
I have an IDS setup as follows:

Hardware / interfaces

WAN <----(brwan)> ROUTER / AP <(br0)----> LAN
                                    \
                                     -----(eth1)> |
                                      \           | IDS device listening on eth1
                                       ---(eth0)> |

On the router, I use these iptables rules to tee the traffic to the IDS:

-A INPUT ! -s IDS_ETH1_IP/32 ! -i lo -j TEE --gateway IDS_ETH1_IP
-A FORWARD ! -s IDS_ETH1_IP/32 ! -d IDS_ETH1_IP/32 -j TEE --gateway IDS_ETH1_IP
-A OUTPUT ! -d IDS_ETH1_IP/32 ! -o lo -j TEE --gateway IDS_ETH1_IP

IDS_ETH1_IP is a fixed IP, outside of my LAN subnet.

Still on the router, the route to IDS_ETH1_IP is set:

~$ ip r s
(…)
IDS_ETH1_IP dev br0 scope link

On the IDS device, eth1 is set up this way:

~$ ip a s dev eth1
3: eth1: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether IDS_ETH1_MAC brd ff:ff:ff:ff:ff:ff
    inet IDS_ETH1_IP/32 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever

With the following commands to make sure it is only a listening device:

ip link set dev eth1 multicast off
ethtool -K eth1 gro off gso off lro off rx off rxvlan off sg off tso off tx off txvlan off
ethtool -G eth1 rx 4096

iptables -t raw -F PREROUTING
iptables -t raw -A PREROUTING -i eth1 -j DROP

Note: I need to leave ARP on on the interface, because if I enable NOARP, then the MAC is unknown by the various switches, and therefore the packets are teed to every device/interface on the LAN (except WiFi).

And sysctl settings (still on the IDS device):

net.ipv4.conf.eth1.accept_redirects = 0
net.ipv4.conf.eth1.accept_source_route = 0
net.ipv4.conf.eth1.forwarding = 0
net.ipv4.conf.eth1.promote_secondaries = 0
net.ipv4.conf.eth1.secure_redirects = 0
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.eth1.shared_media = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.all.arp_ignore = 1

all.arp_ignore is essential to force the interfaces to only answer their own ARP queries.

Software

On the IDS device, I have installed Suricata (listening on eth1 with AF_PACKET) and Filebeat to ship the data to another device on my LAN that has an ELK docker stack (Elasticsearch, Kibana and Evebox).

It took me a little while to set all of that up and finally reach the setup described here, and it works quite well.

The question

Now, the great thing about using iptables TEE rules on the router is that I decide where to tap. I do it after my firewall rules on the WAN side (no need to have alerts for already blocked packets), and it allows me to know where the packets are going to / coming from in the LAN with what is tapped on the FORWARD table. It also taps what is going in and out of the router itself (INPUT / OUTPUT).

What I would like to do is find a way to separate, in the log, what is tapped on the LAN side from the WAN side. I could elaborate the iptables rules to separate -i brwan, -o brwan and -i br0, -o br0 for example; this is easy enough, but how to distinguish these in the packets being teed? Marking packets does not go between devices. Maybe on the IDS device creating sub-interfaces of eth1 with different IPs and MACs, and teeing accordingly? If I do that, how do I create different virtual devices with Filebeat so I can differentiate them in Kibana?

Any idea on what I could do to reach that? And to improve my IDS system with what I have?

Thank you.
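As an added example that is not part of the original post, here is one way to carry out the sub-interface idea from the question: two macvlan children of eth1 on the IDS, each with its own MAC and its own off-LAN /32, and a second set of TEE rules on the router keyed on brwan. The interface names (tap_wan, tap_lan), the MACs and the 192.0.2.8/30 addresses are constructed placeholders; the functions only print the commands so they can be reviewed before being applied on each box.

```shell
#!/bin/sh
# Added example, not from the original post: split the single TEE tap into a
# WAN-side and a LAN-side copy by giving the IDS two macvlan sub-interfaces on
# eth1, each with its own MAC and an off-LAN /32, as the question sketches.
# Names (tap_wan, tap_lan) and addresses are constructed placeholders; both
# /32s sit in one small prefix so the TEE rules can exclude them with a single
# -s/-d match. The functions only print commands for review.

IDS_NET=192.0.2.8/30          # placeholder prefix holding both gateway IPs
IDS_WAN_IP=192.0.2.9          # gateway for WAN-side copies
IDS_LAN_IP=192.0.2.10         # gateway for LAN-side copies
WAN_MAC=02:00:00:00:00:0a     # locally administered, constructed
LAN_MAC=02:00:00:00:00:0b

# IDS side: private-mode macvlans only receive frames for their own MAC, so
# each copy lands on exactly one interface; keep them listen-only like eth1.
ids_interfaces() {
    for spec in "tap_wan $WAN_MAC $IDS_WAN_IP" "tap_lan $LAN_MAC $IDS_LAN_IP"; do
        set -- $spec
        echo "ip link add link eth1 name $1 address $2 type macvlan mode private"
        echo "ip addr add $3/32 dev $1"
        echo "ip link set dev $1 multicast off up"
        echo "sysctl -w net.ipv4.conf.$1.rp_filter=0"
        echo "iptables -t raw -A PREROUTING -i $1 -j DROP"
    done
}

# Router side: on-link routes to both gateways (replacing the single
# IDS_ETH1_IP route), then TEE rules keyed on brwan. Anything that neither
# enters nor leaves via brwan is LAN-side (or router-local) traffic.
router_rules() {
    ex="! -s $IDS_NET ! -d $IDS_NET"
    echo "ip route add $IDS_WAN_IP/32 dev br0"
    echo "ip route add $IDS_LAN_IP/32 dev br0"
    echo "iptables -A INPUT   $ex -i brwan -j TEE --gateway $IDS_WAN_IP"
    echo "iptables -A INPUT   $ex ! -i brwan ! -i lo -j TEE --gateway $IDS_LAN_IP"
    echo "iptables -A FORWARD $ex -i brwan -j TEE --gateway $IDS_WAN_IP"
    echo "iptables -A FORWARD $ex ! -i brwan -o brwan -j TEE --gateway $IDS_WAN_IP"
    echo "iptables -A FORWARD $ex ! -i brwan ! -o brwan -j TEE --gateway $IDS_LAN_IP"
    echo "iptables -A OUTPUT  $ex -o brwan -j TEE --gateway $IDS_WAN_IP"
    echo "iptables -A OUTPUT  $ex ! -o brwan ! -o lo -j TEE --gateway $IDS_LAN_IP"
}

# Usage: sh split_tee.sh ids   (on the IDS)   or   sh split_tee.sh router
case "${1:-}" in
    ids)    ids_interfaces ;;
    router) router_rules ;;
esac
```

With both tap_wan and tap_lan listed under af-packet in suricata.yaml, every EVE event carries an in_iface field naming the interface the packet arrived on, so Filebeat can keep shipping a single eve.json and Kibana can split WAN-side from LAN-side on that field without separate Filebeat inputs.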
