I wanted to install a small network IDS on my home network using Snort. I wanted to put the NIDS outside my firewall, so that it could examine all Internet traffic coming in and out of the network. Of course, putting a device online outside my firewall without any protection isn't terribly attractive, so I decided to feed it from a passive tap. Apart from being the only possible configuration given my home ISP (FiOS), a tap allows a completely stealthed NIDS deployment: the sensor has no presence on the tapped wire at all. Unfortunately, this also means the sensor can't interact with any traffic it sees, so Snort's active response (flexresp) is out of the question.
The other drawback of a tap is that, by its very nature, you need two Ethernet ports to sniff on. Why? Check the Snort docs on the subject. A passive tap can only deliver one direction's worth of traffic to a single port: one tap port carries what host A sends, the other what host B sends. That means you have to recombine the two directions on the sniffing device. Since these ports can only receive and never send, you also need a third Ethernet port to connect to your internal network, or, if you've got a larger network, to a management LAN. One more consequence of the design: it is a 10/100 tap. Only the 1-2 and 3-6 pairs carry traffic, and 1000BASE-T drives all four pairs in both directions, so if either end of the tapped link is gigabit-capable, force that link to 100 Mbit full duplex or the tap ports will see nothing decodable.
Building the tap is pretty simple when you've got the picture on the right to work from. Need the parts? Head over to Home Depot and grab the following:
- A plastic electrical box (get one marked for "Old Work"). An 8 cubic inch box will probably not be deep enough, so go for one of the 14 cubic inch ones. Unscrew the little anchor flaps and toss them.
- A 4-jack faceplate. Whatever color you like. I used white.
- 4 Cat 5e Ethernet jacks. I got 2 white and 2 blue. The white jacks are the Host jacks, and the blue ones are Tap A and Tap B, as shown in the figure on the right.
- About 6 inches of Cat 5e cable.
Strip off the jacket and pull out the 8 wires. Wire up the jacks as shown in the figure. I found it easiest to wire up one of the host jacks first, then run the wires through the tap jacks and finally up to the other host jack. Keep the pairs twisted as close to the jacks as you can to limit NEXT (near-end crosstalk). Cap off the jacks and screw the faceplate into the electrical box.
I made two, one to use for the NIDS, and another to carry around for work if I need a tap.
I'm not going to go into how to install Snort, ACID, or any of that; there are already enough guides on that topic. I will, however, address the need to join the two sniffing interfaces into a single full-duplex interface for Snort to sniff on. You'll use the Linux kernel's bonding module for this. I'm going to assume Debian or Ubuntu. Add bonding to your /etc/modules file, then run modprobe bonding. In /etc/network/interfaces you'll need something like this:
auto bond0
iface bond0 inet manual
        up ifconfig $IFACE 0.0.0.0 up
        down ifconfig $IFACE down
        post-up ifenslave bond0 eth0 eth1
        pre-down ifenslave -d bond0 eth0 eth1
Obviously, you'll need to configure Snort to sniff on bond0 (snort -i bond0). Don't forget to install the ifenslave package; it's not installed by default on Ubuntu. Two things a tap sensor needs that an ordinary host doesn't: the sniffing ports must never own an IP address (the 0.0.0.0 above takes care of bond0, so make sure eth0 and eth1 don't get one either), and because the tap leaves each monitor NIC's transmit pair unconnected, autonegotiation often won't complete on them. If the ports show no link, force them: ethtool -s eth0 speed 100 duplex full autoneg off, and the same for eth1.
The biggest concern lots of tap novices have is accidentally introducing traffic onto the wire via the tap. Let's be clear about why that doesn't happen as wired here: the only live pins on the tap ports are 3 and 6, and on a standard (MDI) NIC port those are the receive pair, not the transmit pair, so the NIC has nothing to transmit on. The one caveat is auto MDI-X: a NIC that autodetects crossover may swap its pairs and probe on pins 3 and 6. The usual precaution on a stealth sensor is the forced speed/duplex above with autonegotiation off, plus keeping the sniffing interfaces addressless; and you can confirm on your own box that the monitor ports' TX counters stay at zero.
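Two checks a practitioner would want after the stanza above, as an added example that is not part of the original post. It assumes the monitor ports are eth0 and eth1 (the names used in the interfaces stanza), that the tapped link runs at 100 Mbit full duplex, and that ethtool, ip and ifenslave are installed. setup_tap_bond() does by hand what the interfaces stanza does, with the link forced and the ports left addressless and promiscuous; check_tap_port() compares two /proc/net/dev snapshots and confirms that a monitor port is receiving and has never transmitted a frame, which is how you verify the "nothing goes back out the tap" claim on your own sensor. The snapshots at the bottom are constructed for the demo, not captured.

```shell
#!/bin/sh
# Passive-tap sensor helpers (added example, not from the original post).
# Assumptions: monitor NICs are eth0 and eth1 bonded into bond0; the tapped
# link is 100 Mbit full duplex; ethtool, ip and ifenslave are installed.

# Bring the monitor ports up the way a receive-only tap needs. The tap
# leaves each NIC's transmit pair unconnected, so autonegotiation with the
# far end cannot be relied on; force speed/duplex instead. Needs root, so
# the demo below never calls it.
setup_tap_bond() {
    modprobe bonding
    ip link set dev bond0 up
    for ifc in eth0 eth1; do
        ethtool -s "$ifc" speed 100 duplex full autoneg off
        ip addr flush dev "$ifc"          # a sniff port must never own an address
        ip link set dev "$ifc" promisc on
    done
    ifenslave bond0 eth0 eth1
}

# Print "rx_bytes rx_packets tx_bytes tx_packets" for interface $1 from a
# /proc/net/dev dump passed as $2. Once the colon after the name becomes a
# space, the kernel's columns put receive bytes/packets in fields 2-3 and
# transmit bytes/packets in fields 10-11.
dev_counters() {
    printf '%s\n' "$2" | sed 's/:/ /' |
        awk -v ifc="$1" '$1 == ifc { print $2, $3, $10, $11 }'
}

# Verify monitor port $1 between two snapshots ($2 before, $3 after, taken a
# few seconds apart): RX packets must grow (one direction of the tapped
# link) and TX packets must stay at zero. A non-zero TX count means the
# kernel sent a frame out of a port that should be mute (an address or IPv6
# autoconf left on it). PHY-level auto-MDI-X probes are not frames and will
# not show here; the forced speed/duplex in setup_tap_bond covers those.
check_tap_port() {
    local ifc before after rxp0 txp0 rxp1 txp1
    ifc=$1; before=$2; after=$3
    set -- $(dev_counters "$ifc" "$before")
    rxp0=$2; txp0=$4
    set -- $(dev_counters "$ifc" "$after")
    rxp1=$2; txp1=$4
    if [ -z "$rxp0" ] || [ -z "$rxp1" ]; then
        echo "$ifc: not present in /proc/net/dev"; return 1
    fi
    if [ "$txp0" -ne 0 ] || [ "$txp1" -ne 0 ]; then
        echo "$ifc: transmitted $txp1 frames; this port is not receive-only"; return 1
    fi
    if [ "$rxp1" -le "$rxp0" ]; then
        echo "$ifc: no new frames; check link (forced 100/full?) and tap wiring"; return 1
    fi
    echo "$ifc: ok, $((rxp1 - rxp0)) new frames received, none transmitted"
}

# Constructed /proc/net/dev snapshots (not real captures): eth0 behaves like
# a proper tap port; eth1 was mistakenly given an address and sent 3 frames.
SNAP_BEFORE='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:     920      12    0    0    0     0          0         0      920      12    0    0    0     0       0          0
  eth0: 1200000    9500    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  eth1:  800000    6100    0    0    0     0          0         0        0       0    0    0    0     0       0          0'
SNAP_AFTER='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:     920      12    0    0    0     0          0         0      920      12    0    0    0     0       0          0
  eth0: 1260000    9980    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  eth1:  850000    6490    0    0    0     0          0         0      342       3    0    0    0     0       0          0'

# Check both monitor ports against the constructed snapshots; returns 1 if
# either port fails (eth1 does, because of its stray transmits).
run_demo() {
    local rc
    rc=0
    check_tap_port eth0 "$SNAP_BEFORE" "$SNAP_AFTER" || rc=1
    check_tap_port eth1 "$SNAP_BEFORE" "$SNAP_AFTER" || rc=1
    return $rc
}

# Live use on the sensor while traffic flows: run_live eth0, then eth1.
run_live() {
    local b a
    b=$(cat /proc/net/dev); sleep 5; a=$(cat /proc/net/dev)
    check_tap_port "$1" "$b" "$a"
}

if [ "${1:-}" = demo ]; then run_demo; fi
```

Run it as sh tapcheck.sh demo to see the constructed case, or source it on the sensor and call run_live on each monitor port; a port that reports transmitted frames needs its address and IPv6 autoconf removed before you trust the deployment as stealthed.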

Your comment about the safety of this device, that you’ll never accidentally transmit on the tapped line because you’re only using the RX pair, is no longer true. Many NICs these days will attempt to autodetect the MDI (The “switch-or-host”iness of an interface). If they’re not receiving anything, they’ll try sending a burst of data on the RX pair and see if they hear anything on the TX pair.
At least, this was my experience when putting together the talk I’ll be giving in the DefCon SkyTalks this year (2009).
But, otherwise, this page is cool indeed.
-Mark
I am using Ubuntu and have followed your post. On the PC, eth2 and eth3 are not getting any link lights. In turn, they are not receiving any packets. I've been monitoring /proc/net/dev. If I plug the cable from eth2 or eth3 directly into a switch, the ports come up and start working. I had assigned them private IPs on my network and they worked perfectly. Any thoughts?