Tuesday, January 28, 2014

Configuring a bridged promisc interface in Security Onion

A few months ago I configured an all-in-one (server and sensor) Security Onion VM on my ESXi box. It took a while, but I finally found a good box that I could use for a physical sensor. I bought this Barracuda Ethernet TAP back around 2007-9, and while it worked great, after I moved to my house, it has literally been collecting dust in my basement for years. Lucky for me, it still works!

This is a non-aggregating TAP, which means I have two "output" cables coming from the TAP to my IDS. On the physical server, I installed Security Onion as a sensor only, and the TAP interfaces ended up being eth0 and eth2 (eth1 is the mgmt. interface).

I quickly realized that I only knew how to bond two interfaces together on CentOS/RedHat.  It took a few hours of googling and trial and error, but I finally got eth0 and eth2 bonded/bridged together. 

Aside from the Security Onion install, and configuring the interfaces (as shown below), the only other thing I needed to do was to install the bridge-utils package. Until I did that, even though my interfaces file was configured properly, the br0 interface would not come up.

I don't want to lose the config that ended up working, so here is the final config for Ubuntu/Xubuntu:


seth@sensor-dell:~$ uname -a
Linux sensor-dell 3.2.0-58-generic #88-Ubuntu SMP Tue Dec 3 17:37:58 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux


seth@sensor-dell:~$ history | grep bridge-utils
   67  sudo apt-get install bridge-utils


seth@sensor-dell:~$ cat /etc/network/interfaces
# This configuration was created by the Security Onion setup script.  The original network
# interface configuration file was backed up to /etc/networking/interfaces.bak.

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# loopback network interface
auto lo
iface lo inet loopback

# Management network interface
auto eth1
iface eth1 inet static
  address 192.168.0.202
  gateway 192.168.0.1
  netmask 255.255.255.0
  dns-nameservers 8.8.8.8 8.8.4.4

auto eth0
iface eth0 inet manual
  up ip link set eth0 promisc on arp off up
  down ip link set eth0 promisc off down
  post-up ethtool -G eth0 rx ; for i in rx tx sg tso ufo gso gro lro; do ethtool -K eth0 $i off; done
  post-up echo 1 > /proc/sys/net/ipv6/conf/eth0/disable_ipv6

auto eth2
iface eth2 inet manual
  up ip link set eth2 promisc on arp off up
  down ip link set eth2 promisc off down
  post-up ethtool -G eth2 rx ; for i in rx tx sg tso ufo gso gro lro; do ethtool -K eth2 $i off; done
  post-up echo 1 > /proc/sys/net/ipv6/conf/eth2/disable_ipv6

auto br0
iface br0 inet manual
  bridge_ports eth0 eth2
  up ip link set br0 promisc on arp off up
  down ip link set br0 promisc off down
  post-up ethtool -G br0 rx ; for i in rx tx sg tso ufo gso gro lro; do ethtool -K br0 $i off; done
  post-up echo 1 > /proc/sys/net/ipv6/conf/br0/disable_ipv6
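
A way to confirm that the settings in this file actually took effect after boot, added here as an example and not part of the original post. The function names and sample output are constructed for illustration, and the bridge check assumes an iproute2 version that prints `master br0` for bridge ports.

```shell
#!/bin/sh
# Added example (not from the original post). Both functions read command
# output on stdin, so they work on live output or on saved samples.

# link_problems IFACE [BRIDGE]   stdin: `ip -o link show`
# Prints one line per setting that differs from the interfaces file above.
link_problems() {
  iface=$1 bridge=$2
  line=$(grep -E "^[0-9]+: ${iface}(@[^:]*)?: " || true)
  if [ -z "$line" ]; then echo "$iface: not present"; return 0; fi
  flags=$(printf '%s\n' "$line" | sed 's/^[^<]*<\([^>]*\)>.*/\1/')
  for want in PROMISC NOARP UP; do
    case ",$flags," in
      *",$want,"*) ;;
      *) echo "$iface: flag $want not set" ;;
    esac
  done
  if [ -n "$bridge" ]; then
    case "$line" in
      *" master $bridge "*) ;;
      *) echo "$iface: not a port of $bridge" ;;
    esac
  fi
}

# offloads_on   stdin: `ethtool -k IFACE`
# Prints the features from the post-up loop (rx tx sg tso ufo gso gro lro,
# listed by ethtool under their long names) that are still reported "on".
offloads_on() {
  names='rx-checksumming|tx-checksumming|scatter-gather|tcp-segmentation-offload'
  names="$names|udp-fragmentation-offload|generic-segmentation-offload"
  names="$names|generic-receive-offload|large-receive-offload"
  awk -F': ' -v re="^($names)\$" '$1 ~ re && $2 ~ /^on/ { print $1 }'
}

# Constructed sample output: eth0 configured as in the post, eth2 left at
# defaults, and one offload still enabled.
SAMPLE_LINK='3: eth0: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP qlen 1000
5: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000'
SAMPLE_ETHTOOL='Features for eth0:
rx-checksumming: off
tcp-segmentation-offload: off
udp-fragmentation-offload: off [fixed]
generic-receive-offload: on
large-receive-offload: off [fixed]'

printf '%s\n' "$SAMPLE_LINK" | link_problems eth0 br0
printf '%s\n' "$SAMPLE_LINK" | link_problems eth2 br0
printf '%s\n' "$SAMPLE_ETHTOOL" | offloads_on
```

On the sensor itself, feed the functions live output: `ip -o link show | link_problems eth0 br0` and `ethtool -k eth0 | offloads_on`. No output means the interface matches the configuration; an offload left on can cause the capture tools to see merged frames rather than the packets as they appeared on the wire.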

1 comment:

Gary Wright said...

This was super helpful.

Thanks for sharing!