Mirroring network traffic
-
Is there a way to mirror incoming and outgoing network traffic to a specific IP/interface for analysis using a network monitoring system? If yes, is it possible to only forward specific traffic/ports and/or forward everything and ignore specific traffic/ports?
-
You can do that with a switch that supports port mirroring or spanning…
Like this one:
http://routerboard.com/RB260GS
and use a package called Security Onion which has all the tools you need already customized into one easy-to-use package (well, not really easy, but all the packages are pre-installed in an ISO so you can get to an implementation fairly quickly :) )
https://github.com/Security-Onion-Solutions/security-onion/wiki/IntroductionToSecurityOnion
http://blog.securityonion.net/p/securityonion.html
-
That was actually my plan! :)
I was planning to mirror all my traffic into an SO server. The only thing that I'd like to be able to do is to not keep certain traffic (I move a lot of files to and from FTP servers, so I'd like to set up their IPs as ignored). Is that possible with that switch, or is that something specific you have to do in pfSense?
-
You don't need to do that in the switch… Security Onion has BPF, which you can configure to skip specific traffic…
BPF FAQ:
https://github.com/Security-Onion-Solutions/security-onion/wiki/BPF
SO Google Group:
https://groups.google.com/forum/#!forum/security-onion
-
You might actually want to do that at the switch to reduce the hardware requirements of Security Onion. The more data you anticipate pushing through it, the more your machine requirements go up.
There is a section in the MikroTik where you can create ACLs. Unfortunately, there's no easy way to prune just FTP traffic from being mirrored.
http://wiki.mikrotik.com/wiki/SwOS#ACL_Tab
-
True, but if the LAN device is FTPing to another box on the LAN then it never hits pfSense and it's not going to get mirrored to SO…
The nice thing about SO is that it can be set up in a distributed format in a network... I have it currently monitoring pfSense LAN, MS AD Server, and MS File/Print Servers at different locations all tied together into one Master SO Server. :)
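As an added example (not part of the thread, and not Security Onion's own tooling), here is a small POSIX shell script that generates the BPF exclusion expression the earlier reply refers to, for the case raised in the question: dropping all traffic to and from a set of FTP servers. The FTP server addresses are constructed placeholders from the RFC 5737 documentation range; the file you paste the result into is the sensor bpf.conf described on the linked BPF wiki page for your Security Onion version.

```shell
#!/bin/sh
# Added example: build a BPF exclusion filter for a Security Onion sensor so
# that traffic to/from the listed FTP servers is never captured.
# The addresses are constructed placeholders (RFC 5737 documentation range).

FTP_SERVERS="192.0.2.10 192.0.2.11"

# join_hosts HOST... -> "host A or host B or ..."
# "host X" in BPF matches X as either source or destination.
join_hosts() {
  expr=""
  for h in "$@"; do
    [ -n "$expr" ] && expr="$expr or "
    expr="${expr}host $h"
  done
  printf '%s' "$expr"
}

# build_bpf_filter HOST... -> drop every packet where any listed host is the
# source or destination.  This is the filter to use for the question's case:
# excluding only "port 21" would keep the FTP control channel out but still
# capture the data connections, which use ephemeral ports in passive mode,
# so the hosts are excluded outright.
build_bpf_filter() {
  printf 'not (%s)\n' "$(join_hosts "$@")"
}

# build_ftp_control_filter HOST... -> narrower variant that keeps the hosts'
# other traffic visible and drops only their FTP control channel (TCP/21).
# Useful when the same boxes also serve something you do want to monitor.
build_ftp_control_filter() {
  printf 'not ((%s) and tcp port 21)\n' "$(join_hosts "$@")"
}

# Usage: sh bpf_filter.sh
# Prints both candidate expressions; paste the chosen one into the sensor's
# bpf.conf (location per the Security Onion BPF wiki page for your version).
build_bpf_filter $FTP_SERVERS
build_ftp_control_filter $FTP_SERVERS
```

Note that a bpf.conf filter only keeps the packets off the sensor's disk and out of the IDS/Bro pipeline; the switch still mirrors them, so if the goal is to shrink the SPAN feed itself (the point made about hardware requirements), the exclusion has to happen in the switch ACLs instead, and the thread notes that MikroTik's SwOS does not make that easy for FTP specifically.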