Mirroring all router traffic (openwrt) to a snort sensor?

I want to mirror all traffic (also VPN, WLAN, WAN) from a consumer router (TPLink WR1043ND v.1.x) to a snort sensor located in the same network, but without extra hardware! The mirroring has to be done by the router (running OpenWrt Barrier Breaker).

Mirroring the WAN port of the router would even be supported by the current firmware, but the data of this stream is useless to me, because it does not contain the internal IPs of the devices connected to the router! I want the mirrored traffic from inside the router, with all internal IPs.

So, I quickly thought about tcpdump -i any. But to my knowledge it is not possible to configure 'tcpdump' to stream the mirrored traffic directly to the snort sensor (without generating and saving enormous pcap files to the hard drive)?

How do I solve this?


Appendix: Would this work using the iptables --tee option to mirror all traffic? I think I would need to install this 'TEE iptables extensions' ipkg or this 'Kernel modules for TEE' ipkg from the OpenWRT repository for it to work? Would this work or do I need something else?


Solution 1:

Yes, iptables TEE works. I have a tplink router and I am mirroring the traffic for exactly the same reason as you.

Install all the necessary modules and packages for TEE.

Assuming your monitoring IP address is 10.1.1.205, run:

iptables -A POSTROUTING -t mangle -o br-lan ! -s 10.1.1.205 -j TEE --gateway 10.1.1.205

iptables -A PREROUTING -t mangle -i br-lan ! -d 10.1.1.205 -j TEE --gateway 10.1.1.205
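The same two TEE rules wrapped in a small script, as an added example that is not the answerer's own code: it checks that the xt_TEE module is loaded, generates the rule pair for each interface you want mirrored, and only appends a rule that is not already present, so re-running it (for example from a boot hook) does not duplicate rules and double the mirrored traffic. The module name xt_TEE, the package names iptables-mod-tee and kmod-ipt-tee, and the default interface list are assumptions.

```shell
#!/bin/sh
# Added example: iptables TEE mirroring on an OpenWrt router (Barrier Breaker era).
# Assumed: sensor at $SENSOR on br-lan; $IFACES lists interfaces to mirror;
# module name xt_TEE and package names iptables-mod-tee / kmod-ipt-tee.
SENSOR="${SENSOR:-10.1.1.205}"
IFACES="${IFACES:-br-lan}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, 0 = apply them

# Is the TEE target available in the running kernel? (assumed module name)
have_tee() {
    [ -d /sys/module/xt_TEE ] || lsmod 2>/dev/null | grep -q '^xt_TEE'
}

# The two rules for one interface: copy packets leaving it (POSTROUTING, -o)
# and packets arriving on it (PREROUTING, -i). The sensor's own address is
# excluded so the copies it receives are not mirrored back to it in a loop.
tee_rules() {
    ifc="$1"
    printf '%s\n' \
      "POSTROUTING -t mangle -o $ifc ! -s $SENSOR -j TEE --gateway $SENSOR" \
      "PREROUTING -t mangle -i $ifc ! -d $SENSOR -j TEE --gateway $SENSOR"
}

# Append a rule only if an identical one is not already present (-C), so the
# script is safe to re-run; in dry-run mode just show the command.
apply_rule() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables -A $1"
    elif ! iptables -C $1 2>/dev/null; then
        iptables -A $1
    fi
}

# Generate and apply the rule pair for every interface in $IFACES.
mirror_all() {
    for ifc in $IFACES; do
        tee_rules "$ifc" | while IFS= read -r rule; do
            apply_rule "$rule"
        done
    done
}

if [ "$DRY_RUN" = 1 ] || have_tee; then
    mirror_all
else
    echo "xt_TEE not loaded; try: opkg install iptables-mod-tee kmod-ipt-tee" >&2
    exit 1
fi
```

Adding an interface that is not bridged into br-lan (a VPN tun0, for instance) to IFACES applies the same rule pair to it, which is how the VPN traffic from the question gets mirrored as well.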

Solution 2:

A patch for OpenWrt to enable port mirroring on your hardware is available, though it has received only limited testing. You can, of course, apply and test it yourself.

Solution 3:

It is now possible to set up port mirroring on OpenWrt via the Switch configuration. This can be done using the OpenWrt web interface (LuCI) by going to the Network->Switch menu, then enabling 'Enable mirroring of incoming packets' and/or 'Enable mirroring of outgoing packets' and setting the desired interfaces (the 'Mirror source port' is where you want to mirror traffic from and the 'Mirror monitor port' is where it is mirrored to). It may also be necessary to alter VLAN settings on the switch interface and the monitor interface on the monitoring device to see the traffic of interest.

Otherwise this can be achieved on the command line by editing the switch section of the network config file (/etc/config/network).

Update: With the newer versions of OpenWRT (v21 onwards) on some platforms, they have started to migrate to the new Distributed Switch Architecture (DSA), which is controlled via the Interfaces UI. It can also be configured on the command line using the tc command to configure the mirred action on the appropriate ports.

Note: There are often limitations to port mirroring, as the switch hardware in many platforms may not connect directly to all interfaces - this means that you might only be able to mirror LAN or WAN traffic. But you should be able to set up some iptables rules (as described above) to redirect/mirror that remaining traffic.