Antsle Forum
Capturing traffic to br2 interface in promiscuous mode
Quote from 1sec on January 1, 2019, 7:35 pm
I'm trying to set up an Intrusion Detection System using Security Onion, Bro, ELSA, and Wireshark.
I have my internet connection's external port spanned from a switch and am trying to send the mirrored traffic to a VM on my antsle.
The VM is set to promiscuous mode. I also set the Antsle interfaces Br2 & enp0s20f2 to promiscuous mode by using the CLI command ip link set Br2 promisc on. When I run ifconfig, it shows the ports in promiscuous mode.
When I capture on the VM with interface Br2 (assigned to eth3 on my VM), I am only seeing broadcast traffic and nothing else. I should be seeing all traffic in Wireshark, and it seems that promiscuous mode is not working through the antsle ports.
If I take the same cable and plug it into my laptop, I am seeing all the traffic, so I know the traffic is there.
Any ideas why the antsle interface is not letting the traffic through as expected? Any tips appreciated. Thank you and happy new year.
Quote from 1sec on January 3, 2019, 3:46 pm
I got this working with a little help from Antsle Support (they have been awesome!!)
I'm not certain if I still need the commands I issued to turn on the promiscuous mode at the interface, but I am assuming so. [ip link set Br2 promisc on]. I left it for now but will try to remove it and see what happens later...
Here is how to enable the mode to capture all traffic from a monitor session:
For promiscuous mode you can install bridge-utils. From the antsleOS command line run
emerge bridge-utils
Then set the ageing to 0 on the brX:
brctl setageing br2 0
If it's only temporary, this will hold until you reboot. Otherwise, to make it persistent you can add the following line to the 'net' configuration file in antsleOS:
bridge_ageing_time_br2="0"
Open the 'net' file for editing:
nano /etc/conf.d/net
In this example I am setting the ageing time on br2, and I add the line to the br2 section as the last line:
# this info is already here:
bridge_br2="enp0s20f2"
config_enp0s20f2="null"
config_br2="192.168.1.44 netmask 255.255.255.0"
rc_net_br2_need="net.enp0s20f2"
# add this line to use promiscuous mode after reboots. To disable just comment out the line:
bridge_ageing_time_br2="0"
Save and exit.
This should work for all antlets connected to that bridge.
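The procedure in the post above, as an added example in POSIX shell; this is not code from the post or from Antsle. It assumes the post's names (bridge br2, member NIC enp0s20f2, Gentoo-style /etc/conf.d/net), the stock Linux sysfs layout (/sys/class/net/<if>/flags with IFF_PROMISC = 0x100, /sys/class/net/<br>/bridge/ageing_time), and that `ip` and `brctl` are on PATH. The functions take the config path and the sysfs root as parameters so they can be exercised against a constructed copy without touching the host; the real commands only run when the script is invoked as `sh monitor-bridge.sh apply br2 enp0s20f2`.

```shell
#!/bin/sh
# Added example, not from the forum post. Assumed names: br2, enp0s20f2,
# /etc/conf.d/net, /sys/class/net layout (see lead-in).

# Idempotently set bridge_ageing_time_<br>="0" in a /etc/conf.d/net file:
# re-enable an existing (possibly commented-out) line in place, else append.
add_ageing_line() {
    conf="$1"; br="$2"
    key="bridge_ageing_time_${br}"
    tmp="${conf}.tmp"
    if grep -q "^#*[[:space:]]*${key}=" "$conf"; then
        sed "s/^#*[[:space:]]*${key}=.*/${key}=\"0\"/" "$conf" > "$tmp"
    else
        cp "$conf" "$tmp"
        printf '# monitor bridge: no FDB learning, flood every frame to all ports\n%s="0"\n' "$key" >> "$tmp"
    fi
    mv "$tmp" "$conf"
}

# Return 0 when <dev> has IFF_PROMISC (0x100) set in its sysfs flags.
is_promisc() {
    sysroot="$1"; dev="$2"
    flags=$(cat "$sysroot/$dev/flags") || return 1
    [ $(( $flags & 0x100 )) -ne 0 ]
}

# Return 0 when the bridge's ageing_time is 0 (addresses never stay learned,
# so unicast to unknown destinations floods like a hub).
ageing_is_zero() {
    sysroot="$1"; br="$2"
    t=$(cat "$sysroot/$br/bridge/ageing_time") || return 1
    [ "$t" -eq 0 ]
}

# Combined check: bridge and member NIC promiscuous, bridge ageing 0.
check_monitor_bridge() {
    sysroot="$1"; br="$2"; nic="$3"
    is_promisc "$sysroot" "$br" && is_promisc "$sysroot" "$nic" && ageing_is_zero "$sysroot" "$br"
}

# Apply for real only when asked: sh monitor-bridge.sh apply br2 enp0s20f2
if [ "${1:-}" = "apply" ]; then
    br="${2:-br2}"; nic="${3:-enp0s20f2}"
    ip link set "$br" promisc on
    ip link set "$nic" promisc on
    brctl setageing "$br" 0
    add_ageing_line /etc/conf.d/net "$br"
    check_monitor_bridge /sys/class/net "$br" "$nic" && echo "ok: $br is a monitor bridge"
fi
```

Two caveats worth keeping in mind with this setup. The kernel already puts a port into promiscuous mode when it is enslaved to a bridge, so the explicit `ip link set ... promisc on` on enp0s20f2 is harmless but usually not what was missing; the ageing time is what turns the bridge from a learning switch into a repeater. And because ageing 0 floods every frame to every port, all antlets attached to br2 see the whole SPAN feed, so keep that bridge dedicated to the sensor and leave the sensor's capture interface without an IP address.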
Quote from roliver15 on March 18, 2022, 6:50 am
@ericblissmer-com do you have a write-up of how you got Security Onion running on your antsle? I'm currently trying to set this up now and running into issues with the networking pieces to get it set up fully.
Quote from 1sec on March 18, 2022, 8:06 am
I don't have any write-up on Security Onion, but I remember it being difficult to get everything set up and visible.
Most important thing is getting your antsle interface set up for promiscuous mode, so you can use the IDS. Then it's just a matter of following the Security Onion guides.
I didn't keep SO very long; I'm currently using AlienVault USM Anywhere. I've also tried OSSEC and liked it better than SO.
Maybe I'll try it again eventually; hopefully it is a little easier to work with now. Good luck!
Quote from roliver15 on March 18, 2022, 8:18 am
Yeah, I'm currently having issues just getting the management interface to use my bridged interface.
Tried setting up an additional NIC to use, and antman didn't like having two NICs enabled and wouldn't get a public IP. It'll take some research and trial and error, I'm sure.
Quote from putridgrant on November 15, 2022, 7:05 pm
I'm also having trouble using only the management interface to use my bridging interface.
Quote from nicklesa on January 16, 2023, 5:55 pm
I did not maintain SO for very long, and at the moment I am working with AlienVault USM Anywhere. I also experimented with OSSEC, and overall, I preferred it over SO.