Organization of traffic collection from a Linux server for subsequent analysis

    Objective: to mirror traffic from a server and send it over the network to another server for subsequent analysis. In effect, this is an implementation with Linux of what Cisco switches offer as SPAN. The same task arises when we want to analyse traffic not on the existing server itself but on a dedicated analysis server. In the simplest case we implement the scheme shown in the figure.

    In this scheme we inspect all user traffic passing through the gateway. An intrusion detection system such as Snort can be used for the analysis.

    To implement such a scheme you need the ipt_ROUTE kernel-space netfilter module and support for the ROUTE target in userspace iptables (present out of the box in Debian). The ipt_ROUTE.c kernel module has been dropped from patch-o-matic and is no longer maintained, so it does not build against kernels >= 2.6.24. I ported it to newer kernels and published it on Google Code.

    To install, perform the following steps:

    $svn co iptroute.googlecode.com/svn/trunk iptroute
    $cd iptroute
    $make
    $sudo make install

    As a result, the ipt_ROUTE module for netfilter is installed. Now we only have to set up the interface to which the mirrored traffic will be sent. This can be a physical interface, a VLAN interface or a tunnel. Consider the simplest option shown in the figure:

    eth0 - inet addr: 10.10.10.2 - the interface facing the Internet
    eth1 - inet addr: 192.168.1.1 - the interface facing the local network
    eth2 - inet addr: 172.16.0.1 - the mirror interface; all traffic passing through our gateway will be duplicated here
    Add a virtual server that will receive our traffic (a static ARP entry on eth2, since no real host answers at this address):
    #arp -i eth2 -s 172.16.1.2 00:00:00:00:00:01

    We duplicate all traffic passing through the FORWARD chain to the address of the mirror server, 172.16.1.2:
    #iptables -t mangle -A FORWARD -j ROUTE --tee --gw 172.16.1.2

    After these manipulations we can analyse all traffic passing through our gateway; it is enough to connect the analysis server to the eth2 interface.
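    The two commands above, wrapped as an added example (not from the original post) into an idempotent setup/teardown script: it refuses to run when the ROUTE target is not registered, adds the static ARP entry, and checks with `iptables -C` before appending the rule so that a re-run does not duplicate traffic twice. DRY_RUN=1 is an assumed switch that only prints the commands; interface, mirror address and MAC come from the page.

```shell
#!/bin/sh
# Added example: idempotent setup/teardown of the FORWARD-chain mirror.
# DRY_RUN=1 prints the commands instead of executing them (no root needed).

MIRROR_IF="${MIRROR_IF:-eth2}"
MIRROR_GW="${MIRROR_GW:-172.16.1.2}"
MIRROR_MAC="${MIRROR_MAC:-00:00:00:00:00:01}"

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# The rule exactly as the post gives it, built in one place so that
# add (-A), check (-C) and delete (-D) can never drift apart.
mirror_rule() {
    echo "-t mangle $1 FORWARD -j ROUTE --tee --gw $MIRROR_GW"
}

setup_mirror() {
    # ipt_ROUTE is out-of-tree: fail loudly instead of silently mirroring nothing.
    # /proc/net/ip_tables_targets lists the targets the kernel has registered.
    if [ "${DRY_RUN:-0}" != 1 ] && ! grep -qx ROUTE /proc/net/ip_tables_targets 2>/dev/null; then
        run modprobe ipt_ROUTE || return 1
    fi
    # Static ARP entry for the non-existent receiving host, so the gateway
    # does not ARP endlessly for $MIRROR_GW on $MIRROR_IF.
    run arp -i "$MIRROR_IF" -s "$MIRROR_GW" "$MIRROR_MAC"
    # Append the rule only if it is not already present; a second copy would
    # send every packet to the analysis server twice.
    if [ "${DRY_RUN:-0}" = 1 ] || ! iptables $(mirror_rule -C) 2>/dev/null; then
        run iptables $(mirror_rule -A)
    fi
}

teardown_mirror() {
    run iptables $(mirror_rule -D)
    run arp -i "$MIRROR_IF" -d "$MIRROR_GW"
}

case "${1:-}" in
    up)   setup_mirror ;;
    down) teardown_mirror ;;
esac
```

    On kernels 2.6.35 and later the in-tree TEE target (`-j TEE --gateway`) duplicates packets the same way without the out-of-tree module; only the `mirror_rule` line would change.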

    In the same way you can easily analyse traffic coming from a web or mail server.
    Originally this scheme was devised to analyse traffic inside encrypted PPTP and OpenVPN tunnels on a dedicated server.
