Netgate Discussion Forum

    Virtualbox IDS configuration

      aish

      Hello everyone!

      I'm having a bit of trouble understanding how to get my lab setup working. Essentially, I have three virtual machines all on the same subnet:
      Victim Box - 192.168.56.2
      Attacker Box - 192.168.56.3
      IDS System (AlienVault OSSIM in this case) - 192.168.56.100

      Essentially, what I'm trying to do is monitor the traffic between the victim and attacker box. With normal VirtualBox host-only networking, I can't seem to figure out why the NIDS is not picking up scans from Attacker -> Victim. I thought a possible solution would be to use pfSense as the router/switch and mirror all the traffic to the NIDS interface. I attempted to create a SPAN port of LAN, but I'm unsure how I can send that data to the NIDS interface. Given that it's all virtual, I can't simply plug in a cable like I'm used to doing.

      Has anyone configured something similar or would know how to go about setting this up?

      Thank you for your time

        KOM

        How does pfSense figure into this?  If everything is on the same subnet, no routing or firewall is involved - the clients talk directly to each other.

          aish

          From my understanding, I need to mirror (or at least be able to sniff) all the traffic occurring on the subnet. I have my lab set up in a VirtualBox host-only network, and I can't get the IDS to monitor the network traffic. I was under the assumption this was a limitation of VirtualBox and I needed to configure the mirroring/sniffing manually. From what I was reading, pfSense should be able to do this, I believe.

            KOM

            > I can't get the IDS to monitor the network traffic.

            What IDS are you talking about?  Snort?  Suricata?

            An IDS can only see traffic crossing from one interface to another.  It's not going to see any inter-LAN traffic.

              aish

              I'm using AlienVault OSSIM, which uses Suricata.

              In pfSense, I was attempting to make a bridge and then SPAN the bridge. Would this work to see the inter-LAN traffic?

                KOM

                Probably not.  All your traffic is going to be within your switch but it depends on where you're putting these clients relative to your bridge.

                I don't know why you don't just create a fake WAN and LAN.  Make the WAN a bridged adapter on your LAN, and make the LAN an intnet interface.  Then put server on LAN and attacker on WAN.  Then you have pfSense acting as routing firewall between them.  You can use pfSense's Suricata package instead of needing a third system.
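
The NIC layout from the last reply above (pfSense WAN bridged, pfSense LAN on an internal network, server on LAN, attacker on WAN), as an added example that is not part of the thread. The VM names, the host adapter `eth0`, the internal network name `lab-lan` and the `vboxnet0` sample are assumed placeholders; the helper functions are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. VM, adapter and network names are assumed
# placeholders. Default is a dry run that prints commands; APPLY=1 runs them.
PFSENSE_VM="${PFSENSE_VM:-pfsense-lab}"
VICTIM_VM="${VICTIM_VM:-victim-box}"
ATTACKER_VM="${ATTACKER_VM:-attacker-box}"
HOST_ADAPTER="${HOST_ADAPTER:-eth0}"   # host NIC the bridged adapters attach to
LAB_INTNET="${LAB_INTNET:-lab-lan}"    # VirtualBox internal network name

vbox() {
    if [ "${APPLY:-0}" = "1" ]; then VBoxManage "$@"; else echo "VBoxManage $*"; fi
}

# NIC layout from the reply: pfSense NIC1 = WAN (bridged), NIC2 = LAN (intnet),
# server on LAN, attacker on WAN. VMs must be powered off for modifyvm.
configure_lab() {
    vbox modifyvm "$PFSENSE_VM"  --nic1 bridged --bridgeadapter1 "$HOST_ADAPTER"
    vbox modifyvm "$PFSENSE_VM"  --nic2 intnet  --intnet2 "$LAB_INTNET"
    vbox modifyvm "$VICTIM_VM"   --nic1 intnet  --intnet1 "$LAB_INTNET"
    vbox modifyvm "$ATTACKER_VM" --nic1 bridged --bridgeadapter1 "$HOST_ADAPTER"
}

# Reduce `VBoxManage showvminfo <vm> --machinereadable` output (on stdin) to the
# layer-2 segment NIC 1 is attached to, e.g. "intnet:lab-lan".
nic1_segment() {
    awk -F= '
        { gsub(/"/, "", $2); kv[$1] = $2 }
        END {
            t = kv["nic1"]
            k = (t == "intnet") ? "intnet1" : ((t == "bridged") ? "bridgeadapter1" : "hostonlyadapter1")
            print t ":" kv[k]
        }'
}

# Succeeds when the two segments differ, so the VMs can only reach each other
# through a router such as pfSense; fails when they share one segment.
crosses_router() { [ "$1" != "$2" ]; }

# Constructed sample: the original lab, both VMs on one host-only network.
ORIG=$(printf 'nic1="hostonly"\nhostonlyadapter1="vboxnet0"\n' | nic1_segment)
crosses_router "$ORIG" "$ORIG" || echo "same segment: traffic never crosses pfSense"
configure_lab
```

Run it once as-is to review the printed commands, then again with `APPLY=1` while the VMs are powered off.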

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.