Suricata HOME_NET config question (SPAN port) - security

As a project I have a physical firewall (IP: 10.0.0.2) with a SPAN port configured to a physical linux (CentOS 6) (IP: 10.0.0.3) on which I am running Suricata IDS.
Theoretically I should receive all the traffic to the box through an interface I called "span0". I can confirm this by running ifconfig and see traffic. So all good.
When running Suricata as follows: sudo suricata -c /etc/suricata/suricata.yaml -i span0 | I am not getting any errors. Also good.
The question here is how to configure the suricata.yaml file.
Should I have the HOME_NET on 10.0.0.2 or on 10.0.0.0/8?
Looking forward to hear your feedback, Jan (Honza) Novak

I am not a great IDS setup specialist, but I would suggest that the configuration depends on the network setup.
If the firewall simply broadcasts everything through itself, then you should choose 10.0.0.0/8 to protect the entire network. On the other hand, with this setting, events within the network may go unnoticed.
If NAT is configured, then I would suggest choosing 10.0.0.2 to track possible malicious activity both outside and inside the network.

Related

linking virtual machine as server and client

I have multiple virtual machine(vmware)(linux) but would like to make one as the server, meaning all the client who wants to access the internet, uses the server internet so, the server is able to view all the incoming and outgoing data packets.
Also, I would like to install another virtual machine to act as an IDS to track the server packet, if anything is wrong it is able to flag out.
Thanks for your help in advance
You can setup one Linux server as the gateway for the others. All you need is to create two virtual ethernet interfaces for it, one in bridged mode and other in virtual network mode.
One will be bridged with your actual network and act as the WAN, and the other will be act as a LAN gateway for others VM's.
So other VM's should use your server virtual network IP address as main gateway, and you can use tcpdump or wireshard or everything you like to sniff traffic forwarded.
One thing you need to configure on the server is IP forwarding option in sysctl, which is disabled by default:
net.ipv4.ip_forward = 1
You may find more relevant information here too.
Hope it will help you.

Find network interface that is communicating with gateway without using PING/ ICMP or UDP

I have a RHEL client machine which has to get data from the RHEL server machine at the time of booting up.
The IP address of the server is known.
The gateway which has to be used by the client machine is known.
The client machine has multiple network interfaces. All may not be up at the same time or all may be connected to different networks.
I need to determine which network interface has to be used.
I know that this can be easily done using the "ping" or "traceroute".
The issue is ICMP protocol is disabled both at the client end as well as the server end.
ICMP has been disabled due to security concerns.
ICMP may be disabled at machine level or it may be disabled for the whole network.
In otherword, I need to find a way that can give me if two ip's are communicating if ICMP is disabled.
Also, I have to use this result in my script, which I am writing in bash, to set the network of the client machine.
What is the best possible way to achieve this?
You can ping the ip with ARP try using arping command

Assigning a machine IP under linux

I have a machine with 3 interfaces, two public and one local. They are all from the same IP range. All externally accessible services on the machine use the internal IP.
However, when a process opens a connection to the outside world, the source address in the packets is set to that of the public interface which will be used to sends the packets out.
Is it possible under Linux to force all source addresses to be that of a particular interface, even if the packet then will be routed through an other interface?
Say we have a machine with 3 interfaces, A.B.C.1, A.B.C.2, A.B.C.3. Of these A.B.C.1 and A.B.C.2 are connected to the Internet (and A.B.C.0/24 is routed to them). All services on the machine listen to A.B.C.3. Is it possible to guarantee that all packets originating on the machine will have the source address of A.B.C.3, even if they will leave the machine via A.B.C.1 or A.B.C.2 ?
Specifying the source address when the socket for the outgoing connection is opened is not a solution; we're talking about existing programs which can not be changed. Also, it should work for ICMP as well.
Thanks.
This can be achieved with iptables:
sudo iptables -t nat -A OUTPUT -j SNAT --to A.B.C.3
If the iptables service is not running, it can be activated via the following command:
sudo service iptables restart

