Antsle Forum


Running snort IDS in an antlet

I'm looking at running the snort IDS in an antlet. This in itself is simple enough; I have it running successfully in a Debian LXC container, and it works perfectly, processing the packets which arrive on the bridged br0/eth0 port.

What I want to do, though, is get it listening to all the network traffic, via a monitor port on my switch plugged into br2, but I'm not sure how I should configure br2 for this, inasmuch as the monitor port is on the same network as br0. Giving it a static on the same subnet causes the expected routing snafu, and while ordinarily I'd configure the interface connected to the monitor port as up without an IP address, this isn't an option in antMan, and I'm not sure if that would work properly with an LXC container anyway.

Has anyone else got this sort of thing working and could drop me a pointer or two?

Thanks,

Alistair Young


Hi Alistair, just saw your post. I've been trying to get an IDS working by spanning a port from my external switch to br2 using Ubuntu VM.

I manually set the BR2 port for promiscuous mode, however I've not been able to get the spanned traffic to show up inside an antlet. Seems something in the ports won't forward the traffic, it only shows broadcast traffic.

I'm curious if you got this working or made any progress with it? If I can't get this to work with spanned traffic it really cuts down what it can do for me, so I hope it's just a config thing.

Oh, and I got BR2 plugged into my Cisco monitor dest port, with no DHCP. I set it to DHCP, and it pulls the APIPA 169. address. Technically with promiscuous mode, it should not matter even if you leave a static on it. Also there is a warning saying if you set DHCP, make sure it's gonna get a DHCP or bad things will happen -- guess I got lucky on that one anyway.


good luck -

eric.

Following up, got this working. Copying reply from my original post:

For promiscuous mode you can install the bridge-utils. From the antsleOS command line, run

    emerge bridge-utils

Then set the ageing to 0 on the brX:

    brctl setageing br1 0

To make it persistent you can add the following line to the 'net' configuration file in the antsleOS:

    bridge_ageing_time_br1="0"

Open the 'net' file for editing:

    nano /etc/conf.d/net

In this example I am setting the ageing time on br1 and I add the line to the br1 section in the last line:

    bridge_br1="enp0s20f1"

    config_enp0s20f1="null"
    config_br1="192.168.1.44 netmask 255.255.255.0"

    rc_net_br1_need="net.enp0s20f1"

    # ageing 0: learned MAC entries expire immediately, so the bridge
    # floods every frame to every port (the mirrored traffic reaches the antlet)
    bridge_ageing_time_br1="0"

Save and exit.

This should work for all antlets connected to that bridge.
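An added example (not eric's or Antsle's own code) that makes the persistence step above repeatable and checkable: a POSIX shell helper that adds the `bridge_ageing_time_brX="0"` line to a copy of the 'net' file without duplicating it on a second run, and a check that reads the bridge's live ageing time from sysfs. The sysfs path `/sys/class/net/<bridge>/bridge/ageing_time` and the constructed sample of the br1 section are assumptions; the real file is /etc/conf.d/net. Because ageing 0 floods every frame to every port, every antlet on that bridge sees the mirrored traffic, not only the IDS antlet.

```shell
#!/bin/sh
# Added example, not code from the forum thread. File and bridge names are
# parameters so the helpers can be exercised on a constructed file.

# add_ageing_line FILE BRIDGE: ensure exactly one bridge_ageing_time_BRIDGE="0"
# line exists in FILE (existing value is replaced, nothing is duplicated).
add_ageing_line() {
    file=$1; br=$2
    key="bridge_ageing_time_${br}"
    tmp=$(mktemp)
    grep -v "^${key}=" "$file" > "$tmp" || true   # drop any previous setting
    printf '%s="0"\n' "$key" >> "$tmp"            # append the ageing-0 line
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# count_ageing_lines FILE BRIDGE: how many ageing lines FILE holds for BRIDGE.
count_ageing_lines() {
    grep -c "^bridge_ageing_time_$2=" "$1" || true
}

# ageing_is_zero SYSFS_FILE: succeeds when the bridge's live ageing_time is 0.
# On antsleOS pass /sys/class/net/br1/bridge/ageing_time (assumed sysfs path).
ageing_is_zero() {
    [ "$(cat "$1" 2>/dev/null)" = "0" ]
}

# Demo on a constructed copy of the br1 section from the thread, never on
# the live /etc/conf.d/net.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
bridge_br1="enp0s20f1"
config_enp0s20f1="null"
config_br1="192.168.1.44 netmask 255.255.255.0"
rc_net_br1_need="net.enp0s20f1"
EOF
add_ageing_line "$demo_file" br1
add_ageing_line "$demo_file" br1      # second run must not add a duplicate
echo "ageing lines for br1: $(count_ageing_lines "$demo_file" br1)"   # 1
cat "$demo_file"
rm -f "$demo_file"
```

After `brctl setageing br1 0` on the real host, `ageing_is_zero /sys/class/net/br1/bridge/ageing_time` confirms the live setting matches the file.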