be greeted by the SnortSP Lua shell.
Step 3: Use the bridge() function
In the Lua shell, type the following (replacing eth0 and eth1 with the correct interfaces on your system):
bridge("eth0", "eth1")
Once the bridge is up and running, you can do the following to display packets traversing the bridge:
eng.set_display({engine="e1", display="none"})
Press the Up arrow and change "none" to "classic".
View the output.
Press the Up arrow twice to retrieve the "none" command and press Enter.
When finished, shut down SnortSP by running the following command:
ssp.shutdown()
11 comments:
Hi,
just one question. Do I still have to configure the ethernet cards in ubuntu to act as a bridge?
=> https://help.ubuntu.com/community/NetworkConnectionBridge
No, you don't have to use brctl to configure bridging in the kernel. SnortSP performs the bridging for you.
Please let me know if you have any further questions.
Thanks,
Doug Burks
http://securityonion.blogspot.com
Well, I´m just asking myself how difficult it is to make my own bridge to filter traffic. Therefore I want to integrate some tools:
- Snort for IDS and IPS
- Sophos Antivirus (I have the license for it) for scanning all traffic
Is this possible so far? Have you tried something like that?
Since Snort 3.0 is still in Beta, it's not quite ready for prime time. For production usage, you'll want to stick with the most recent Snort 2.x version (currently 2.8.4.1). You'll then want to configure it for inline mode per the Snort Users Manual.
What kind of traffic do you want to scan using Sophos? If HTTP, then you'll probably want to hook it into an application-layer proxy such as Squid. For SMTP, you might want to hook it into Postfix using Amavisd.
Please let me know if you have any further questions.
Thanks,
Doug Burks
http://securityonion.blogspot.com
Hi doug i thank you you for help and dont mean to be a pest = but i really need some insight into getting this going. i have done the install of NSM and started it but i got that error at the end and also i after i lauch sguil.tk and login i do the testids and nothing comes up. i selected the proper network to monitor??
JTB,
As I said in response to your other post, I would recommend starting over and using the following command:
./NSMnow -i -y
Please let me know how it goes.
Thanks,
Doug Burks
I had some problems trying to run snort because of some permisions problems related to "libsutil.so.0 no such file". i fixed it by just copying /usr/local/lib/libsutil.so.0.0.0 to /lib/libsutil.so.0 im sure there would be a better way of doing it?
Thanks for all the help Doug it all seems to be up and working. I am very new to snort is it possible to get snort to run with that command when the system boots?
Thanks in advance!
Hello Anonymous,
If you're new to Snort, you do NOT want to be using Snort 3.0 (SnortSP). It is still in Beta and is not ready for production use. Please use the current 2.x version of Snort (2.8.5.3 as of this writing).
Regards,
Doug Burks
Hi,
I have installed security onion for the first time without changing the network adapter setting to bridge. So it showed only eth0 working. I did that for both ( server and sensor) as well as for sensor. But i could not find packet sniffing in the tools (snorby , squil).
So again i installed the Security Onion with setting network adapter as bridge and removing the floppy. But now my both (server and sensor) system is still showing only eth0 that too with no ip address with it.
Always it shows a message while i power on the machine:
"Network Adapter Bridge on device VMnet0 is temporarily down..... "
Kindly Help.
Thanx
Hi shruti,
Please make sure you are following our Installation guide:
https://code.google.com/p/security-onion/wiki/Installation
If you continue to have problems, please send a detailed email to our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Post a Comment