Mirroring all router traffic (openwrt) to a snort sensor?

15

5

I want to mirror all traffic (also VPN, WLAN, WAN) from a consumer router (TPLink WR1043ND v.1.x) to a snort sensor located in the same network, but without extra hardware! The mirroring has to be done by the router (running OpenWrt Barrier Breaker).

Mirroring the WAN port of the router would even be supported by the current firmware, but the data of this stream is useless to me, because it does not contain the internal IPs of the devices connected to the router! I want the mirrored traffic from inside the router, with all internal IPs.

So, I quickly thought about tcpdump -i any. But to my knowledge it is not possible to configure 'tcpdump' to stream the mirrored traffic directly to the snort sensor (without generating and saving enormous pcap files to the hard drive)?

How do I solve this?


Appendix: Would this work using the iptables TEE option to mirror all traffic? I think I would need to install the 'TEE iptables extensions' ipkg or the 'Kernel modules for TEE' ipkg from the OpenWRT repository for this to work? Would this work, or do I need something else?

user3200534

Posted 2014-05-17T02:21:53.027

Reputation: 295

1 – This is a good question, and I'm curious to hear any answers. I've voted to have it moved to Superuser, though, as they're more experienced with consumer gear and alternate firmware like OpenWRT. – EEAA – 2014-05-17T02:52:51.247

Answers

4

Yes, iptables TEE works. I have a TP-Link router and I am mirroring the traffic for exactly the same reason as you.

Install all the necessary modules and packages for TEE.

Assuming your monitoring IP address is 10.1.1.205, run:

# Mirror packets leaving the router toward the LAN (except the sensor's own traffic):
iptables -A POSTROUTING -t mangle -o br-lan ! -s 10.1.1.205 -j TEE --gateway 10.1.1.205

# Mirror packets arriving from the LAN (except those addressed to the sensor):
iptables -A PREROUTING -t mangle -i br-lan ! -d 10.1.1.205 -j TEE --gateway 10.1.1.205

Methos

Posted 2014-05-17T02:21:53.027

Reputation: 156
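The TEE approach above, as an added example that is not part of the original answer: a small script that builds the PREROUTING/POSTROUTING TEE rule pair for one or more router interfaces, checks that the xt_TEE module is loadable, and applies the rules idempotently (iptables -C before -A) so re-running it does not duplicate them. The sensor address 10.1.1.205, the interface list and the tun0 name are assumptions; the two rules only see packets entering or leaving the named interface, so VPN traffic that never touches br-lan is covered only if the tunnel interface is listed too.

```shell
#!/bin/sh
# Constructed example (not from the original post): build and apply iptables
# TEE rules that clone traffic crossing the router's internal interfaces to a
# monitoring host. Assumes iptables-mod-tee / kmod-ipt-tee are installed and
# that SENSOR and IFACES fit your network.

SENSOR="${SENSOR:-10.1.1.205}"     # snort sensor (assumed address)
IFACES="${IFACES:-br-lan}"         # e.g. "br-lan tun0" to include a VPN tunnel

# Emit one rule per interface and direction. The "! -d / ! -s $sensor" matches
# keep the sensor's own traffic (and the clones delivered to it) from being
# mirrored again, which would otherwise loop.
tee_rules() {
    sensor="$1"; shift
    for ifc in "$@"; do
        echo "iptables -t mangle -A PREROUTING -i $ifc ! -d $sensor -j TEE --gateway $sensor"
        echo "iptables -t mangle -A POSTROUTING -o $ifc ! -s $sensor -j TEE --gateway $sensor"
    done
}

# Number of rules that would be installed for the given sensor/interfaces.
count_tee_rules() {
    tee_rules "$@" | wc -l | tr -d ' '
}

# Check that the TEE target is loadable before touching the firewall.
tee_available() {
    lsmod 2>/dev/null | grep -q '^xt_TEE' || modprobe xt_TEE 2>/dev/null
}

# Apply the rules idempotently: -C tests whether an identical rule exists.
apply_tee_rules() {
    tee_rules "$@" | while IFS= read -r rule; do
        check="$(printf '%s' "$rule" | sed 's/ -A / -C /')"
        if $check 2>/dev/null; then
            echo "exists: $rule"
        else
            $rule && echo "added: $rule"
        fi
    done
}

if [ "${1:-}" = "apply" ]; then
    tee_available || { echo "xt_TEE not available; install kmod-ipt-tee" >&2; exit 1; }
    # shellcheck disable=SC2086
    apply_tee_rules "$SENSOR" $IFACES
fi
```

Run it as `sh mirror.sh apply` on the router; without the `apply` argument it only defines the functions, so the rule list can be inspected with `tee_rules 10.1.1.205 br-lan tun0` first.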

3

A patch for OpenWrt to enable port mirroring on your hardware is available, though it has received only limited testing. You can, of course, apply and test it yourself.

Michael Hampton

Posted 2014-05-17T02:21:53.027

Reputation: 11 744

can you share details how would you apply this patch? – AK_ – 2018-11-10T20:30:55.417

@AK_ You wouldn't apply this patch. It is already present in current releases of OpenWrt since Chaos Calmer. – Michael Hampton – 2018-11-10T22:38:53.190

@MichaelHampton so basically we can do this by modifying the config files (no need for iptables); can you maybe update your answer and shed some light on how to do this? – AK_ – 2018-11-12T09:53:40.957

I referred to this feature in my question. The problem is when mirroring the WAN port: you only get the public router IP and the IP of the destination server. But I want the internal IPs of the clients and their exact connections to feed the snort sensor with. – user3200534 – 2014-05-17T03:32:34.273

If you want to mirror a different port, then you need to select that port! – Michael Hampton – 2014-05-17T03:38:23.213

Yes, you can choose between the 1-4 LAN slots (ports). No WLAN! No VPN! Only the Ethernet ports at the back of the device or port 0 (= WAN). That is very far from all traffic of the router. – user3200534 – 2014-05-17T03:44:33.283

Hmm. I don't think you can mirror all traffic. This is, after all, a function of the hardware switch. So you won't get WLAN traffic, for instance, or traffic on virtual interfaces. Someone else in a similar situation may find this useful, though. – Michael Hampton – 2014-05-17T07:09:07.640

0

It is now possible to set up port mirroring on OpenWrt via the Switch configuration. This can either be done using the OpenWrt web interface (LuCI) by going to the Network->Switch menu then enabling 'Enable mirroring of incoming packets' and/or 'Enable mirroring of outgoing packets' and setting the desired interfaces. Otherwise this can be achieved by editing the switch section of the network config file (/etc/config/network).

Pierz

Posted 2014-05-17T02:21:53.027

Reputation: 880