This is my first Instructable. I was looking to create my home network intrusion detection system on a VM and was unable to find any instructions on how to do this. So I created my own and hope it helps some of you out. I apologize for the poor drawings. Please comment with any questions that you may have. If you run into any issues I will do my best to help and address them for you.
Step 1: What Is Needed
2 routers (only one needs wireless capability)
1 smart switch (must be able to do port mirroring: http://www.amazon.com/gp/product/B00K4DS5KU/ref=oh... )
VMware Workstation (you can use other virtual environments, but this Instructable uses Workstation 9)
ISO of Security Onion: http://sourceforge.net/projects/security-onion/fil...
Desktop with a minimum of 2 Ethernet ports.
Several Ethernet cables.
Step 2: Network Topology
Connect your first router to your modem and use 10.0.0.1 (or any other internal IP address) as your gateway, but be aware that you will need to use a separate internal IP range for the second router.
Then connect the first router to Port 1 of your switch.
Port 2 of the switch goes to the second (wireless) router, whose DHCP range is set to 192.168.0.1/24.
Port 3 of the switch goes to your desktop.
And I'm using Port 8 to mirror Port 1 of the switch, so the desktop's second Ethernet port sees a copy of everything passing between the first router and the rest of the network.
Step 3: How to Set Up the VMware Networking
In VMware Workstation 9 go to Edit > Virtual Network Editor.
The default contains three connections: 1 Bridged, 1 Host-only, and 1 NAT.
Click Add Network (I used VMnet2).
Set it to Bridged and select your second Ethernet port, the one plugged into the mirror port, for monitoring (mine was an Intel port).
Then click Apply and OK.
Step 4: Setting Up Your Security Onion
I'm not going to go through the full install of Security Onion in this Instructable because there are plenty of other instructions out there. The image shows the settings that I used. Make sure that you have created two network adapters and that the second one is set to the new bridged VMnet that you created (the first adapter is for management; the second, on the mirror port, is the sniffing interface).
Step 5: Mirroring Port
TP-Link makes mirroring ports really simple.
The picture says it all.
Step 6: Running a Test
To verify that my IDS was working properly I used a laptop on the Wi-Fi of the second router to run an nmap scan of both internal address spaces (10.0.0.1/24 and 192.168.0.1/24).
Once that was complete I went onto my Security Onion box and into Snorby to verify that there were events logged.
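If you would rather confirm the test from the command line than by eyeballing Snorby, the following script (added here as an example, not part of the original guide or of Security Onion) parses alerts in Snort's "fast" alert format and counts how many came from the scanning laptop against each of the two internal ranges from this topology. It assumes the sensor writes alerts in that format (on Security Onion the usual location is a fast.log under /nsm/sensor_data/, which is an assumption you should check on your own box); the log lines, SIDs and addresses below are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Snort "fast" alert line, e.g.
# 10/05-14:22:31.1029  [**] [1:1228:7] SCAN nmap XMAS [**] [Classification: ...] [Priority: 2] {TCP} 192.168.0.105:44231 -> 10.0.0.1:80
# ICMP alerts have no ports, so the port groups are optional.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# The two internal ranges used in this guide's topology.
MONITORED_NETS = [ipaddress.ip_network("10.0.0.0/24"),
                  ipaddress.ip_network("192.168.0.0/24")]

def parse_fast_log(lines):
    """Return one dict per well-formed alert line; malformed lines are skipped."""
    alerts = []
    for line in lines:
        m = FAST_LOG_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts

def summarize_scan(lines, scanner_ip):
    """Count alerts whose source is the scanning host, bucketed by destination subnet."""
    counts = Counter()
    for alert in parse_fast_log(lines):
        if alert["src"] != scanner_ip:
            continue  # ignore alerts not caused by the test scan
        dst = ipaddress.ip_address(alert["dst"])
        for net in MONITORED_NETS:
            if dst in net:
                counts[str(net)] += 1
    return counts

def both_subnets_seen(counts):
    """True only if the sensor logged scan alerts against both internal ranges."""
    return all(counts[str(net)] > 0 for net in MONITORED_NETS)

# Constructed sample log: three alerts from the laptop (192.168.0.105), one
# unrelated alert from another host, and one garbage line that must be skipped.
SAMPLE_LOG = [
    "10/05-14:22:31.102938  [**] [1:1228:7] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.0.105:44231 -> 10.0.0.1:80",
    "10/05-14:22:31.204512  [**] [1:469:4] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.0.105 -> 10.0.0.25",
    "10/05-14:22:33.551200  [**] [1:1228:7] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.0.105:44231 -> 192.168.0.1:22",
    "not an alert line, should be ignored",
    "10/05-14:22:40.000001  [**] [1:9999999:1] EXAMPLE unrelated alert [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.50:80 -> 10.0.0.1:53012",
]

if __name__ == "__main__":
    summary = summarize_scan(SAMPLE_LOG, "192.168.0.105")
    print(dict(summary), "both subnets covered:", both_subnets_seen(summary))
```

On a real sensor, replace SAMPLE_LOG with the lines of the fast.log file and the laptop's actual address; an empty bucket for one range tells you the mirror port is not seeing that traffic.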
And that's all there is to it.