Netgate Discussion Forum
Virtualbox IDS configuration

  • aish
    last edited Apr 20, 2018, 2:57 PM

    Hello everyone!

    I'm having a bit of trouble understanding how to get my lab setup working. Essentially, I have three virtual machines all on the same subnet:
    Victim Box - 192.168.56.2
    Attacker Box - 192.168.56.3
    IDS System (AlienVault OSSIM in this case) - 192.168.56.100

    Essentially, what I'm trying to do is monitor the traffic between the victim and attacker box. With normal VirtualBox host-only networking, I can't seem to figure out why the NIDS is not picking up scans from Attacker -> Victim. I thought a possible solution would be to use pfSense as the router/switch and mirror all the traffic to the NIDS interface. I attempted to create a SPAN port of LAN, but I'm unsure how I can send that data to the NIDS interface. Given that it's all virtual, I can't simply plug in a cable like I'm used to doing.

    Has anyone configured something similar or would know how to go about setting this up?

    Thank you for your time

    • KOM
      last edited Apr 20, 2018, 3:07 PM

      How does pfSense figure into this?  If everything is on the same subnet, no routing or firewall is involved - the clients talk directly to each other.

      • aish
        last edited Apr 20, 2018, 3:11 PM

        From my understanding, I need to mirror (or at least be able to sniff) all the traffic occurring on the subnet. I have my lab set up in a VirtualBox host-only network, and I can't get the IDS to monitor the network traffic. I was under the assumption this was a limitation of VirtualBox and I needed to configure the mirroring/sniffing manually. From what I was reading, pfSense should be able to do this, I believe.

        • KOM
          last edited Apr 20, 2018, 3:28 PM

          > I can't get the IDS to monitor the network traffic.

          What IDS are you talking about?  Snort?  Suricata?

          An IDS can only see traffic crossing from one interface to another.  It's not going to see any inter-LAN traffic.

          • aish
            last edited Apr 20, 2018, 3:33 PM

            I'm using AlienVault OSSIM, which uses Suricata.

            In pfSense, I was attempting to make a bridge and then SPAN the bridge. Would this work to see the inter-LAN traffic?

            • KOM
              last edited Apr 20, 2018, 4:50 PM

              Probably not.  All your traffic is going to be within your switch but it depends on where you're putting these clients relative to your bridge.

              I don't know why you don't just create a fake WAN and LAN.  Make the WAN a bridged adapter on your LAN, and make the LAN an intnet interface.  Then put server on LAN and attacker on WAN.  Then you have pfSense acting as routing firewall between them.  You can use pfSense's Suricata package instead of needing a third system.

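The layout suggested in the last post (pfSense WAN on a bridged adapter, pfSense LAN on an internal network, server on LAN, attacker on WAN), written out as VirtualBox commands. This is an added example, not part of the thread; the VM names, the host adapter name `eth0` and the internal network name `lab-lan` are assumptions.

```sh
#!/bin/sh
# Added example: VirtualBox wiring for the "fake WAN and LAN" lab.
# Assumed names (not from the thread): VM names, host adapter, intnet name.
FW_VM="${FW_VM:-pfsense-lab}"
VICTIM_VM="${VICTIM_VM:-victim}"
ATTACKER_VM="${ATTACKER_VM:-attacker}"
HOST_NIC="${HOST_NIC:-eth0}"      # host adapter the WAN side bridges to
LAN_NET="${LAN_NET:-lab-lan}"     # VirtualBox internal network for the LAN side

# Print the commands instead of running them, so the plan can be reviewed.
lab_plan() {
  # pfSense: NIC1 = WAN (bridged adapter), NIC2 = LAN (internal network)
  echo "VBoxManage modifyvm $FW_VM --nic1 bridged --bridgeadapter1 $HOST_NIC"
  echo "VBoxManage modifyvm $FW_VM --nic2 intnet --intnet2 $LAN_NET"
  # Server behind pfSense, attacker in front of it
  echo "VBoxManage modifyvm $VICTIM_VM --nic1 intnet --intnet1 $LAN_NET"
  echo "VBoxManage modifyvm $ATTACKER_VM --nic1 bridged --bridgeadapter1 $HOST_NIC"
}

# NIC1 attachment type ("bridged" or "intnet") that the plan gives a VM.
attachment_of() {
  lab_plan | awk -v vm="$1" '$3 == vm && $4 == "--nic1" { print $5 }'
}

# Succeeds only when the two VMs sit on different segments, i.e. their
# traffic has to be routed through pfSense, where Suricata can inspect it.
crosses_firewall() {
  a=$(attachment_of "$1")
  b=$(attachment_of "$2")
  [ -n "$a" ] && [ -n "$b" ] && [ "$a" != "$b" ]
}

# Run the plan. modifyvm only works while the VMs are powered off.
lab_apply() {
  command -v VBoxManage >/dev/null 2>&1 || { echo "VBoxManage not found" >&2; return 1; }
  lab_plan | while IFS= read -r cmd; do
    sh -c "$cmd" || exit 1
  done
}

if [ "${APPLY:-0}" = 1 ]; then
  crosses_firewall "$ATTACKER_VM" "$VICTIM_VM" || { echo "clients share a segment" >&2; exit 1; }
  lab_apply
fi
```

Without `APPLY=1` the script changes nothing; call `lab_plan` to print the commands for review first.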