Configuring a bridged promisc interface in Security Onion

-
A few months ago I configured an all in one (server and sensor) Security Onion VM on my ESXi box.  It took a while, but I finally found a good box that I could use for a physical sensor.   I bought this Barracuda ethernet TAP back around 2007-9, and while it worked great, after I moved to my house, it has literally been collecting dust in my basement for years.  Lucky for me, it still works! 

This is a non aggregating TAP, which means I have two "output" cables coming from the TAP to my IDS.   On the physical server, I installed Security Onion as a sensor only, and the TAP interfaces ended up being eth0 and eth2 (eth1 is the mgmt. interface).

I quickly realized that I only knew how to bond two interfaces together on CentOS/RedHat.  It took a few hours of googling and trial and error, but I finally got eth0 and eth2 bonded/bridged together. 

Aside from the Security Onion install, and configuring the interfaces (as shows below), the only other thing I needed to do was to install the bridge-utils package.  Until I did that, even though my interfaces file was configured properly, the br0 interface would not come up.  

I don't want to lose the config that ended up working, so here is the final config for Ubuntu/Xubuntu:


seth@sensor-dell:~$ uname -a
Linux sensor-dell 3.2.0-58-generic #88-Ubuntu SMP Tue Dec 3 17:37:58 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux


seth@sensor-dell:~$ history | grep bridge-utils
   67  sudo apt-get install bridge-utils


seth@sensor-dell:~$ cat /etc/network/interfaces
# This configuration was created by the Security Onion setup script.  The original network
# interface configuration file was backed up to /etc/networking/interfaces.bak.

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# loopback network interface
auto lo
iface lo inet loopback

# Management network interface
auto eth1
iface eth1 inet static
  address 192.168.0.202
  gateway 192.168.0.1
  netmask 255.255.255.0
  dns-nameservers 8.8.8.8 8.8.4.4

auto eth0
iface eth0 inet manual
  up ip link set eth0 promisc on arp off up
  down ip link set eth0 promisc off down
  post-up ethtool -G eth0 rx ; for i in rx tx sg tso ufo gso gro lro; do ethtool -K eth0 $i off; done
  post-up echo 1 > /proc/sys/net/ipv6/conf/eth0/disable_ipv6

auto eth2
iface eth2 inet manual
  up ip link set eth2 promisc on arp off up
  down ip link set eth2 promisc off down
  post-up ethtool -G eth2 rx ; for i in rx tx sg tso ufo gso gro lro; do ethtool -K eth2 $i off; done
  post-up echo 1 > /proc/sys/net/ipv6/conf/eth2/disable_ipv6

auto br0
iface br0 inet manual
  bridge_ports eth0 eth2
  up ip link set br0 promisc on arp off up
  down ip link set br0 promisc off down
  post-up ethtool -G br0 rx ; for i in rx tx sg tso ufo gso gro lro; do ethtool -K br0 $i off; done
  post-up echo 1 > /proc/sys/net/ipv6/conf/br0/disable_ipv6

Comments

Gary Wright said…
This was super helpful.

Thanks for sharing!
June 28, 2016 at 12:33 PM
Unknown said…
this was super helpful and am thankful for Wes from Security Onion Solutions for pointing me here. When I ifup the interface I see these errors:

kenneth@SOLAB:~$ sudo ifup br0

Waiting for br0 to get ready (MAXWAIT is 32 seconds).
ethtool: bad command line argument(s)
For more information run ethtool -h
Cannot change rx-checksumming
Cannot change large-receive-offload

Is there any reason for this? I saw this when I practiced it in a virtual machine and on a physical box
May 27, 2017 at 10:48 AM
Post a Comment

Popular posts from this blog

Exploiting Python Code Injection in Web Applications

-
Image
A web application vulnerable to Python code injection allows you to send Python code though the application to the Python interpreter on the target server. If you can execute python, you can likely call operating system commands. If you can run operating system commands, you can read/write files that you have access to, and potentially even launch a remote interactive shell (e.g., nc, Metasploit, Empire). The thing is, when I needed to exploit this on an external penetration test recently, I had a hard time finding information online about how to move from proof of concept (POC) to useful web application exploitation. Together with my colleague Charlie Worrell ( @decidedlygray ),  we were able to turn the Burp POC (sleep for 20 seconds) into a non interactive shell, which is what this post covers. Python code injection is a subset of server-side code injection, as this vulnerability can occur in many other languages (e.g., Perl and Ruby). In fact, for those of you who are CWE f...
Read more

Exploiting Server Side Request Forgery on a Node/Express Application (hosted on Amazon EC2)

-
Image
I recently came across a Server Side Request Forgery (SSRF) vulnerability within an application that I assessed.  The application was hosted on Amazon EC2 and was using Node.js, Express.js, and as I found out later, Needle.js. Discovery   Manual Discovery In the discovery phase, I noticed a function of the application that was taking a user specified URL and displaying the first paragraph from that URL into the page.  This application allowed a user to share a URL with their friends, and grabbing the first paragraph was a feature that would provide the friends with more context. The thing is, when looking at my Burp history, I could not find the request to the URL that I specified in my logs.  This should raise an eyebrow!   This means that the server is taking the URL I specified, making a request on my behalf, and then returning the result to me. That right there is SSRF .  Then, the only question was: What is the risk? Automated Discover...
Read more

Pentest Home Lab - 0x3 - Kerberoasting: Creating SPNs so you can roast them

-
Image
TL;DR There are a lot of great blogs out there that show you how to Kerberoast.  In this post, I'm going to walk through the process of setting up your lab so that you can practice this attack.  This involves creating a domain user and then mapping a SPN to that account. After that, I'll walk through using Empire to launch Invoke-Kerberoast, and I'll crack the hashes offline with Hashcat. Pentest Home Lab Recap If you don't already have an Active Directory lab and want to build one so that you can play along, check out my previous posts: Pentest Home Lab - 0x0 - Building A Virtual Corporate Domain   Pentest Home Lab - 0x1 - Building Your AD Lab on AWS Pentest Home Lab - 0x2 - Building Your AD Lab on Premises using Proxmox VE The Attack: Kerberoasting Attack Goals Domain privesc & lateral movement.  If you have domain credentials and access to the domain, this is a relatively easy way to gain additional access within the domain. If all goes well, ...
Read more