CentOS server: how to detect network status changes

I have setup a CentOS 6.4 server (minimal install) which is connected to network through an ethernet cable. The problem is that when the network link goes down, the status changes are not automatically detected but if i type "ifconfig" the interface still keeps its IP address (which is assigned by a DHCP server). After some time that the link is down the interface loses the address but when the link comes up again the network connection is not automatically restored like it would happen in a desktop computer. Even the command "dhclient eth0" does not always work to restore things, and I have to restart the whole network service with "/ect/init.d/network restart".
Is there any way to automatically detect network status changes like it happens in desktop installations? I'm thinking about a cron script that every 5 minutes pings a server outside my network and if it doesn't get any response it restarts network service, but this does not sound very efficient... is there another way?
EDIT: I realized I have not explained the situation correctly. My network topology is: server --> switch --> router --> external network (the router is another centos server with DHCPD).
For some reasons (that i'm not getting), when it happens that the router goes down and reboots, the other server becomes unreachable, and I have to manually restart network service on it. So the link does not effectively go down (the switch keeps it up), but the status change is at IP level.
You can check if you have NetworkManager enabled, I usually don't use it in the servers but it can help you in this case because it will monitor automatically the connections (it is quite common in desktop installations).
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-NetworkManager.html
To look for messages indicating an issue with the NIC just check the kernel ring buffer using the dmesg command.
For example when the cable is disconnected from a given interface this is what I get:
igb: eth1 NIC Link is Down
The first word will depend on the name of your network driver.
You could also configure the system to log these messages also to /var/log/messages (by default I am not sure if they appear there). Then it would be just a matter of monitoring the log, look for similar messages and restart the network service.
In any case the NetworkManager, if it is not already enabled, it should be an easier solution.
There is a module called miimon for monitoring the network interface's status. ethtool will give you the link status.
$ethtool eth0
...
Link detected: yes

xampp server (How to get up and running)

I've been developing locally on a little ubuntu netbook with xampp for about 7 months. Two weeks ago I got a computer I'd like to use as a server. I've installed the latest Ubuntu distribution and xampp, moved all my files over, and forwarded port 80. I've also got a domain name from dyndns.com which is being updated by a client which runs in my router (a Netgear WGR6154 v8).
Now, when I try to access my server by typing in the address I got from dyndns.com the browser loads until it timesout. I can access everything locally using localhost as the address so I believe xampp is running, just unable to connect with the internet.
In order to be able to view my files over the internet what should I do next?
Thanks to all in advance...
[I'm starting a bounty for the first person to help me get my files successfully online]
You have a combination of issues here, and that is something of a problem. Each issue is complex in an of itself. Here is what I would recommend to get you going for certain.
First verify that you can surf the web from your server. This will confirm that you have a working ethernet interface.
Step 1 make sure that XAMPP, and your files are viewable from your home network. I assume you are using something like 192.168.1.X for your network and perhaps your server is 192.168.1.10
Go to another computer in your house and type http://192.168.1.10/ and see if you can see your files. If you can then you know that the server is properly configured and XAMPP is working.
Then add an entry to your hosts file to resolve yourdnsrecord.com (or whatever your dyndns record is) to your private ip address. Then when you type yourdnsrecord.com into a browser from that computer you should still get your files. This will rule out your server being improperly configured to listen for that domain name.
Next you need to test to see if there is a firewall problem. To simplify this, first remove your home router from the equation. Instead, place your new server directly onto your internet connection. (assuming you can). This way, you do not need to have NAT or firewalls properly configured. Your dyndns name should map to a public IP and your server should then have that IP and be connected directly to the Internet. If you have your server directly connected, and the command ifconfig from the root prompt returns the same public IP address that your dynamic dns record is point to, then it should work.
It will make your life easier if you have an iphone or some other way to test how your network is seen from the Internet.
If your public IP as shown by ifconfig is different than the IP record in your dyndns account, then your dynamic dns update script is broken. manually set the IP, and see if things work.
It is very possible that this will not work. Some ISPs firewall port 80 preventing their subscribers from hosting servers. Once you have your server directly connected to the internet you can test this (even if your dns is not working) by using the public IP address. As root, type ifconfig from the command prompt to get your public ip address. Then type the command tcpdump -i eth? port 80 from the root prompt. eth? needs to be the same interface that you saw had a public IP address from the ifconfig command. usually this is eth0 but it might be wire0 or something like that.
This command will show you all traffic coming on port 80 to your server.
From an iphone (or whatever second Internet connection you have) browse to the IP address that you got from your ifconfig command. If you see something on your server (and it is directly connected to your ISP) then your ISP is not firewalling you.
If you can get to your server, when it is directly connected to the Internet, either by IP address or by DynDNS address, then your ISP is OK and it is time to debug your firewall.
Two things need to work for your firewall to be configured NAT, where the public address that your router gets from your ISP is converted into your private network and a firewall rule which permits that traffic. If you get this far, then you know your firewall is the problem and then it is just a matter of getting its configuration correct. There are far to many home routers to document here, but you usually can find how-to instructions for your router for this task from the manufacturers website (usually it is part of the manual)
If you follow these instructions exactly you will get your system working. Make comments on the process and I will be happy to modify this to make it clearer.
HTH,
-FT
You should make sure your xampp is not listening to only the localhost.
to do so edit your apache configuration file and check and search for Listen directive
you should be able to know also by analysing the output of netstat -a.
After that make sure your router is forwarding properly, using tcpdump would help.
drop me a comment if you need more help.
Cheers

Resources