Home Network Setup to Monitor Traffic via Snort

I have a decent background in linux, however, I severely misunderstand networking fundamentals. I am trying to set up a home environment where my Virtual Box RedHat box monitors all the traffic on my network via Snort.

On the left you can see my current setup, however, I was wondering specifically how I could achieve the setup on the right? That is, how can I set it up so that all traffic passed through my RedHat OS w/ Snort? RedHat OS is set to receive its IP address from the router (192.168.1.200) as set in the router DHCP settings.

Thank you for your help!

Nathan_Sharktek

Posted 2015-11-19T00:12:55.763

Reputation:

Ideally you would monitor your network with a network tap that has no IP address. It would go between your router and modem, more like this: https://clayshek.files.wordpress.com/2008/04/snort_diagram1.jpg

– Neil McGuigan – 2015-11-19T00:32:40.730

1This is more of a network setup question than a security question. – schroeder – 2015-11-19T04:34:53.270

@Neil-McGuigan, Snort can be more than an NIDS; it can also be an IPS. He may be looking to use Snort to actively disrupt detected malicious traffic. A tap won't let Snort step in to prevent an attacker's packets from getting through. And a read-only tap (like the HakShop Throwing Star) wouldn't even let Snort send RST packets. – John Deters – 2015-11-19T15:32:42.037

Answers

you could plug all yours devices on a switch and connect your redhax between your switch and your router. For your iphone in wifi be sure your AP is same side of the redhax and not on your router.

Or, if possible with your router, you can mirror the traffic of the interface between the router and the modem on the interface of your redhax-snort

Sorcha

Posted 2015-11-19T00:12:55.763

Reputation: 196

May i ask what soft you used to make this network diagram ? – Froggiz – 2015-11-19T09:38:44.840

1@Froggiz I use Microsoft Visio for my diagrams – Sorcha – 2015-11-19T09:42:22.163

You can get a new Switch, as pointed out by @Sorcha or you can also do some routing magic to virtually create that desired environment(atleast at the Network layer) using just your current setup.

Make the IP address of your snort machine Static and set the default gateway as the internal IP of your router.
Enable IP Forwarding in the snort machine(you will need it regardless)
Change the Default Gateway in all of your other Devices to this new Static IP address of that Snort device.

the above will make your snort device as a router and the traffic from all the other devices will be sent through that snort device.

JOW

Posted 2015-11-19T00:12:55.763

Reputation: 121

he may also have to deal with DHCP. Most home routers will serve up DHCP clients with themselves as the default gateway. If he can reconfigure the router to provide the Snort device's IP address as the default gateway, then get his devices to renew their leases, anything new he adds should 'just work'. – John Deters – 2015-11-19T21:33:28.743

you are right @John Deters, he has the option to also use static IP addresses on all the devices to eliminate the need for DHCP but at that point, the whole thing becomes more of a short time hack than a usable manageable setup. Still, this option is out there if he is curious enough to try. hopefully he is not addicted to snorting stuff. – JOW – 2015-11-20T09:40:25.977