Saturday, February 22, 2020

Setting Up Suricata on an Ethernet Network Bridge with Pi 4

Setup

Running ip a should list three eth devices.
For our setup, eth0 will be the "management" interface and will not participate in the bridge; eth1 and eth2 will be merged into a single bridged interface.

Bridge the Networks

Install bridge-utils.
sudo apt install bridge-utils
Edit /etc/dhcpcd.conf and add:
denyinterfaces eth1 eth2

Edit /etc/network/interfaces and add:
auto br0
iface br0 inet manual
    bridge_ports eth1 eth2

Reboot, then confirm the bridge is up:

ip a show br0
6: br0: broadcast mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:0a:cd:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.2/24 brd 192.168.0.255 scope global noprefixroute br0
       valid_lft forever preferred_lft forever
    ...

Install Suricata

sudo apt install suricata

Configuring Suricata rules is left as an exercise for the reader; there are many options that could work here.

Sense Traffic Over the Bridge

sudo iptables -I FORWARD -i eth1 -o eth2 -j NFQUEUE
sudo iptables -I FORWARD -i eth2 -o eth1 -j NFQUEUE

Become a Bump in the Wire

sudo iptables -I INPUT -i eth1 -j DROP
sudo iptables -I INPUT -i eth2 -j DROP
sudo iptables -I OUTPUT -o eth1 -j DROP
sudo iptables -I OUTPUT -o eth2 -j DROP

Save iptables Rules

sudo apt install iptables-persistent
sudo iptables-save | sudo tee /etc/iptables/rules.v4

Set Suricata to Queue Mode

Edit /lib/systemd/system/suricata.service and modify the ExecStart line so it matches the following:

ExecStart=/usr/bin/suricata -D -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -q 0

Restart Suricata

sudo systemctl restart suricata.service
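As an added example (not part of the original post), here is a small POSIX sh check that reads the saved iptables dump and the Suricata unit and confirms the setup matches the steps above: both bridge directions queued, all four DROP rules present, and the queue number in the rules equal to the -q value Suricata was given. The file paths and sample contents below are constructed; on the Pi, point it at /etc/iptables/rules.v4 and the edited unit file.

```shell
#!/bin/sh
# Added check for the bump-in-the-wire setup (example code, not from the post).
# Reads an iptables-save dump and the Suricata unit; confirms both bridge directions
# are queued, bridge ports are closed to the host, and the NFQUEUE number matches -q.
# Print the queue number used by the FORWARD NFQUEUE rules in $1 (fails if none).
nfqueue_num() {
    grep -Eq '^-A FORWARD .*-j NFQUEUE' "$1" || return 1
    # iptables-save normally writes "--queue-num N"; an older dump may omit it (0).
    n=$(sed -n 's/^-A FORWARD .*-j NFQUEUE.*--queue-num \([0-9]*\).*/\1/p' "$1" | sort -u)
    echo "${n:-0}"
}

# Return 0 when $1 contains the six rules from the post; name the first one missing.
check_rules() {
    f="$1"
    grep -Eq '^-A FORWARD -i eth1 -o eth2 -j NFQUEUE' "$f" || { echo "missing eth1->eth2 NFQUEUE"; return 1; }
    grep -Eq '^-A FORWARD -i eth2 -o eth1 -j NFQUEUE' "$f" || { echo "missing eth2->eth1 NFQUEUE"; return 1; }
    for port in eth1 eth2; do
        grep -Eq "^-A INPUT -i $port -j DROP" "$f"  || { echo "missing INPUT drop on $port"; return 1; }
        grep -Eq "^-A OUTPUT -o $port -j DROP" "$f" || { echo "missing OUTPUT drop on $port"; return 1; }
    done
    # NFQUEUE with no listener fails closed; --queue-bypass would fail open, so flag it.
    grep -q -- '--queue-bypass' "$f" && echo "warning: --queue-bypass set, bridge fails open"
    return 0
}

# Return 0 when the unit in $1 runs Suricata with -q on the same queue as the rules in $2.
check_unit() {
    q=$(sed -n 's/^ExecStart=.* -q \([0-9]*\).*/\1/p' "$1")
    [ -n "$q" ] || { echo "ExecStart has no -q <queue>"; return 1; }
    [ "$q" = "$(nfqueue_num "$2")" ] || { echo "queue mismatch: unit -q $q, rules $(nfqueue_num "$2")"; return 1; }
}

# Constructed samples: the dump the post's commands produce, plus a broken variant
# that leaves the eth2->eth1 direction unqueued so traffic would bypass Suricata.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/rules.v4" <<'EOF'
*filter
-A INPUT -i eth2 -j DROP
-A INPUT -i eth1 -j DROP
-A FORWARD -i eth2 -o eth1 -j NFQUEUE --queue-num 0
-A FORWARD -i eth1 -o eth2 -j NFQUEUE --queue-num 0
-A OUTPUT -o eth2 -j DROP
-A OUTPUT -o eth1 -j DROP
COMMIT
EOF
grep -v 'eth2 -o eth1' "$SAMPLE_DIR/rules.v4" > "$SAMPLE_DIR/rules_broken.v4"
printf 'ExecStart=/usr/bin/suricata -D -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -q 0\n' > "$SAMPLE_DIR/suricata.service"
check_rules "$SAMPLE_DIR/rules.v4" && check_unit "$SAMPLE_DIR/suricata.service" "$SAMPLE_DIR/rules.v4" \
    && echo "rules and unit agree: queue $(nfqueue_num "$SAMPLE_DIR/rules.v4")"
```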
