Hi,
Don't know if it makes actual sense on Qubes, but I used the following
successfully on XenServer/XCP-ng. Inbound traffic is otherwise not visible to
SecurityOnion, as it is originally targeting the tapped network, from my
understanding:
https://blog.rootshell.be/2013/09/09/xenserver-port-mirroring/
Hope that helps,
Peace!
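The firewall-side answer to the question quoted below is the iptables TEE target, which clones every matching packet and sends the copy to a directly reachable host; the sensor then captures the clones on its sniffing interface exactly as it would from a mirror port. The script is an added example, not code from either poster. It assumes the sensor address given in the thread (10.137.0.24), the Qubes 4.0 firewall-qube interface layout (downstream qubes on vif+ interfaces, each a directly connected /32; the uplink to the net qube on eth0), and that the firewall qube's kernel provides the xt_TEE module. Set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example: mirror all traffic forwarded by a Qubes firewall qube to a
# Security Onion sensor with iptables TEE. Not from the original thread.
# Assumed: sensor 10.137.0.24, internal qubes on vif+, uplink eth0, xt_TEE
# available. IPT=echo gives a dry run.

IPT="${IPT:-iptables}"
SENSOR="${SENSOR:-10.137.0.24}"
CHAIN="${CHAIN:-MIRROR}"

# Keep the mirror rules in their own mangle chain so they can be removed
# without touching the chains that qubes-firewall manages.
mirror_prepare() {
    $IPT -t mangle -N "$CHAIN" 2>/dev/null || $IPT -t mangle -F "$CHAIN"
    $IPT -t mangle -D PREROUTING -j "$CHAIN" 2>/dev/null || true
    $IPT -t mangle -A PREROUTING -j "$CHAIN"
}

# Mirroring in PREROUTING only (not also POSTROUTING) copies each forwarded
# packet exactly once, whichever direction it travels. mangle PREROUTING
# runs before nat PREROUTING, so the copies carry the original addresses.
mirror_rules() {
    # Do not clone traffic already addressed to or coming from the sensor:
    # the DNATed HTTPS feed and the sensor's own sessions would otherwise
    # arrive twice.
    $IPT -t mangle -A "$CHAIN" -d "$SENSOR" -j RETURN
    $IPT -t mangle -A "$CHAIN" -s "$SENSOR" -j RETURN
    # Internal -> internal and internal -> external: enters on a vif.
    $IPT -t mangle -A "$CHAIN" -i vif+ -j TEE --gateway "$SENSOR"
    # Replies and inbound traffic: enters on the uplink.
    $IPT -t mangle -A "$CHAIN" -i eth0 -j TEE --gateway "$SENSOR"
}

mirror_setup() {
    mirror_prepare
    mirror_rules
}

mirror_teardown() {
    $IPT -t mangle -D PREROUTING -j "$CHAIN" 2>/dev/null || true
    $IPT -t mangle -F "$CHAIN" 2>/dev/null || true
    $IPT -t mangle -X "$CHAIN" 2>/dev/null || true
}
```

Run mirror_setup as root in the firewall qube; to survive a restart, call it from /rw/config/qubes-firewall-user-script, which the firewall qube executes after its own rules are loaded. Verify on the sensor with tcpdump -ni eth0 'not host 10.137.0.24': frames between two internal qubes should appear there although the sensor is not on their path. TEE requires the gateway to be directly reachable, which is why it works from the firewall qube (the sensor is a directly connected downstream) but not from an arbitrary hop.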
On 29/04/2020 15:28, 'Zsolt Bicskey' via qubes-users wrote:
I am building a lab inside QubesOS. I have two gateways, two
firewalls. Behind the pentest-firewall I want all machines to see each
other. Since I have both Win and Linux machines and for simplicity's
sake I am doing this from the firewall.
On top of this I have a Security Onion running to capture all traffic
internal to internal and internal to external. I have PolarProxy
installed on it to decrypt HTTPS traffic
(https://www.netresec.com/?page=Blog&month=2020-01&post=Sniffing-Decrypted-TLS-Traffic-with-Security-Onion)
*This rule opens up all internal communication on the pentest-firewall:*
iptables -I FORWARD -i vif+ -o vif+ -j ACCEPT
*These rules should forward all HTTPS to the Security Onion:*
iptables -A FORWARD -i eth0 -d 10.137.0.24 -p tcp --dport 10443 -m state --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 10.137.0.24:10443
iptables -t nat -A POSTROUTING -o eth0 -d 10.137.0.24 -p tcp --dport 10443 -j MASQUERADE
*Important IPs/Details:*
SecurityOnion 10.137.0.24
Security Onion interface eth0
Firewall IP: 10.137.0.6
*QUESTION*
How can I set up full traffic mirroring to that Security Onion
machine? It's easy with a physical switch but I cannot make it work
with iptables. Please help.
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/21956a8a-2bac-98e8-0bf9-455d5d2a40f6%40dofishswim.com.