HELLO_wORLD
Very Senior Member
Hello all,
As you may know if you have read my recent posts in this forum, I was setting up an IDS (Suricata) outside of the router (which is not powerful enough to run the IDS itself).
So what I needed to do was to send a copy of all the packets/frames I want to monitor to the IDS device.
I am skipping the IDS setup itself here, and will just specify that it has two Ethernet interfaces: one for normal LAN interconnection, and the other strictly for receiving the packets to be processed by the IDS.
Now, my first thought was naturally to simply use the port mirroring that the router offers (from the debug page). It works, but I noticed it impacted the performance of the router.
I found that unacceptable and decided to find another way.
After many trials, tests and experiments, I found what works best for me:
What is mirrored?
All the IPv4 and IPv6 packets that transit through the WAN and reach either the LAN (forwarded/routed packets) or the router itself (user space, for local processes), in both directions.
Anything that is discarded by the firewall before it reaches either the router or the LAN is not mirrored (it can be set up differently, but I just want to see what made it through my firewall and is still a threat).
How is it mirrored?
Well, I use two techniques. The result of both techniques is that the mirrored frames are identical to the original ones except for the Ethernet header, in which the destination and source MAC addresses are changed. I don't care about that, as the IDS works on the layers above Ethernet.
First, to mirror the packets forwarded by the router (LAN <-> WAN) and the ones going to the router itself (WAN -> router), I use iptables rules this way:
Code:
# Chain bolemo_ids: leave packets already marked 0x01 alone, mark the rest, then clone them to the IDS
/usr/sbin/iptables -t filter -w -N bolemo_ids
/usr/sbin/iptables -t filter -w -A bolemo_ids -m mark --mark 0x01 -j RETURN
/usr/sbin/iptables -t filter -w -A bolemo_ids -j MARK --set-mark 0x01
/usr/sbin/iptables -t filter -w -A bolemo_ids -j TEE --gateway IDS-IP
# Hook the chain into FORWARD (both directions through brwan) and INPUT (from brwan)
/usr/sbin/iptables -t filter -w -I FORWARD -o brwan -j bolemo_ids
/usr/sbin/iptables -t filter -w -I FORWARD -i brwan -j bolemo_ids
/usr/sbin/iptables -t filter -w -I INPUT -i brwan -j bolemo_ids
So here, I first create a chain (bolemo_ids) with 3 rules: the first one ignores packets already marked with 0x01; the second marks the packets with 0x01; and the third tees (mirrors) the packets to the IDS device with the IP "IDS-IP".
The same can be done for IPv6:
Code:
# Same chain for IPv6; the TEE gateway is the IDS link-local (or global) IPv6 address
/usr/sbin/ip6tables -t filter -w -N bolemo_ids
/usr/sbin/ip6tables -t filter -w -A bolemo_ids -m mark --mark 0x01 -j RETURN
/usr/sbin/ip6tables -t filter -w -A bolemo_ids -j MARK --set-mark 0x01
/usr/sbin/ip6tables -t filter -w -A bolemo_ids -j TEE --gateway IDS-LL
/usr/sbin/ip6tables -t filter -w -I FORWARD -o brwan -j bolemo_ids
/usr/sbin/ip6tables -t filter -w -I FORWARD -i brwan -j bolemo_ids
/usr/sbin/ip6tables -t filter -w -I INPUT -i brwan -j bolemo_ids
Exactly the same thing, but mirrored to the IPv6 link-local address of the IDS, "IDS-LL" (this can also be the IPv6 global address if one is set).
The big plus of this technique is that, first, it uses the hardware acceleration (little to no impact on performance), and second, it mirrors the routed packets from the FORWARD chain, meaning the source or destination in the LAN is known (very useful for IDS monitoring, to know which device is involved in sending or receiving a suspicious packet).
Now we have this: LAN <-> WAN and WAN -> router.
We are missing WAN <- router.
One could just add a rule in iptables and ip6tables in the OUTPUT chain to tee the packets…
That would work, but it would miss any packets that do not go through iptables (in particular locally generated raw socket packets).
So my solution is to use tc this way:
Code:
# Load the tc action and classifier modules used below (kernel 3.4.103 module paths)
/sbin/insmod /lib/modules/3.4.103/act_pedit.ko
/sbin/insmod /lib/modules/3.4.103/act_skbedit.ko
/sbin/insmod /lib/modules/3.4.103/act_mirred.ko
/sbin/insmod /lib/modules/3.4.103/act_gact.ko
/sbin/insmod /lib/modules/3.4.103/cls_u32.ko
# ifb0: rewrite the destination MAC to the IDS (00:11:22:33:44:55), then redirect the frame out of ethlan
/usr/sbin/tc qdisc add dev ifb0 handle 1: root prio
/usr/sbin/tc filter add dev ifb0 parent 1: prio 2 protocol all u32 match u32 0 0 \
    action pedit munge offset -14 u16 set 0x0011 munge offset -12 u16 set 0x2233 munge offset -10 u16 set 0x4455 pipe \
    action mirred egress redirect dev ethlan
/usr/sbin/ip link set dev ifb0 up
# ethwan egress: pass already-marked packets and ARP untouched, mark everything else 0x1 and mirror it to ifb0
/usr/sbin/tc qdisc add dev ethwan handle 1: root prio
/usr/sbin/tc filter add dev ethwan parent 1: prio 1 protocol all u32 match mark 0x1 0xFFF action pass
/usr/sbin/tc filter add dev ethwan parent 1: prio 2 protocol arp u32 match u32 0 0 action pass
/usr/sbin/tc filter add dev ethwan parent 1: prio 3 protocol all u32 match u32 0 0 \
    action skbedit mark 0x1 pipe action mirred egress mirror dev ifb0
So here, I first load a few kernel modules (not all of them are natively available in the firmware; some have to be compiled into it first).
Then I create a filter for the device ifb0 that first changes the destination MAC (at the Ethernet layer) of all packets to the one of the IDS device (assuming here it is 00:11:22:33:44:55), then redirects the packets to the interface ethlan (since the IDS is plugged into one of the LAN ports of the router).
And finally, I create a chain of filters for the interface ethwan (WAN interface): for any packet about to leave the router, 1) packets marked with 0x1 are ignored; 2) then ARP packets are ignored; 3) then the remaining packets are marked with 0x1 and mirrored to ifb0.
And now I do have this mirrored: LAN <-> WAN and WAN <-> router, including raw socket packets.
All with hardware acceleration, and with information about the LAN devices involved.
PS/EDIT: to arrive at that solution, I first asked questions in other threads, here: IP source and destination not in LAN or public ip… and here: Need help/advice with advanced networking interfaces needs
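The following is an added example, not the original poster's script and not something the post contains: the same iptables/ip6tables TEE chain and tc mirror, generated from parameters so that the IDS MAC is split into the three pedit words by a function instead of by hand, plus a teardown and a counter check. Assumptions: the interface names brwan/ethwan/ethlan and the chain name bolemo_ids come from the post; the IDS addresses 192.0.2.10 and fe80::1 are placeholders for the post's IDS-IP and IDS-LL; iptables, ip6tables, tc and ip are in PATH; the tc modules from the post's insmod lines are already loaded; the file name ids-mirror.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not the original poster's script: the same iptables TEE chain
# and tc mirror, generated from parameters, with a teardown and a counter check.
# Assumptions: interface names brwan/ethwan/ethlan and the chain name come from
# the post; the IDS addresses below are placeholders; iptables, ip6tables, tc and
# ip are in PATH; the tc modules listed in the post are already loaded.
IDS_IP=${IDS_IP:-192.0.2.10}            # placeholder for IDS-IP
IDS_LL=${IDS_LL:-fe80::1}               # placeholder for IDS-LL
IDS_MAC=${IDS_MAC:-00:11:22:33:44:55}   # IDS MAC as used in the post
WAN_BR=${WAN_BR:-brwan}; WAN_IF=${WAN_IF:-ethwan}; LAN_IF=${LAN_IF:-ethlan}
CHAIN=bolemo_ids; MARK=0x01

# With DRY_RUN set, print each command instead of executing it (no root needed).
run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Turn aa:bb:cc:dd:ee:ff into the three pedit munges that overwrite the 6-byte
# destination MAC; offsets -14/-12/-10 are relative to the start of the IP header.
mac_to_pedit() {
    m=$(printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f')
    case "$m" in *[!0-9a-f]*) m=;; esac          # reject anything that is not hex
    [ "${#m}" -eq 12 ] || { printf 'bad MAC: %s\n' "$1" >&2; return 1; }
    printf 'munge offset -14 u16 set 0x%s munge offset -12 u16 set 0x%s munge offset -10 u16 set 0x%s' \
        "$(printf '%s' "$m" | cut -c1-4)" "$(printf '%s' "$m" | cut -c5-8)" \
        "$(printf '%s' "$m" | cut -c9-12)"
}

# tee_chain <iptables|ip6tables> <gateway>: the post's chain for one address family
tee_chain() {
    ipt=$1; gw=$2
    run "$ipt" -t filter -w -N "$CHAIN"
    run "$ipt" -t filter -w -A "$CHAIN" -m mark --mark "$MARK" -j RETURN   # already cloned once
    run "$ipt" -t filter -w -A "$CHAIN" -j MARK --set-mark "$MARK"
    run "$ipt" -t filter -w -A "$CHAIN" -j TEE --gateway "$gw"
    for hook in "FORWARD -o $WAN_BR" "FORWARD -i $WAN_BR" "INPUT -i $WAN_BR"; do
        run "$ipt" -t filter -w -I $hook -j "$CHAIN"   # $hook unquoted on purpose
    done
}

# tc side: rewrite the destination MAC on ifb0 and redirect to the LAN port;
# on the WAN egress, pass marked packets and ARP, mark and mirror the rest to ifb0
tc_mirror() {
    pedit=$(mac_to_pedit "$IDS_MAC") || return 1
    run tc qdisc add dev ifb0 handle 1: root prio
    run tc filter add dev ifb0 parent 1: prio 2 protocol all u32 match u32 0 0 \
        action pedit $pedit pipe action mirred egress redirect dev "$LAN_IF"
    run ip link set dev ifb0 up
    run tc qdisc add dev "$WAN_IF" handle 1: root prio
    run tc filter add dev "$WAN_IF" parent 1: prio 1 protocol all u32 match mark 0x1 0xfff action pass
    run tc filter add dev "$WAN_IF" parent 1: prio 2 protocol arp u32 match u32 0 0 action pass
    run tc filter add dev "$WAN_IF" parent 1: prio 3 protocol all u32 match u32 0 0 \
        action skbedit mark 0x1 pipe action mirred egress mirror dev ifb0
}

# Undo everything: unhook and delete the chains, drop both qdiscs (and their filters)
teardown() {
    for ipt in iptables ip6tables; do
        run "$ipt" -t filter -w -D FORWARD -o "$WAN_BR" -j "$CHAIN"
        run "$ipt" -t filter -w -D FORWARD -i "$WAN_BR" -j "$CHAIN"
        run "$ipt" -t filter -w -D INPUT -i "$WAN_BR" -j "$CHAIN"
        run "$ipt" -t filter -w -F "$CHAIN"
        run "$ipt" -t filter -w -X "$CHAIN"
    done
    run tc qdisc del dev "$WAN_IF" root
    run tc qdisc del dev ifb0 root
}

# Packet counters: the chain's TEE rule and the ethwan/ifb0 filters should all be climbing
status() {
    run iptables -t filter -w -vnL "$CHAIN"; run ip6tables -t filter -w -vnL "$CHAIN"
    run tc -s filter show dev "$WAN_IF"; run tc -s filter show dev ifb0
}

setup() { tee_chain iptables "$IDS_IP" && tee_chain ip6tables "$IDS_LL" && tc_mirror; }

case "${1:-}" in
    up) setup ;; down) teardown ;; status) status ;;
    *) ;;   # no argument: only define the functions (e.g. when sourced)
esac
```

`DRY_RUN=1 sh ids-mirror.sh up` prints the full rule set for review without touching the router; as root, `sh ids-mirror.sh up`, `down` and `status` apply, remove and inspect it. The mark check in the chain and the `match mark` filter on the WAN egress are kept exactly as in the post: they are what stops a packet that was already cloned by TEE in FORWARD from being mirrored a second time by tc when it leaves through ethwan.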