OpenWrt Forum Archive

Topic: IDS with WRT1900ACS

The content of this topic has been archived on 30 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi,

I'm planning on running an IDS on a VM connected to a vm-bridge via a LAN port on the OpenWrt.
The way I have done it before is to mirror all traffic to the IDS. Is this possible with OpenWrt, and if so, how?
Is iptables TEE a possible solution?

Any advice?
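As an added example (not from the thread or from any poster), the following script builds the iptables TEE rules that clone packets crossing one router interface to a separate IDS host. It assumes the iptables-mod-tee package is installed, that the traffic to inspect crosses an interface called eth1.2 and that the IDS is reached through eth1.3 at 192.168.3.100 (the address and sender interface that appear later in the thread; the eth1.2 name is a placeholder). Two caveats matter for an IDS deployment: TEE only sees packets that reach the router's netfilter, so LAN-to-LAN traffic switched in hardware is never copied, and traffic to or from the IDS itself must be excluded so its own sessions and the clones it receives are not cloned again.

```shell
#!/bin/sh
# Added example, not code from the thread: mirror traffic to an IDS host with
# the iptables TEE target on OpenWrt.
# Prerequisite on the router:
#   opkg update && opkg install iptables-mod-tee
# Assumed placeholders (override via environment): MIRROR_IF is the interface
# whose traffic is copied, IDS_IF is the interface that reaches the IDS VM,
# IDS_IP is the IDS host (192.168.3.100 is the address used in the thread).

MIRROR_IF="${MIRROR_IF:-eth1.2}"
IDS_IF="${IDS_IF:-eth1.3}"
IDS_IP="${IDS_IP:-192.168.3.100}"

# Print the rules for full-duplex mirroring of one interface.
# PREROUTING catches packets arriving on the interface, POSTROUTING catches
# packets leaving through it, so every forwarded packet is cloned exactly once.
# The two RETURN rules keep the IDS's own traffic out of the mirror.
mirror_rules() {
    _if="$1"; _ids_if="$2"; _ids="$3"
    cat <<EOF
iptables -t mangle -N MIRROR
iptables -t mangle -A MIRROR -s $_ids -j RETURN
iptables -t mangle -A MIRROR -d $_ids -j RETURN
iptables -t mangle -A MIRROR -j TEE --gateway $_ids --oif $_ids_if
iptables -t mangle -A PREROUTING -i $_if -j MIRROR
iptables -t mangle -A POSTROUTING -o $_if -j MIRROR
EOF
}

# Print the commands that undo mirror_rules, in the order iptables requires
# (unhook the chain before flushing and deleting it).
cleanup_rules() {
    _if="$1"
    cat <<EOF
iptables -t mangle -D PREROUTING -i $_if -j MIRROR
iptables -t mangle -D POSTROUTING -o $_if -j MIRROR
iptables -t mangle -F MIRROR
iptables -t mangle -X MIRROR
EOF
}

# By default only show the rules; set MIRROR_APPLY=1 to execute them, or
# MIRROR_APPLY=remove to tear the mirror down again.
case "${MIRROR_APPLY:-show}" in
    1)      mirror_rules "$MIRROR_IF" "$IDS_IF" "$IDS_IP" | sh ;;
    remove) cleanup_rules "$MIRROR_IF" | sh ;;
    *)      mirror_rules "$MIRROR_IF" "$IDS_IF" "$IDS_IP" ;;
esac
```

The copies arrive at the IDS with the original source and destination addresses, so the IDS interface must be in promiscuous mode (the sniffer in the thread also runs with promiscuous enabled); Suricata's af-packet capture does this by default. To make the rules survive a reboot on OpenWrt, the output of `mirror_rules` can be appended to /etc/firewall.user.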

As I understand it, the switch on that unit should support port mirroring, so a VLAN would probably be the preferable method of implementing IDS.

I have not found any public build that has implemented port mirroring on the switch. I guess it must be enabled at driver-level?

Here are my options for swconfig:

root@OpenWrt:~# swconfig dev switch0 help
switch0: 10.mvsw61xx(MV88E6176), ports: 7 (cpu @ 5), vlans: 64
     --switch
    Attribute 1 (int): enable_vlan (Enable 802.1q VLAN support)
    Attribute 2 (none): apply (Activate changes in the hardware)
    Attribute 3 (none): reset (Reset the switch)
     --vlan
    Attribute 1 (int): port_based (Use port-based (non-802.1q) VLAN only)
    Attribute 2 (int): vid (Get/set VLAN ID)
    Attribute 3 (ports): ports (VLAN port mapping)
     --port
    Attribute 1 (string): mask (Port-based VLAN mask)
    Attribute 2 (int): qmode (802.1q mode: 0=off/1=fallback/2=check/3=secure)
    Attribute 3 (int): pvid (Primary VLAN ID)
    Attribute 4 (unknown): link (Get port link information)

Did you know there are snort packages available for OpenWrt? Potentially IDS/IDP built in and configurable.

Thanks, I will look into that!

Just looked at the snort packages, and it is advertised as NIDS, so I must leave the P off.

If the snort package compiles without issue, I'll upload to my site.

@davidc502

I did give it a try some time ago, but I didn't succeed.
From experience, running an IDS is resource-demanding with a 100 Mbit downlink, so I would prefer having this on a separate machine.

Although Snort is good, I will be using Suricata if I get some sort of mirroring/tee to work.

Thanks for helping out.

ominator wrote:

@davidc502

I did give it a try some time ago, but I didn't succeed.
From experience, running an IDS is resource-demanding with a 100 Mbit downlink, so I would prefer having this on a separate machine.

Although Snort is good, I will be using Suricata if I get some sort of mirroring/tee to work.

Thanks for helping out.

Understand completely.

Best Regards,

@aafj

Thanks for the tip.
It actually works, but just for a short time. I can see all the packets flowing in on the IDS-VM.

root@OpenWrt:~# port-mirroring --debug
2016-05-22 23:38:22[info] port-mirroring::main, mirroring_type:[remote][TEE], mirroring_source_num:[1], target:[192.168.3.100], filter:[], opt_promiscuous:[1].
2016-05-22 23:38:22[info] getSenderInterface, device=[eth1.3], mac=[c05627******].
2016-05-22 23:38:23[info] getRemoteARP, filter=[arp host 192.168.3.100], device=[eth1.3], remote mac=[326538******].
2016-05-22 23:38:23[info] port-mirroring::reopenSendHandle eth1.3 success.
2016-05-22 23:38:36[info] port-mirroring, 1000 packets mirrored.
Illegal instruction

I have no idea what this 'Illegal instruction' is. Maybe it's because of IPv6 or something?
The creator states, though, that it's only tested on Atheros AR71xx/AR724x/AR913x/AR9344 or "ar71xx".

The discussion might have continued from here.