I wanted to install a small network IDS on my home network using Snort. I wanted to stick the NIDS outside of my firewall, so it would be able to examine all Internet traffic coming in and out of the network. Of course, putting a device online outside my firewall without any protection isn’t terribly attractive, so I decided to install it using a tap. Ignoring the fact that this is really the only possible configuration given my home ISP (FiOS), it allows me to do a completely stealthed deployment of a NIDS. Unfortunately, this type of deployment also precludes the ability to interact with any traffic seen on the wire, so flexresp is out of the question.
The other bad part about using a tap is that, simply by the nature of the tap, you need to have 2 Ethernet ports to sniff on. Why? Check out the Snort docs on the subject. When you set up a tap, you can only push one direction’s worth of traffic onto a single port. This means you have to combine the traffic on the sniffing device. Since you can only receive traffic and can’t send on these ports, you must have a third Ethernet port to connect to your internal network, or, if you’ve got a larger network, a management LAN.
So, building your tap is pretty simple, when you’ve got the picture here on the right to work from. Need the parts? Head over to Home Depot and grab yourself the following parts:
- A plastic electric box (get one marked for “Old Work”). An 8 cubic inch box will probably not be deep enough, so go for one of the 14 cubic inch ones. Unscrew the little anchor flaps and toss them in the trash.
- A 4-jack faceplate. Whatever color you like. I used white.
- 4 Cat 5e Ethernet jacks. I got 2 white and 2 blue. The white jacks are the Host jacks, and the blue ones are Tap A & B, as shown in the figure at the right.
- About 6 inches of Ethernet cable.
Strip off the jacket and remove the 8 wires. Wire up the jacks as shown in the figure. I found it easiest to wire up one of the host jacks, then run the wires through the tap jacks and finally up to the other host jack. Try to keep the twists in the wire as much as possible, to prevent NEXT (Near End Crosstalk). Cap off the jacks and screw the thing into the electric box.
I made two, one to use for the NIDS, and another to carry around for work if I need a tap.
I’m not going to go into how to install Snort, ACID, or any of that stuff. There are already enough guides out there on that topic. I will, however, address the need to join the two sniffing interfaces into a single full-duplex interface for Snort to sniff on. You’ll be using the Linux kernel’s bonding module for this. I’m going to assume Debian or Ubuntu here. Add the bonding module to your /etc/modules file, then execute the command modprobe bonding. In the /etc/network/interfaces file, you’ll need something like this:
auto bond0
iface bond0 inet manual
    up ifconfig $IFACE 0.0.0.0 up
    down ifconfig $IFACE down
    post-up ifenslave bond0 eth0 eth1
    pre-down ifenslave -d bond0 eth0 eth1
Obviously, you’ll need to configure Snort to sniff on the bond0 interface. Don’t forget to install the ifenslave package. It’s not installed by default on Ubuntu.
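Once the bond is up, it is worth checking that it actually does what a tap sensor needs: both slaves receiving, the bond in a mode that delivers frames from both slaves, and no address on the sniffing interface. The script below is an added example, not code from the original post. It parses the text the kernel writes to /proc/net/bonding/bond0 and the output of ip addr show, passed in as strings, so it can be run against output captured on the sensor or, as here, against constructed sample text. The interface names eth0, eth1, eth2 and bond0 follow the post; the sample reports and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for a passive
# sniffing bond built from the two tap legs, eth0 and eth1 enslaved to bond0.
# Each check takes the text that the kernel or iproute2 would produce, so it
# can be fed `cat /proc/net/bonding/bond0` and `ip addr show` on a real sensor.

# bond_mode_is_rr REPORT
# Returns 0 if the report shows balance-rr (mode 0, the kernel default, which
# is what the post's config gets). In modes with an inactive slave, such as
# active-backup, the bonding driver drops frames received on the inactive
# port, so a tap sensor would silently lose one direction of traffic.
bond_mode_is_rr() {
    printf '%s\n' "$1" | grep -q '^Bonding Mode: load balancing (round-robin)$'
}

# bond_slaves_up REPORT SLAVE...
# Returns 0 if every named slave is listed with "MII Status: up"; otherwise
# prints each missing or down slave to stderr and returns 1.
bond_slaves_up() {
    report=$1; shift
    rc=0
    for want in "$@"; do
        status=$(printf '%s\n' "$report" | awk -v s="$want" '
            $1 == "Slave" && $2 == "Interface:" { cur = $3 }
            cur == s && $1 == "MII" && $2 == "Status:" { print $3; exit }')
        if [ "$status" != "up" ]; then
            echo "slave $want: ${status:-missing}" >&2
            rc=1
        fi
    done
    return $rc
}

# iface_has_no_ipv4 IP_ADDR_OUTPUT IFACE
# Returns 0 if IFACE has no "inet" line in `ip addr show` output. The sniffing
# bond is meant to be a receive-only listener with no address, which is what
# the post's "ifconfig $IFACE 0.0.0.0 up" line sets up.
iface_has_no_ipv4() {
    printf '%s\n' "$1" | awk -v i="$2" '
        /^[0-9]+: / { cur = $2; sub(/:$/, "", cur); sub(/@.*/, "", cur) }
        cur == i && $1 == "inet" { found = 1 }
        END { exit found ? 1 : 0 }'
}

# run_checks REPORT IP_ADDR_OUTPUT: all three checks; 0 only if every one passes.
run_checks() {
    fail=0
    bond_mode_is_rr "$1"          || { echo "bond mode is not balance-rr" >&2; fail=1; }
    bond_slaves_up "$1" eth0 eth1 || fail=1
    iface_has_no_ipv4 "$2" bond0  || { echo "bond0 carries an IPv4 address" >&2; fail=1; }
    return $fail
}

# Constructed sample of /proc/net/bonding/bond0 for a healthy sensor.
GOOD_REPORT='Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 0

Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:11:22:33:44:01

Slave Interface: eth1
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:11:22:33:44:02'

# Constructed sample of a misconfigured sensor: wrong mode and one leg down.
BAD_REPORT='Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: fault-tolerance (active-backup)
Currently Active Slave: eth0
MII Status: up

Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:11:22:33:44:01

Slave Interface: eth1
MII Status: down
Link Failure Count: 3
Permanent HW addr: 00:11:22:33:44:02'

# Constructed `ip addr show` output: eth2 is the addressed management port,
# the bond and its slaves have no address.
IP_OUTPUT='2: eth0: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master bond0 state UP
    link/ether 00:11:22:33:44:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master bond0 state UP
    link/ether 00:11:22:33:44:01 brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    link/ether 00:11:22:33:44:03 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth2
5: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 00:11:22:33:44:01 brd ff:ff:ff:ff:ff:ff'

run_checks "$GOOD_REPORT" "$IP_OUTPUT" && echo "sensor bond looks right"
run_checks "$BAD_REPORT" "$IP_OUTPUT" || echo "sample bad report rejected as expected"
```

On the sensor itself, replace the two sample strings with "$(cat /proc/net/bonding/bond0)" and "$(ip addr show)". The mode check is the one most worth keeping: a bond that comes up in active-backup will look healthy and still only show Snort half the conversation.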
The biggest concern lots of tap novices have is accidentally introducing traffic onto the wire via the tap. Let’s be clear. This is simply impossible. Can’t happen. At all. Why? The only pins that are live on the tap ports are 3 and 6. Guess what happens on those pins? It’s only RX, not TX, so you can’t transmit on the tap ports.
So, I’m in Virginia until tomorrow for training. Alex thought it would be fun to send his stuffed Curious George with me, and so I’ve been sending pictures.
After a big day with me, Monkey decided to relax a bit.
After getting a bit of rest, Monkey decided to send off a few emails.
Next, Monkey finally figured out he was hungry, so he cooked some dinner.
After dinner, Monkey was thirsty, so he had a drink too.
At the end of such a big day, Monkey went off to bed.
Thanks to Matt Ralph for pointing this one out.
Bookmarklets rock. They’re great timesavers, and a worthy addition to your browser’s bookmark bar.
So, what’s a bookmarklet? In short, a bookmark, typically constructed with JavaScript that does a specific task. For example, emailing some data via your favorite webmail provider, or checking Bugmenot for a login to a site you don’t really want to register for, or generating a shorter URL for a site. Here are the ones I keep around. Hopefully you’ll use some of them. To grab them, mouse over the link and drag to your browser’s bookmark bar. I recommend you make a folder on your bookmark bar and toss your bookmarklets in that folder (that’s what I do).
Here’s the breakdown of my favorite bookmarklets…
Google Services
Google This: Select some text on a page, click the bookmarklet, blammo – you’ve got a Google search for the selected text.
Google Images: Select some text on a page, click the bookmarklet and you’ve got a Google Image search for the selected text.
GAppMail This: Send the selected text via Google Apps for Your Domain Mail. You’ll need to edit this one to change out yourdomain.com for what your domain name actually is.
Gmail This: Send the selected text via Gmail.
Google Cache: Pull up the Google Cache version of the currently loaded page.
Google Map This: Select an address, get a Google map of it.
Geocode: Get the Latitude & Longitude for the center of a Google map.
Google Translate: Translate the currently loaded page into English.
Web Development
Show Divs: Show the <div> areas on the currently loaded page.
ReCSS: Reload CSS for the currently loaded page.
W3C HTML Validator: Run the currently loaded page through the W3C’s HTML Validator.
W3C CSS Validator: Run the currently loaded page’s CSS through the W3C’s CSS Validator.
References
Acronym Lookup: Look up an acronym in the Internet Acronym Database.
Urban Dictionary Lookup: Look up a selected word in the Urban Dictionary.
Social Networking
Del.icio.us Linkbacks: Show del.icio.us links to the current page.
Compulsory Login Bypass
BugMeNot: Look up usernames & passwords for various sites.
URL Shorteners
DiggBar: Uses the new DiggBar for URL shortening.
Cli.gs: Uses the Cli.gs shortening service.
It’s MacHeist time again. Big bundle of Mac apps, low price, lots of charitable contributions from the guys running the thing.
Go have a peek. It’s definitely worth a look. If you use 2 of the apps, it’s a worthwhile deal.
For years now, I’ve been kidding myself, hiding behind my secret envy of Steve Ballmer and Bill Gates, opting to use Macs & Linux at home, as well as Symbian-based mobile phones. I just can’t stand living the lie any longer.
I am a PC!
I’m reformatting our Macs at home, and they will henceforth run nothing but Windows Vista. Ultimate 64-bit, of course. No Boot Camp, VMware Fusion or Parallels. Just Windows Vista. The sheer beauty of the Vista desktop, laden with all of those oh-so-cool gadgets, the Aero Glass look, and the Control Panel, oh, the sheer bliss of it all! So what if I’ll need to run full-time anti-virus and anti-spyware apps to protect us and our data? Honey, I’m home.
And the server, what a colossal mistake it was running Ubuntu’s Intrepid Ibex 64-bit release on there. What on earth was I thinking??? All of that idle CPU time just going to waste doing nothing. Why, by installing Windows Server 2008 on the system, I can give that CPU an actual workout. You know what they say about muscles that go unused... I figure the same thing applies to the CPU’s power starting to atrophy from lack of use. So what if I run my phone system out of Asterisk, and have a VPN server that runs in a VMware Server instance? Again, I’ll have the blissful joy of Windows at my disposal.
And the phones. We’ve suffered for too many years with S60 devices. Back when I worked at Nokia, I didn’t have an excuse, but now I can finally break free after all these years! By moving to Windows Mobile devices, I can now take the nirvana that one can only experience with that stunningly gorgeous Blue Screen of Death out and about with me, right in my pocket. That BSOD is so invigorating, I think we should change it to the BSOL, Blue Screen of Life!
˙looɟ lıɹdɐ ¡ʇɥƃıɹ ɥɐǝʎ
We’re spending a quiet evening at home tonight, watching stuff on the Science Channel. During a commercial break from a very interesting show about the ice hotel that gets built annually in Sweden, we saw a commercial for a new show coming to Animal Planet entitled “River Monsters”. The gist? It’s a guy who’s dubbed as “an extreme angler”, which I think roughly translates as “fishes with a harpoon gun nearby”, who goes after really big, nasty fish. Sort of like Bassmasters, but with the chance of the host being ripped to shreds by some sort of ferocious water creature.
As time marches on, it seems that viewers require more & more shocking content in order to hold their interest. What will be required in 5 or 10 years to draw in viewers? How about ice hockey, but where the players have nitroglycerin strapped to their bodies? How far are we away from The Running Man?
I’ve lost count of how many trips I’ve taken on the Acela Express. 99% of the time, it’s been heading south to DC. But on those rare occasions that I take it to head north, it’s always incredibly frustrating.
The state of Connecticut seems to be the land of a thousand dead spots. I’m forever dropping calls, my laptop’s 3G connection doesn’t stay up for the whole trip either. Going south, the only spot I lose signal totally is the tunnel you pass through at Baltimore. Being underground, this is not unexpected.
But on a clear, sunny day, riding the rails through Connecticut, it is a big ball of suck.
If you haven’t heard about the global credit crisis, you’ve probably spent the better part of the past year under a rock. Watch these videos from Jon Jarvis. They explain in pretty simple terms, plain English even, how we got to where we are. He really knocks it out of the park here.