Suricata running on LXC

Hello guys, can you help me please? I want to run Suricata installed in an LXC container (Ubuntu 20.04) and send all its logs for processing to a VM running on my laptop. I want it to see all traffic that goes through the Omnia. What I need help with is:

  1. Has any of you tried to achieve the same thing? Did you succeed? What steps did you take to get there?

  2. What's the best network setup for this purpose? Just assign all interfaces of the Omnia to the LXC container with Suricata and set them to promiscuous mode?

I've read these documents, but I guess I'm still missing some pieces of information:

https://doc.turris.cz/doc/en/howto/lxc

Thank you in advance.

So it seems I only need to monitor the br-lan interface to see all the traffic on my LAN. The blog.ry2L tutorial might be it, but it seems I'm still missing something.

I've created a new interface on the TO, defined in /etc/config/network as follows:

config interface 'monbrlan'
	option proto 'none'
	option force_link '1'

Then I installed daemonlogger and tried to run it, but even though I got no error, I could only see broadcast traffic on the eth0 interface inside the LXC container:

daemonlogger -i br-lan -o monbrlan

I then tried installing the port-mirroring package. I configured it in /etc/config/port-mirroring:

config 'port-mirroring'
    option source_ports 'br-lan,br-guest_turris'    # interfaces (maximum of 4) to copy packets from
    option promiscuous  '1'                         # put source interface(s) in promiscuous mode
    option target       '[IP_of_LXC_machine]'       # interface or IP address to send packets to
    option protocol     'TEE'                       # 'TEE' iptables (default) or 'TZSP' TaZmen Sniffer Protocol
    option filter       ''                          # optional tcpdump/libpcap packet filter expressions

But that didn't work either.

What am I not getting?
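A quick check for the symptom in the post above (only broadcast frames arriving on eth0 inside the container), added here as an example and not taken from the thread: it parses a classic pcap captured inside the container and reports whether any unicast frames made it through the mirror at all. The minimal pcap reader, the sample frames and the MAC addresses are constructed for this example.

```python
import struct
from collections import Counter

def iter_pcap_frames(data: bytes):
    """Yield raw link-layer frames from a classic (non-pcapng) pcap byte string."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:      # file written little-endian
        endian = "<"
    elif magic == 0xD4C3B2A1:    # file written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    off = 24                     # skip the 24-byte global header
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def classify_dst(frame: bytes) -> str:
    """Classify an Ethernet frame by its destination MAC."""
    dst = frame[:6]
    if dst == b"\xff" * 6:
        return "broadcast"
    if dst[0] & 1:               # group bit set: multicast
        return "multicast"
    return "unicast"

def mirror_health(pcap: bytes) -> dict:
    """Count frame classes; a mirror that only delivers broadcast is not working."""
    counts = Counter(classify_dst(f) for f in iter_pcap_frames(pcap) if len(f) >= 14)
    return {"total": sum(counts.values()), "broadcast": counts["broadcast"],
            "multicast": counts["multicast"], "unicast": counts["unicast"],
            "mirror_ok": counts["unicast"] > 0}

def build_pcap(frames) -> bytes:
    """Constructed little-endian pcap (linktype 1 = Ethernet) around the given frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def sample_frame(dst: bytes) -> bytes:
    src = b"\x02\x00\x00\x00\x00\x01"              # made-up, locally administered source MAC
    return dst + src + b"\x08\x00" + b"\x00" * 46  # IPv4 ethertype + zero padding (60 bytes)

BROADCAST_ONLY = build_pcap([sample_frame(b"\xff" * 6)] * 3)          # the symptom in the thread
WITH_UNICAST = build_pcap([sample_frame(b"\xff" * 6),
                           sample_frame(b"\x02\x00\x00\x00\x00\x02")])  # what a working mirror shows
```

Run it on a capture taken inside the container (for example `tcpdump -i eth0 -w mirror.pcap`) with `mirror_health(open("mirror.pcap", "rb").read())`; `mirror_ok: False` with a non-zero broadcast count means the bridge is flooding broadcasts to the container but the mirrored unicast traffic never arrives.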

OK. So I gave up. I uninstalled Pakon (it didn't seem of much use to me), destroyed the LXC container and installed Suricata, the Suricata rules and syslog-ng. Then I configured syslog-ng to send all logs to the VM with ELK running on my laptop. That might work. Now it will need some tuning, I guess.