I am trying to set up a Snort IDS on a virtual machine for my lab. My problem is that normally, these kinds of IDS are connected to the mirrored port of a switch. My lab has no such device. Here is my topology:
[Internet]->[Linux Firewall+NAT]->[Local Subnets]
I would like to connect my Snort VM (connected to my 192.168.0.0/24 subnet) to my Linux Firewall. Is there a way, using IPTABLES or something alike, that I can achieve this?
(It might not be possible since we want to listen to Transport Layer frames...)
Or would it be possible to collect data on my firewall and have my Snort VM analyse it remotely?
What are my options here?
Thank you for sharing your knowledge!