I am still waiting on purchasing a new-to-me system for my Security Onion setup. In the meantime I have added an additional NIC to my main computer and set up a Security Onion VM.
The plan was to use the additional NIC to mirror the main ethernet cable from my router (EdgeRouter Lite) to the switch (TP-Link SG2008).
In the TP-Link I set up port 1 ingress/egress to be mirrored to port 8 and ran a new ethernet cable from port 8 to the new NIC on the PC. Next, I installed the Security Onion VM and made all the necessary updates to the system.
I used the two NICs with one set up as management and the second in promiscuous mode. After this, I opened up Kibana to see the traffic. On a side note, I have not used the ELK stack often, being more used to Splunk, but was able to get a general first impression.
One thing I noticed was that my internet speeds were also drastically slower, but I think this was just timing and not directly related to the port mirroring. I undid all my changes to my NIC card just in case, and tested speeds from my router (4 Mbps) when I should be getting 150 Mbps per my internet provider.
Later that evening, my speeds returned with no real changes by me. So I will go back and re-set up the switch, and continue to ingest data.
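As an added example that is not part of the original post, the following script shows the two pieces of this setup that are easy to get subtly wrong: preparing the second NIC as a pure sniffing interface (no IP address, promiscuous, NIC offloading disabled so the sensor sees frames as they were on the wire) and then checking that mirrored frames are actually arriving. It also includes a small check for SPAN oversubscription, since mirroring both directions of a port into a single destination port of the same speed can exceed what that port can carry, in which case the switch silently drops mirrored frames. It assumes the sniffing NIC is eth1 (override with MON_IF), that the source and destination ports are 1 Gbit/s, and it only changes system state when invoked with the argument "run".

```shell
#!/bin/sh
# Added example (not from the original post): prepare a Linux sniffing NIC the way a
# Security Onion sensor expects and check that mirrored frames actually arrive on it.
# Assumptions: the second NIC is "eth1" (override with MON_IF); the switch mirrors both
# directions of a 1 Gbit/s port into another 1 Gbit/s port.

MON_IF="${MON_IF:-eth1}"

# Monitor NIC: no IP address, no ARP, promiscuous, offloads off so the sensor sees
# frames as they were on the wire rather than coalesced by the NIC. Needs root.
prepare_monitor_if() {
  ip addr flush dev "$1"
  ip link set dev "$1" arp off
  ip link set dev "$1" promisc on
  ip link set dev "$1" up
  for feature in rx tx sg tso ufo gso gro lro; do
    ethtool -K "$1" "$feature" off 2>/dev/null || true   # not every NIC has every feature
  done
}

# Raw receive counter for an interface, read from sysfs.
rx_packets() {
  cat "/sys/class/net/$1/statistics/rx_packets"
}

# Pure helper: classify two rx_packets samples taken $3 seconds apart.
# "none" means the mirror port delivers nothing (wrong port, cable, or the mirror
# rule not applied); "low" means only broadcast-level noise is reaching the sensor.
mirror_verdict() {
  delta=$(( $2 - $1 ))
  if [ "$delta" -le 0 ]; then
    echo none
  elif [ $(( delta / $3 )) -lt 10 ]; then
    echo low
  else
    echo ok
  fi
}

# Pure helper: a SPAN destination is oversubscribed when the mirrored source traffic
# (speed in Mbit/s times number of mirrored directions) can exceed the destination
# port's speed; the switch then drops mirrored frames without any error.
span_oversubscribed() {   # $1=source Mbit/s  $2=directions (1 or 2)  $3=destination Mbit/s
  if [ $(( $1 * $2 )) -gt "$3" ]; then echo yes; else echo no; fi
}

# Sample the counter twice and report whether mirrored traffic is flowing.
check_mirror() {   # $1=interface  $2=seconds to sample
  before=$(rx_packets "$1")
  sleep "$2"
  after=$(rx_packets "$1")
  mirror_verdict "$before" "$after" "$2"
}

# Only touch the system when explicitly asked, so the helpers can also be sourced.
if [ "${1:-}" = "run" ]; then
  prepare_monitor_if "$MON_IF"
  echo "mirror on $MON_IF: $(check_mirror "$MON_IF" 10)"
  echo "ingress+egress of a 1G port into a 1G SPAN port oversubscribed: $(span_oversubscribed 1000 2 1000)"
fi
```

Run it as root with "sh monitor-nic.sh run" on the Security Onion VM after the mirror is configured; a "none" verdict points at the switch side (mirror rule, port numbers, cable), while "yes" from the oversubscription check explains gaps in captured sessions without the mirrored link itself being affected.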
Future plans:
Ingest IBM X-Force Intel Feeds
Ingest AlienVault OTX Intel Feeds
Set up Splunk forwarder
Install Splunk (new VM)
MITRE ATT&CK Framework