Introduction: Home Network Intrusion Detection System

This is my first Instructable. I was looking to build a home network intrusion detection system on a VM and was unable to find any instructions on how to do this, so I created my own and hope it helps some of you out. I apologize for the poor drawings. Please comment with any questions that you may have. If you run into any issues I will do my best to help and address them for you.

Step 1: What Is Needed

WHAT IS NEEDED:

2 routers (only one needs wireless capability)

1 smart switch (must be able to do port mirroring: http://www.amazon.com/gp/product/B00K4DS5KU/ref=oh... )

VMware Workstation (you can use other virtual environments, but this Instructable uses Workstation 9)

ISO of Security Onion: http://sourceforge.net/projects/security-onion/fil...

Desktop with a minimum of 2 Ethernet ports.

Several Ethernet cables.

Step 2: Network Topology

Connect your first router to your modem and use 10.0.0.1 (or any other private address) as its LAN gateway, but be aware that the second router must use a separate internal IP range so the two LANs do not overlap.

Then connect the first router to Port 1 of your switch.

Port 2 of the switch goes to the second router (the one with Wi-Fi), whose LAN/DHCP range is set to 192.168.0.1/24.

Port 3 of the switch goes to your desktop.

I'm using Port 8 as the mirror (destination) port for Port 1 of the switch, so everything entering or leaving Port 1 is copied to Port 8.
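To make the Step 2 wiring concrete, here is an added Python model of the topology (my example, not code from the original Instructable). Host names such as wifi-laptop, wifi-phone and desktop, and the 10.0.0.50 WAN address for the second router, are assumptions. It answers two questions a practitioner should settle before plugging cables in: does a given flow cross the mirrored Port 1 (and so reach the Security Onion sniffing interface on Port 8), and do the two routers' address ranges obey the rule in the first paragraph. The model goes slightly beyond the text: it also shows what changes if you mirror Port 2 instead.

```python
"""Which flows does the mirror of switch Port 1 actually see?"""
import ipaddress
from collections import deque

# Constructed model of the Step 2 topology (host names are hypothetical).
# Switch ports are separate nodes so a path can be tested for crossing one.
LINKS = [
    ("internet", "modem"),
    ("modem", "router1"),
    ("router1", "switch:port1"),
    ("switch:port1", "switch"),
    ("switch", "switch:port2"),
    ("switch:port2", "router2"),
    ("switch", "switch:port3"),
    ("switch:port3", "desktop"),
    ("router2", "wifi-laptop"),   # client on the second router's Wi-Fi
    ("router2", "wifi-phone"),    # another Wi-Fi client
]


def build_graph(links):
    """Undirected adjacency sets from the link list."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def path(graph, src, dst):
    """BFS path from src to dst as a list of nodes; None if unreachable.
    The home topology is a tree, so this is the only path frames can take."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in sorted(graph.get(node, ())):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        return None
    nodes = []
    while dst is not None:
        nodes.append(dst)
        dst = prev[dst]
    return nodes[::-1]


def seen_by_mirror(graph, src, dst, mirrored_port="switch:port1"):
    """True if frames between src and dst cross the mirrored switch port,
    i.e. a copy reaches the Security Onion sniffing interface on Port 8."""
    p = path(graph, src, dst)
    return p is not None and mirrored_port in p


def visibility_report(links, flows, mirrored_port="switch:port1"):
    """Map each (src, dst) flow to whether the mirror sees it."""
    graph = build_graph(links)
    return {flow: seen_by_mirror(graph, flow[0], flow[1], mirrored_port)
            for flow in flows}


def ranges_ok(lan1, lan2, router2_wan):
    """Step 2's addressing rule: the two LANs must not overlap, and the second
    router's WAN side must get an address inside the first router's LAN."""
    n1 = ipaddress.ip_network(lan1, strict=False)
    n2 = ipaddress.ip_network(lan2, strict=False)
    return (not n1.overlaps(n2)) and ipaddress.ip_address(router2_wan) in n1


if __name__ == "__main__":
    flows = [("wifi-laptop", "internet"), ("wifi-laptop", "router1"),
             ("wifi-laptop", "desktop"), ("desktop", "internet"),
             ("wifi-laptop", "wifi-phone")]
    for flow, seen in visibility_report(LINKS, flows).items():
        print(f"{flow[0]:>12} -> {flow[1]:<12} mirrored: {seen}")
    print("addressing ok:",
          ranges_ok("10.0.0.1/24", "192.168.0.1/24", "10.0.0.50"))
```

What the model shows: mirroring Port 1 copies everything to or from the first router, so Internet-bound traffic from both LANs and anything aimed at 10.0.0.1 is captured, but a flow between two other switch ports (the Wi-Fi laptop talking to the desktop) never touches Port 1 and is invisible to the sensor. Mirroring Port 2 instead captures everything leaving the Wi-Fi router, at the cost of losing the desktop's Internet traffic. A mirror port only ever sees what crosses the port it copies.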

Step 3: How to Set Up the VMware Networking

In VMware Workstation 9 go to Edit -> Virtual Network Editor.

The default contains three connections: 1 Bridged, 1 Host-only, and 1 NAT.

Click Add Network (I used VMnet2).

Set it to Bridged and select your second Ethernet port, the one cabled to the mirror port, as the interface it bridges to (mine was an Intel port).

Then click apply and OK.

Step 4: Setting Up Your Security Onion

I'm not going to go through the full install of Security Onion in this Instructable because there are plenty of other instructions out there. The image shows the settings I used; make sure that you have created two network adapters for the VM and that the second one is set to the new bridged VMnet you created, since that is the adapter Security Onion will sniff on.

Step 5: Mirroring Port

TP-Link makes mirroring ports really simple.

The picture says it all.

Step 6: Running a Test

To verify that my IDS was working properly, I used a laptop on the Wi-Fi of the second router to run an nmap scan of both internal address spaces (10.0.0.1/24 and 192.168.0.1/24).

Once that was complete, I went onto my Security Onion box and into Snorby to verify that events had been logged.

And that's all there is to it.
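Snorby's event list is the quick way to confirm the test in Step 6, but it helps to know what the scan looks like in the raw sensor alerts too. Below is an added Python example (mine, not from the Instructable or the Security Onion project) that parses Snort fast-format alert lines and summarizes them per source so a port sweep stands out. The alert lines, messages, SIDs and addresses are constructed for the example; 10.0.0.50 stands in for the second router's WAN address, because the laptop's probes are NATed by that router before they cross the mirrored Port 1, so the sensor sees the router's address rather than the laptop's 192.168.0.x address. The scan-detection thresholds are this example's choice, not a Security Onion setting.

```python
"""Summarise Snort fast-format alerts per source to confirm a scan was logged."""
import re
from collections import defaultdict

# Constructed alert lines in Snort's "fast" format (messages, SIDs and addresses
# are invented for this example). The Wi-Fi laptop sits behind the second
# router's NAT, so the mirror on Port 1 records that router's WAN address
# (10.0.0.50 here, an assumption) as the source, not the laptop's 192.168.0.x.
SAMPLE_ALERTS = """\
02/23-14:05:11.103011  [**] [1:1000001:1] CONSTRUCTED SCAN ICMP echo sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.50 -> 10.0.0.1
02/23-14:05:12.201742  [**] [1:1000002:1] CONSTRUCTED SCAN TCP SYN probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.50:51412 -> 10.0.0.1:22
02/23-14:05:12.201900  [**] [1:1000002:1] CONSTRUCTED SCAN TCP SYN probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.50:51413 -> 10.0.0.1:80
02/23-14:05:12.202044  [**] [1:1000002:1] CONSTRUCTED SCAN TCP SYN probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.50:51414 -> 10.0.0.1:443
02/23-14:05:12.202198  [**] [1:1000002:1] CONSTRUCTED SCAN TCP SYN probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.50:51415 -> 10.0.0.1:445
02/23-14:05:12.202351  [**] [1:1000002:1] CONSTRUCTED SCAN TCP SYN probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.50:51416 -> 10.0.0.1:3389
02/23-14:07:40.550120  [**] [1:1000003:1] CONSTRUCTED POLICY cleartext HTTP request [**] [Priority: 3] {TCP} 10.0.0.10:40022 -> 203.0.113.5:80
this line is not an alert and must be skipped
"""

# One fast-format line: timestamp, [gid:sid:rev], message, optional
# classification, priority, {proto}, src[:port] -> dst[:port] (IPv4 only here).
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alert(line):
    """Return a dict for one fast-format alert line, or None if it does not parse."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "pri"):
        rec[key] = int(rec[key])
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None  # ICMP has no ports
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def summarize_by_source(text):
    """Per source address: alert count, distinct targets, target ports, rule SIDs."""
    summary = defaultdict(lambda: {"alerts": 0, "dst_hosts": set(),
                                   "dst_ports": set(), "sids": set()})
    for line in text.splitlines():
        rec = parse_fast_alert(line)
        if rec is None:
            continue          # skip anything that is not an alert line
        entry = summary[rec["src"]]
        entry["alerts"] += 1
        entry["dst_hosts"].add(rec["dst"])
        entry["sids"].add(rec["sid"])
        if rec["dport"] is not None:
            entry["dst_ports"].add(rec["dport"])
    return dict(summary)


def scan_candidates(summary, min_ports=5, min_hosts=3):
    """Sources that touched many ports on a host, or many hosts: the footprint
    an nmap sweep leaves in the alert log (thresholds are this example's choice)."""
    return sorted(src for src, e in summary.items()
                  if len(e["dst_ports"]) >= min_ports
                  or len(e["dst_hosts"]) >= min_hosts)


if __name__ == "__main__":
    summary = summarize_by_source(SAMPLE_ALERTS)
    for src, e in sorted(summary.items()):
        print(f"{src:<12} alerts={e['alerts']:<3} hosts={len(e['dst_hosts'])} "
              f"ports={sorted(e['dst_ports'])}")
    print("scan-like sources:", scan_candidates(summary))
```

On a real sensor you would feed this the fast alert file for the sniffing interface instead of SAMPLE_ALERTS; the per-source summary is the same view Snorby gives you, reduced to the one question Step 6 asks: did the scan from the Wi-Fi side produce events, and from which address did the sensor see it.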

Comments

somnitek, 2016-05-18

Hi Scott,

Trying to implement your design with some minor modifications.

So, instead of 2 routers, I have one Netgear R700, one TP-LINK switch (same model as mentioned), and a laptop with the S.O. distro installed. I actually installed it using Suricata, so I might have to switch it to Snorby. Anyway, I'm assembling it as we speak. Can you foresee any reason this config won't work, or what I might need to change?

I know, it's a SUPER general, possibly too vague, kind of question, maybe, so I'll be back with more specific questions, but I would SUPER appreciate any advice you might have. Thanks for the Instructable, scottrp21! You're awesome!

scottrp21 (author), 2016-05-18

A few thoughts about your configuration. If you have your network set up modem -> router/wifi -> switch -> everything else, and your S.O. box is on your switch on a mirrored port, then you won't see any of the traffic that is on your wifi. That is why I had to run the two routers, one to NAT my network and one for wifi, so the S.O. box would see the traffic. The hardest thing with doing S.O. on a laptop is that you only have one NIC, which means you have no management interface.

MatthewK61, 2016-01-09

A lot of motherboards have a built in ethernet port and/or a built in wifi, you can pull this off with one strong layer 2 switch that can vlan/span and one router with wifi/ethernet so long as the modem can reach the router through the switch, ie: wan <> modem <> switch <> router <> PC/other-devices. You have a span port on the switch that sniffs traffic on the wan and sends it out one of its spanned ports to your physical nic on the computer. Your computer is on the wifi with the router. The layer 2 switch has 2 ports on the same vlan, one of the ports goes to the modem ethernet port, the other goes to what is normally called the wan port on the router. This gives lan connectivity over the wifi for the computer to the router, span port off the layer 2 to the computer, make the wifi the primary. If you use a netgear prosafe gs108E (layer 2 switch) with spanning capabilities then you'll want to make sure one of the lan ports on the router goes to another of the ports on that layer two switch and that this port on the layer two switch is the management port (this probably should be setup first so you don't lose sight of it).

I heavily prefer wired connectivity for all LAN comms though, so two physical NICs is preferred (healthier and more secure traffic).

seamster, 2015-02-23

Hey, welcome to Instructables!

Thank you for sharing your first project here. So how did this all turn out? Did everything work as planned?

scottrp21 (author), 2015-02-23

Everything worked out well; it saved a ton of money not needing a dedicated hardware machine.
