    Virtualbox IDS configuration

    • A
      aish last edited by

      Hello everyone!

      I'm having a bit of trouble understanding how to get my lab setup working. Essentially, I have three virtual machines all on the same subnet:
      Victim Box - 192.168.56.2
      Attacker Box - 192.168.56.3
      IDS System (AlienVault OSSIM in this case) - 192.168.56.100

      Essentially, what I'm trying to do is monitor the traffic between the victim and attacker box. With normal VirtualBox host-only networking, I can't seem to figure out why the NIDS is not picking up scans from Attacker -> Victim. I thought a possible solution would be to use pfSense as the router/switch and mirror all the traffic to the NIDS interface. I attempted to create a SPAN port of LAN, but I'm unsure how I can send that data to the NIDS interface. Given that it's all virtual, I can't simply plug in a cable like I'm used to doing.

      Has anyone configured something similar or would know how to go about setting this up?

      Thank you for your time

      • KOM
        KOM last edited by

        How does pfSense figure into this?  If everything is on the same subnet, no routing or firewall is involved - the clients talk directly to each other.

        • A
          aish last edited by

          From my understanding, I need to mirror (or at least be able to sniff) all the traffic occurring on the subnet. I have my lab set up in a VirtualBox host-only network, and I can't get the IDS to monitor the network traffic. I was under the assumption this was a limitation of VirtualBox and I needed to configure the mirroring/sniffing manually. From what I was reading, pfSense should be able to do this, I believe.

          • KOM
            KOM last edited by

            I can't get the IDS to monitor the network traffic.

            What IDS are you talking about?  Snort?  Suricata?

            An IDS can only see traffic crossing from one interface to another.  It's not going to see any inter-LAN traffic.

            • A
              aish last edited by

              I'm using AlienVault OSSIM, which uses Suricata.

              In pfSense, I was attempting to make a bridge and then SPAN the bridge. Would this work to see the inter-LAN traffic?

              • KOM
                KOM last edited by

                Probably not.  All your traffic is going to be within your switch but it depends on where you're putting these clients relative to your bridge.

                I don't know why you don't just create a fake WAN and LAN.  Make the WAN a bridged adapter on your LAN, and make the LAN an intnet interface.  Then put server on LAN and attacker on WAN.  Then you have pfSense acting as routing firewall between them.  You can use pfSense's Suricata package instead of needing a third system.

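The WAN/LAN layout suggested in the last reply, as an added example that is not part of the thread: a dry-run plan of the VirtualBox NIC settings plus a check that victim and attacker no longer share a layer-2 segment. The VM names, host adapter `eth0` and internal network name `lab-lan` are assumptions, and the `showvminfo` samples are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. VM names, adapter names and the intnet
# name ("lab-lan") are hypothetical; the sample showvminfo text is constructed.

# Print the VBoxManage commands for the WAN/LAN layout (dry run: nothing is executed).
plan_topology() {  # args: pfsense-vm victim-vm attacker-vm host-adapter
    echo "VBoxManage modifyvm $1 --nic1 bridged --bridgeadapter1 $4"  # pfSense WAN
    echo "VBoxManage modifyvm $1 --nic2 intnet --intnet2 lab-lan"     # pfSense LAN
    echo "VBoxManage modifyvm $2 --nic1 intnet --intnet1 lab-lan"     # victim on LAN
    echo "VBoxManage modifyvm $3 --nic1 bridged --bridgeadapter1 $4"  # attacker on WAN
}

# Read `VBoxManage showvminfo <vm> --machinereadable` on stdin and print the
# layer-2 segment NIC1 is attached to, e.g. "intnet:lab-lan".
segment_of() {
    awk -F= '
        { gsub(/"/, "", $2) }
        $1 == "nic1"             { type = $2 }
        $1 == "intnet1"          { name["intnet"] = $2 }
        $1 == "hostonlyadapter1" { name["hostonly"] = $2 }
        $1 == "bridgeadapter1"   { name["bridged"] = $2 }
        END { print type ":" name[type] }'
}

# Succeeds only when the two segments differ, i.e. traffic between the VMs
# must be routed through the firewall instead of being switched directly.
crosses_firewall() { [ "$1" != "$2" ]; }

# Constructed samples: the original host-only lab, then the WAN/LAN layout.
HOSTONLY_VM='nic1="hostonly"
hostonlyadapter1="vboxnet0"'
LAN_VM='nic1="intnet"
intnet1="lab-lan"'
WAN_VM='nic1="bridged"
bridgeadapter1="eth0"'

report() {  # args: label victim-info attacker-info
    v=$(printf '%s\n' "$2" | segment_of)
    a=$(printf '%s\n' "$3" | segment_of)
    if crosses_firewall "$v" "$a"; then
        echo "$1: victim=$v attacker=$a -> routed through pfSense"
    else
        echo "$1: victim=$v attacker=$a -> same segment, bypasses pfSense"
    fi
}

plan_topology pfsense victim attacker eth0
report "host-only lab" "$HOSTONLY_VM" "$HOSTONLY_VM"
report "WAN/LAN lab" "$LAN_VM" "$WAN_VM"
```

On a real host, pipe `VBoxManage showvminfo <vm> --machinereadable` into `segment_of` for each VM instead of using the constructed samples.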