nmsasa.blogg.se

Install tcpdump amazon linux ami
As more and more businesses move their infrastructure from physical on-premise devices to cloud services, they hit obstacles when it comes to monitoring their cloud infrastructure. This is because the cloud instances you're running aren't really connected to a real network, but to a virtualized version of one. This often makes it impossible to get the same features you would have in a physical network, like port mirroring for monitoring network traffic in real time. For medium and large companies this problem can be fixed by buying expensive products, but small companies don't have the same budget and more often than not rely on open-source software to keep costs to a minimum. Since it would be expensive to buy monitoring software with full potential and implement it in the cloud, we need to find a cheap way to do this without changing the infrastructure.

This blog post presents a way of mimicking the features of port mirroring by configuring a Linux device, without relying on physical hardware (this won't work on Windows!). The monitoring system in this case is Security Onion, a great open-source Network Security Monitoring (NSM) system with features like full pcap capture and intrusion detection systems.

Be careful, since this approach will require extra resources as it runs tcpdump, tcpreplay and tcprewrite. Make sure you choose your cloud instance accordingly. This particular solution is running on Amazon AWS and the Security Onion server is running as a t2.large EC2 instance. The servers being monitored are all t2.micro instances.

– 1 Linux machine running a web server on Amazon AWS
– 1 Linux machine running Security Onion on Amazon AWS

In my case I have two interfaces per machine, one for transmitting the network traffic and one for production.

On the Security Onion server we will create an additional dummy interface and set it to promiscuous mode; this will be the monitor interface for Security Onion.

ip link add dev eth1 type dummy
ip link set eth1 promisc on arp off up

To make sure it is added at startup, add this to your /etc/rc.local file so the interface is created on every boot:

# rc.local
ip link add dev eth1 type dummy
ip link set eth1 promisc on arp off up

An optional step is to add specific users (seconion) to each monitored system to be used only for tcpdump: add them to a newly created group, change the group of "/usr/sbin/tcpdump" to this newly created group, then edit the permissions on the binary so members of the group can run the command. To simplify remote SSH access, create an SSH key on the Security Onion server and add its public key to the "seconion" user's authorized_keys file on each monitored system.

Start a screen terminal (or just start another ssh session) to run tcpdump on the remote machine through ssh. We also need to use tcprewrite to write the correct MTU to the pcap stream. The whole thing never saves anything to disk and only uses standard in and out to send the traffic to the target interface. If you know of any way to improve on this solution, let me know! Make sure you filter out unwanted traffic.

ssh seconion@<monitored-host> "/usr/sbin/tcpdump -i eth0 -w /dev/stdout -U 2>/dev/null" | tcprewrite --mtu-trunc --infile=- --outfile=/dev/stdout 2>/dev/null | tail -c +0 -f 2>/dev/null | tcpreplay --intf1=eth1 --topspeed - 2>/dev/null

-c +0 will start from the beginning of the file.
-f will follow the file (never stop reading, wait for more data).
--intf1=eth1 will replay traffic from the pcap to the target interface "eth1", which is the monitor interface created earlier.
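To tie the steps above together, here is an added example written for this page (my own script, not code from the original post): a POSIX shell script that creates the dummy monitor interface idempotently, so it is safe to call from rc.local on every boot, and runs the post's ssh | tcprewrite | tcpreplay pipeline with a BPF filter that excludes the capture's own ssh session. That exclusion is the most important part of the "filter out unwanted traffic" advice: without it, tcpdump on the monitored host captures the ssh packets that carry the capture itself, and the stream feeds on its own output. The interface names, the seconion user, the placeholder remote host and monitor address, and the IP_CMD/SSH_CMD overrides (which exist only so the functions can be dry-run without root) are assumptions of the example.

```shell
#!/bin/sh
# Added example for the Security Onion replay setup described in the post.
# Assumptions (hypothetical, not from the post): interface names below,
# a "seconion" user on each monitored host, and that the Security Onion
# host's own IP is known so its ssh stream can be excluded from the capture.

MON_IFACE="${MON_IFACE:-eth1}"         # dummy monitor interface on the Security Onion box
REMOTE_IFACE="${REMOTE_IFACE:-eth0}"   # production interface on the monitored host
IP_CMD="${IP_CMD:-ip}"                 # overridable so the setup step can be dry-run
SSH_CMD="${SSH_CMD:-ssh}"

# Create the dummy monitor interface only if it does not exist yet, so this
# can be called from rc.local on every boot without failing the second time.
ensure_monitor_iface() {
    if "$IP_CMD" link show "$MON_IFACE" >/dev/null 2>&1; then
        return 0
    fi
    "$IP_CMD" link add dev "$MON_IFACE" type dummy &&
    "$IP_CMD" link set "$MON_IFACE" promisc on arp off up
}

# Build the BPF filter handed to the remote tcpdump.  It always drops the ssh
# session between the monitor and the monitored host (the pipeline's own
# control channel); an optional second argument narrows the capture further.
capture_filter() {
    monitor_ip="$1"
    extra="${2:-}"
    f="not (host $monitor_ip and tcp port 22)"
    if [ -n "$extra" ]; then
        f="$f and ($extra)"
    fi
    printf '%s\n' "$f"
}

# Stream packets from the monitored host into the monitor interface without
# touching disk: tcpdump -> tcprewrite (truncate to MTU) -> tail -f -> tcpreplay.
# $1 is user@host (e.g. seconion@<monitored-host>, a placeholder), $2 the filter.
replay_from_host() {
    remote="$1"
    filter="$2"
    "$SSH_CMD" "$remote" "/usr/sbin/tcpdump -i $REMOTE_IFACE -U -w - '$filter' 2>/dev/null" |
        tcprewrite --mtu-trunc --infile=- --outfile=/dev/stdout 2>/dev/null |
        tail -c +0 -f 2>/dev/null |
        tcpreplay --intf1="$MON_IFACE" --topspeed - 2>/dev/null
}

# Dispatcher: "setup" for boot time, "replay <user@host> <monitor-ip> [extra-bpf]"
# inside a screen session.  With no arguments the script only defines functions.
case "${1:-}" in
    setup)
        ensure_monitor_iface ;;
    replay)
        if [ $# -lt 3 ]; then
            echo "usage: $0 replay <user@host> <monitor-ip> [extra-bpf]" >&2
            exit 2
        fi
        replay_from_host "$2" "$(capture_filter "$3" "${4:-}")" ;;
esac
```

Run `sh monitor.sh setup` from rc.local on the Security Onion server, then `sh monitor.sh replay seconion@<monitored-host> <monitor-ip> "tcp port 80"` in a screen session to stream only web traffic; leave the last argument off to mirror everything except the capture's own ssh channel.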