Virtualbox IDS configuration



  • Hello everyone!

    I'm having a bit of trouble understanding how to get my lab setup working. Essentially, I have three virtual machines all on the same subnet:
    Victim Box - 192.168.56.2
    Attacker Box - 192.168.56. 3
    IDS System (AlienVault OSSIM in this case) - 192.168.56.100

    Essentially, what I'm trying to do is monitor the traffic between the victim and attacker box. With normal virtualbox host-only networking, I can't seem to figure out why the NIDS is not picking up scans from Attacker -> Victim. I thought a possible solution would be to use PFSense as the router/switch and mirroring all the traffic to the NIDS interface. I attempted to create a SPAN port of LAN, but I'm unsure how I can send that data to the NIDS interface. Given that it's all virtual, I can't simply plug in a cable like I'm used to doing.

    Has anyone configured something similar or would know how to go about setting this up?

    Thank you for your time



  • How does pfSense figure into this?  If everything is on the same subnet, no routing or firewall is involved - the clients talk directly to each other.



  • From my understanding, I need to mirror (or at least be able to sniff) all the traffic occurring on the subnet. I have my lab setup in a virtualbox host only network, and I can't get the IDS to monitor the network traffic. I was under the assumption this was a limitation of Virtualbox and I needed to configure the mirroring/sniffing manually. From what I was reading, Pfsense should be able to do this I believe.



  • I can't get the IDS to monitor the network traffic.

    What IDS are you talking about?  Snort?  Suricata?

    An IDS can only see traffic crossing from one interface to another.  It's not going to see any inter-LAN traffic.



  • I'm using AlienVault OSSIM, which uses suricata.

    In PFSense, I was attempting to make a bridge and then SPAN the bridge. Would this work to see the interlan traffic?



  • Probably not.  All your traffic is going to be within your switch but it depends on where you're putting these clients relative to your bridge.

    I don't know why you don't just create a fake WAN and LAN.  Make the WAN a bridged adapter on your LAN, and make the LAN an intnet interface.  Then put server on LAN and attacker on WAN.  Then you have pfSense acting as routing firewall between them.  You can use pfSense's Suricata package instead of needing a third system.