Snort only alerting about the IP it's running on - networking

I'm trying to set up a Snort IDS from my machine (openSUSE 13.1) to monitor the entire network. When I run Snort I am sniffing all the packets and monitoring all computers on the network, but I am only getting alerts for my machine. I want the alert file to alert me about ALL IPs. I also tried including specific IP addresses in HOME_NET and it would still only alert me about my openSUSE machine.
My snort.conf:
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
output alert_fast: /var/log/snort/fast_alert.txt
I am using pulledpork for my one snort.rules file.
I run snort as so:
snort -d -c /etc/snort/snort.conf -vv
Also, it might be important information that I do not have eth0 as a network device option.
How can I make Snort alert me for all machines/IPs on the network?

The solution was port mirroring. I was only able to get traffic from my own switch. By using a network switch and port mirroring other IPs to my switch, I am now able to alert on those IPs' traffic!
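As an added diagnostic (not part of the original question or answer), the Python script below parses Snort alert_fast lines of the kind the output line above produces and reports which HOME_NET hosts appear in them. If only the sensor's own address shows up, the sensor is seeing just its own traffic and needs a mirrored (SPAN) port, which is what the poster ended up doing. The sample alert lines, the HOME_NET of 192.168.1.0/24 and the sensor address 192.168.1.20 are constructed for the example.

```python
import ipaddress
import re

# Constructed alert_fast lines; not real alerts from the poster's sensor.
SAMPLE_ALERTS = """\
04/12-10:15:01.123456  [**] [1:1000001:1] LOCAL test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:53422 -> 192.168.1.20:80
04/12-10:15:02.223456  [**] [1:1000001:1] LOCAL test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.20:80 -> 10.0.0.5:53422
04/12-10:15:03.323456  [**] [1:1000002:1] LOCAL other rule [**] [Classification: Misc activity] [Priority: 3] {UDP} 198.51.100.7:5353 -> 192.168.1.20:5353
04/12-10:15:04.423456  [**] [1:1000002:1] LOCAL other rule [**] {ICMP} 203.0.113.9 -> 192.168.1.20
"""

# Tail of an alert_fast line: {PROTO} src[:sport] -> dst[:dport]; ICMP lines carry no ports.
ALERT_RE = re.compile(
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Return (proto, src_ip, dst_ip) for one alert_fast line, or None if it does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return m.group("proto"), m.group("src"), m.group("dst")


def home_hosts_seen(lines, home_net):
    """Set of HOME_NET addresses that appear as source or destination in the alerts."""
    net = ipaddress.ip_network(home_net)
    seen = set()
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue
        for ip in parsed[1:]:
            if ipaddress.ip_address(ip) in net:
                seen.add(ip)
    return seen


def visibility_verdict(lines, home_net, sensor_ip):
    """Classify what the sensor sees: 'none', 'sensor_only' (needs port mirroring) or 'network'."""
    seen = home_hosts_seen(lines, home_net)
    if not seen:
        return "none"
    if seen == {sensor_ip}:
        return "sensor_only"
    return "network"


if __name__ == "__main__":
    lines = SAMPLE_ALERTS.splitlines()
    print("HOME_NET hosts in alerts:", sorted(home_hosts_seen(lines, "192.168.1.0/24")))
    print("verdict:", visibility_verdict(lines, "192.168.1.0/24", "192.168.1.20"))
```

Run it against the real alert file with `open("/var/log/snort/fast_alert.txt")` instead of the sample text; a verdict of `sensor_only` after a reasonable monitoring window points at the switch, not at snort.conf.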

Related

How to get a Virtual Machine Network information via SNMP from ESXi

I want to monitor the inbound/outbound traffic of a VM inside ESXi through SNMP. I activated the SNMP protocol on ESXi and can get information with snmpwalk and snmpget. But I don't know which OID is the right one to get the network info of my desired VM.
I want to get some information like the ones that the following commands return inside ESXi shell:
esxcli network vm list
esxcli network vm port list -w
esxcli network port stats get -p
Any help is appreciated.
Make sure you've configured SNMP Agent properly: Configure SNMP for ESXi
ESXi supports all standard MIBs like IF-MIB, HOST-RESOURCES-MIB, BRIDGE-MIB and others.
It also supports some vendor-specific MIBs: VMWARE-RESOURCES-MIB, VMWARE-ENV-MIB and some others.

Block IP from accessing Google Compute Engine instance

I'm trying to block a certain IP address or range to reach my WordPress server that's configured on my Google Compute Engine server.
I know I can block it via Apache, but even if I do, my access_logs will still be filled with 403 errors from requests from this IP.
Is there any way to block the IP entirely and not even let it reach Apache?
Thanks in advance for any help.
If you want to block a single IP address, but allow all other traffic, the simplest option is probably to use iptables on the host. The GCE firewall rules are designed to control which IP addresses can reach your instance, but allowing everything on the internet except one address would probably be annoying to write.
To block a single IP address with iptables:
iptables -A INPUT -s $IP_ADDRESS -j DROP
or to just drop HTTP (but not HTTPS or other protocols):
iptables -A INPUT -s $IP_ADDRESS -p tcp --destination-port 80 -j DROP
Note that you'll need to run the above command as root in either case.
By default all incoming traffic to GCE is blocked except for the ports and range of IPs that are allowed to have access. Allowing everything to connect except a specific IP or a range of IP addresses is not supported on the GCE firewall. As a workaround, you can set up a Load Balancer and allow incoming traffic from the LB IP address only to the instance. You can find more information in this Help Center article.
Yes, you can block it using the gcloud firewall.
Try creating the firewall rule from the command line or by logging in to Google Cloud.
Example:
gcloud compute firewall-rules create tcp-deny --network example-network --source-ranges 10.0.0.0/8 --deny tcp:80
The above rule will block the range 10.0.0.0/8 to port 80 (tcp).
The same can be done to block other IP ranges over tcp and udp.
For more info check this: gcloud network config
Bitnami developer here
If you want to block a certain IP, you can use iptables as it's pointed in this post.
Also, if you want to have your iptables rules active when you reboot your machine, you have to do the following:
sudo su
iptables-save > /opt/bitnami/iptables-rules
crontab -e
Now edit the file and include this line at the end:
@reboot /sbin/iptables-restore < /opt/bitnami/iptables-rules
This way, on every boot, the system will load the iptables rules and apply them.
To block offending IPs, there are methods at different levels. From a performance perspective, generally:
Network firewall > VM iptables > VM web server > VM application.
Google Cloud has a built-in firewall at no cost.
For example, this gcloud command creates one firewall rule that can block one or more IPs.
gcloud compute --project=your-project-id firewall-rules create your-firewall-rule-name --direction=INGRESS --priority=900 --network=default --action=DENY --rules=all --source-ranges=ip1,ip2,ip3…
For the command parameters' reference see here: https://cloud.google.com/sdk/gcloud/reference/compute/firewall-rules/create
You can also use the Google Cloud console or REST API to create it, but on the console it's not easy to input lots of IPs.
The built-in firewall's current limits:
One project can create 100 firewall rules.
One firewall rule can block 256 IP sources.
If there are 10 other firewall rules, you can block 90x256=23040 standalone IPs, which is enough for the general case.
Note: the Google Cloud App Engine firewall is separate from the built-in firewall.
Linux iptables
See other answers.
Web server
Apache and Nginx can also block IPs.
Application
Blocking IPs here is not recommended. But the application can help analyse which IPs need to be blocked, for example after many failed logins.
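As an added example (not the answer's own code, and not a Google tool), the Python script below takes a long list of IPs and CIDRs, merges duplicates and adjacent ranges with the standard ipaddress module, and splits the result into groups of at most 256 source ranges, emitting one gcloud firewall-rules create command per group with the flags shown in the answer above. The 256-per-rule limit is the one the answer quotes; the project id, the rule name prefix and the sample address list are constructed placeholders.

```python
import ipaddress
import shlex

# Per-rule source-range limit quoted in the answer above.
MAX_SOURCE_RANGES = 256


def normalize_sources(entries):
    """Parse IPs and CIDRs, drop duplicates and merge adjacent or overlapping ranges.

    collapse_addresses() accepts one address family at a time, so IPv4 and IPv6
    entries are merged separately and then concatenated.
    """
    nets = [ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()]
    merged = []
    for version in (4, 6):
        same_family = [n for n in nets if n.version == version]
        if same_family:
            merged.extend(ipaddress.collapse_addresses(same_family))
    return merged


def chunk_sources(nets, size=MAX_SOURCE_RANGES):
    """Split the network list into groups no larger than one rule may hold."""
    return [nets[i:i + size] for i in range(0, len(nets), size)]


def build_commands(entries, project, network="default", name_prefix="block-bad-ips", priority=900):
    """One gcloud firewall-rules create command per chunk, using the flags from the answer above.

    project, network and name_prefix are caller-supplied placeholders, not real resources.
    """
    commands = []
    for index, chunk in enumerate(chunk_sources(normalize_sources(entries)), start=1):
        argv = [
            "gcloud", "compute", f"--project={project}", "firewall-rules", "create",
            f"{name_prefix}-{index}",
            "--direction=INGRESS", f"--priority={priority}", f"--network={network}",
            "--action=DENY", "--rules=all",
            "--source-ranges=" + ",".join(str(n) for n in chunk),
        ]
        commands.append(" ".join(shlex.quote(arg) for arg in argv))
    return commands


# Constructed sample list (RFC 5737 documentation prefixes): a duplicate host, two /25 halves
# that merge into one /24, and 128 scattered hosts that cannot be merged.
SAMPLE_ENTRIES = (
    ["203.0.113.5", "203.0.113.5/32", "198.51.100.0/25", "198.51.100.128/25"]
    + [f"192.0.2.{i}" for i in range(0, 256, 2)]
)

if __name__ == "__main__":
    for cmd in build_commands(SAMPLE_ENTRIES, "example-project-id"):
        print(cmd)
```

Merging first matters because the limit counts source ranges, not addresses: 256 consecutive hosts collapse into a single /24 and consume one slot instead of a whole rule.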
If you want your system to automatically block all bad ip addresses in the GCP Firewall you can check out the Gatekeeper for Google Cloud Firewall.
It analyses your network connections and WordPress/Apache logs dynamically and creates appropriate rules to ward off DoS and DDoS attacks as well as spying bots.

Find MAC address through direct ethernet connection

I want to find the MAC address of a device. Example: plug a network cable from my Linux machine to the target device, send some command, receive the MAC.
The best solution I have now is to connect a router to the device, wait for it to give out a dhcp lease, connect to the router via ssh and read out the lease table.
I understand that dhcp servers wait for a request from the device and then give out a lease but I would like to actively send some request to the device and get the MAC from the answer directly.
The biggest problem seems to be that without running a dhcp server I can't communicate with the device. Can this be done through a lower layer? Maybe an ARP request?
Thanks!
Ping the other device first and then run the command
arp -a
You can see the MAC address of the device you just pinged.
If you don't know the MAC address of a device the only way to communicate with it is via some sort of broadcast. This implies that there is some software active on the host listening for such a broadcast that will reply. This is how hosts (using ARP) resolve MAC addresses on the local network from an IP address. ARP won't work for you unless you know the IP address.
If you just have a device with no protocol support you're stuck.
If you're using linux, there is wireshark (or the CLI version tshark):
sudo apt-get install tshark
sudo tshark -i eth0
You will see every packet your laptop or the attached device is sending over that ethernet interface. Assuming the device is powered on, you will probably see the MAC address you are looking for somewhere in all of the low level network protocol spew. If you aren't getting much spew, try re-plugging the ethernet cable. (Sorry; I came here looking for a better answer myself)
We solved this by listening for packets from the target machine and extracting the MAC address from the first packet we get.
Thanks for all the answers though!
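The approach the poster settled on, as an added example that is not the poster's code: decode the Ethernet header of captured frames with struct, skip frames that our own interface sent, and take the source MAC of the first frame from anyone else. When that frame is an ARP packet (a freshly connected device often announces itself with one), the ARP body also yields the IP the device claims, which helps with connecting to it afterwards. Capturing real frames needs a raw socket (AF_PACKET on Linux) and root; here the frames, MAC addresses and IPs are constructed so the script runs offline.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = b"\xff" * 6

# Constructed addresses for the example (locally administered MACs).
OUR_MAC = bytes.fromhex("02aabbccdd01")
DEVICE_MAC = bytes.fromhex("02aabbccdd02")


def mac_to_str(raw):
    """Format six raw bytes as a colon-separated lowercase MAC string."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame):
    """Split an Ethernet II frame into (dst_mac, src_mac, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return mac_to_str(dst), mac_to_str(src), ethertype, frame[14:]


def parse_arp(payload):
    """Decode an Ethernet/IPv4 ARP packet (RFC 826) into its addressing fields."""
    if len(payload) < 28:
        raise ValueError("ARP packet shorter than 28 bytes")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {
        "op": op,  # 1 = request, 2 = reply
        "sender_mac": mac_to_str(sha),
        "sender_ip": socket.inet_ntoa(spa),
        "target_mac": mac_to_str(tha),
        "target_ip": socket.inet_ntoa(tpa),
    }


def first_foreign_source(frames, own_macs):
    """Return (src_mac, arp_fields_or_None) for the first frame not sent by one of our own MACs."""
    own = {m.lower() for m in own_macs}
    for frame in frames:
        _dst, src, ethertype, payload = parse_ethernet(frame)
        if src in own or src == mac_to_str(BROADCAST_MAC):
            continue
        arp = parse_arp(payload) if ethertype == ETHERTYPE_ARP else None
        return src, arp
    return None


def build_arp_frame(src_mac, dst_mac, op, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet II frame carrying an ARP packet; used here only to construct sample input."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      sender_mac, socket.inet_aton(sender_ip),
                      target_mac, socket.inet_aton(target_ip))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_ARP) + arp


# Constructed capture: our own ARP probe goes out first, then the device announces itself
# with a gratuitous ARP (sender and target IP identical), as many devices do on link-up.
SAMPLE_FRAMES = [
    build_arp_frame(OUR_MAC, BROADCAST_MAC, 1, OUR_MAC, "169.254.1.1", b"\x00" * 6, "169.254.1.2"),
    build_arp_frame(DEVICE_MAC, BROADCAST_MAC, 1, DEVICE_MAC, "192.168.0.50", b"\x00" * 6, "192.168.0.50"),
]

if __name__ == "__main__":
    src, arp = first_foreign_source(SAMPLE_FRAMES, [mac_to_str(OUR_MAC)])
    print("device MAC:", src)
    if arp:
        print("device claims IP:", arp["sender_ip"])
```

On a real capture, feed `first_foreign_source` the raw frames from an AF_PACKET socket bound to the cable's interface; the only per-host input it needs is that interface's own MAC, so it does not depend on running a DHCP server or knowing the device's IP in advance.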

VirtualBox networking for an NGINX client having multiple hostnames

I have a host laptop running Debian, and a client VM running Debian. On the client, I run NGINX, and it serves up a complex web application with several hostnames (e.g. www.host, api.host, blog.host). The laptop moves between several different networks, with a seemingly ever-changing IP address.
I'm trying to meet the following conditions with this VM:
The IP address of the client shouldn't change (e.g. always 192.168.10.10)
With a static IP, I could edit the host /etc/hosts file and keep complex hostnames
The client should have access to the Internet
No other machines need to access the client
What is the best way to set up the Attached to settings for this client?
To do this, simply add two network interfaces to the box.
The first interface will use Host-Only, and that is how your host can connect to the client. This will create an additional network adapter on the host.
The second interface will use NAT, and that is the gateway to the internet. This will create an additional network adapter on the client.
If you've already got a client running, you'll need to get the next network adapter up and running by executing sudo ifconfig eth1 up and to get an IP address, run sudo dhclient eth1.

targeting an access point with iptables

I can target a client IP address on my router like:
iptables -I INPUT -s 123.456.7.89 -j DROP
Is it possible to target the IP of the access point the client device is connecting through instead (or the SSID, since each access point has its own)?
I've been looking at the match flag but can't find anything there. Thanks.
The only way is to filter by mac address, but it's not so easy.
Please spend some time with this picture:
Using the MAC module extension for iptables from here
The side effect explained here occurs when the netfilter code is enabled in the kernel, the IP packet is routed and the out device for that packet is a logical bridge device. The side effect is encountered when filtering on the MAC source in the iptables FORWARD chains. As should be clear from earlier sections, the traversal of the iptables FORWARD chains is postponed until the packet is in the bridge code. This is done so we can filter on the bridge port out device. This has a side effect on the MAC source address, because the IP code will have changed the MAC source address to the MAC address of the bridge device.
It is therefore impossible, in the iptables FORWARD chains, to filter on the MAC source address of the computer sending the packet in question to the bridge/router. If you really need to filter on this MAC source address, you should do it in the nat PREROUTING chain.
Agreed, very ugly, but making it possible to filter on the real MAC source address in the FORWARD chains would involve a very dirty hack and is probably not worth it.