
Hello there, is there a way with iptables to forward all traffic to my IDS (Suricata) while also keeping the regular flow? I have two interfaces, and I did find how to do it with one interface. Example:

iptables -t mangle -A PREROUTING -i eth0 -j TEE --gateway <your IDS IP>

But can I get all the data from eth0 and forward it to another server running my IDS via interface eth1, while keeping the regular eth0 flow?

The reason for this is to have all the IDS data on a different interface.

Thanks in Advance.

merge
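The setup the question is asking about, written out as an added example (not code from the original post or its answers): the TEE target clones every matching packet and hands the clone to an ordinary route lookup for `--gateway`, so the copy leaves through whichever interface owns the route to the IDS address. If the IDS sits on eth1's subnet, the clones go out eth1 and the real eth0 flow is untouched. The interface names eth0/eth1 and the IDS address 10.0.2.10 are assumptions for illustration; the script checks the routing before applying anything and emits two rules, because a `PREROUTING -i eth0` rule only sees packets arriving on eth0 and replies the host itself sends out eth0 are only visible in `POSTROUTING -o eth0`.

```shell
#!/bin/sh
# Added example, not from the original page: mirror all traffic crossing CAP_IF
# to a Suricata host reachable over IDS_IF with the iptables TEE target.
# Assumed values (adjust to your network): capture eth0, mirror via eth1,
# IDS at 10.0.2.10 on eth1's subnet.
CAP_IF="${CAP_IF:-eth0}"         # interface whose traffic Suricata should see
IDS_IF="${IDS_IF:-eth1}"         # interface the clones must leave through
IDS_IP="${IDS_IP:-10.0.2.10}"    # Suricata host, directly reachable via IDS_IF

# Pull the "dev <name>" field out of an 'ip route get' line, e.g.
#   "10.0.2.10 dev eth1 src 10.0.2.5 uid 0"  ->  "eth1"
route_dev_from() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# TEE sends the clone to --gateway via a normal route lookup, so it exits
# through whatever interface routes to IDS_IP. If that is not IDS_IF the
# copies would go back out CAP_IF and every packet appears twice on that
# segment, so refuse to continue in that case.
check_mirror_path() {
    dev=$(route_dev_from "$(ip route get "$IDS_IP" 2>/dev/null | head -n 1)")
    [ "$dev" = "$IDS_IF" ]
}

# Print the rules without applying them (dry run / review).
# PREROUTING -i CAP_IF:  packets arriving on CAP_IF
# POSTROUTING -o CAP_IF: packets this host sends out CAP_IF (e.g. its replies)
# Traffic to or from the IDS itself is excluded so the mirror can never
# feed on its own output.
tee_rules() {
    cap="$1"; ids_ip="$2"
    cat <<EOF
iptables -t mangle -A PREROUTING  -i $cap ! -s $ids_ip ! -d $ids_ip -j TEE --gateway $ids_ip
iptables -t mangle -A POSTROUTING -o $cap ! -s $ids_ip ! -d $ids_ip -j TEE --gateway $ids_ip
EOF
}

apply_tee_rules() {
    check_mirror_path || {
        echo "route to $IDS_IP does not go via $IDS_IF; fix routing first" >&2
        return 1
    }
    tee_rules "$CAP_IF" "$IDS_IP" | sh -e
}

# After applying, the packet counters on both TEE rules should climb while
# the original eth0 traffic keeps flowing:  iptables -t mangle -L -v -n | grep TEE
case "${1:-}" in
    apply) apply_tee_rules ;;
    show)  tee_rules "$CAP_IF" "$IDS_IP" ;;
esac
```

Run it as `./tee-mirror.sh show` to review the rules and `./tee-mirror.sh apply` to install them. Two caveats for the receiving side: the clones still carry the original source and destination IP addresses, so Suricata's capture interface must accept frames not addressed to its own IP (promiscuous capture, as Suricata's af-packet mode does), and on AWS, which the asker mentions in the comments, the IDS instance's network interface needs source/destination checking disabled or the VPC will drop those frames before they reach the host. The `tc ... action mirred` approach linked in the comments mirrors at the interface level instead of in netfilter and does not need a gateway address, but the same routing and promiscuous-capture considerations apply to wherever the copies land.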

1 Answer


I've tried doing this with iptables/netfilter and it didn't work. I also tried bridging the sniffing interface with a second NIC, and that did not work. In the end I bought a Regen Tap to send data from a single SPAN session to two different IDS boxes. I also purchased a Shark Tap to sit between the edge router and the switch. I plugged my IDS into the Shark Tap. I don't know if the Shark Tap fails "open", but be aware that using it inline may cause an outage if it burns up.

EDIT: You can also try your hand at a DIY network TAP, but be aware you don't get (AFAIK) both TX and RX in the same stream, only one or the other. It's kind of greasy, but if you're only interested in either ingress or egress, it may be just the thing.

Server Fault
  • Thanks for the response, but this is impossible since we have everything on AWS, so it has to be software-based, not hardware. – merge Dec 09 '16 at 22:22
  • Ahh, I see... How is `--tee` affecting the flow? As I understand it, this is supposed to create a clone of the original packet. Also, `tc` may work: http://serverfault.com/questions/225178/copying-packets-from-an-interface-to-another – Server Fault Dec 12 '16 at 20:40