@gamba
Last active January 18, 2021 18:13
Merging two network flows (VLAN tagged and untagged) from a switch mirror port and using them as input for (multiple) IDS.

Initial situation

  • A port on a switch is configured as port mirroring (SPAN) for the purpose of analyzing network traffic.
  • Due to the characteristics of the switch and its configuration, the flow delivered by the SPAN port for analysis is 802.1Q untagged in one direction and tagged in the other.
  • The data flow coming from the switch should be merged into a single (802.1Q untagged) flow, and it must not be sent back to the switch.

Tip

  • The IDS host receives the port-mirrored flow on ens1f0: RX tagged flow + TX untagged flow.
  • The interface ens1f0.40 gets only the tagged flow (RX) and untags it.
  • Bridge br1 joins all three network flows: RX tagged flow (ens1f0) + TX untagged flow (ens1f0) + ens1f0.40 (the same RX flow, but untagged).
  • ebtables drops all 802.1Q tagged frames on br1.
  • ebtables drops all frames that would be transmitted back to the switch.
Netplan configuration (ens1f0 and its VLAN 40 sub-interface are both enslaved to br1):

```yaml
network:
  ethernets:
    ens1f0:
      dhcp4: false
  vlans:
    ens1f0.40:
      id: 40
      link: ens1f0
  bridges:
    br1:
      interfaces: [ ens1f0, ens1f0.40 ]
  version: 2
```
Bridge and ebtables setup script:

```sh
#!/bin/sh
# Configure BR1: ageing time 0 so learned MAC entries are not kept and every
# frame is flooded to all ports (hub-like behaviour for the IDS), and no
# forwarding delay so mirrored frames are delivered immediately.
brctl setageing br1 0
brctl setfd br1 0
# DROP all 802.1Q tagged frames entering BR1, leaving only the untagged copies:
# ens1f0 (TX untagged) + ens1f0.40 (RX untagged).
# In ebtables, -i matches the physical ingress port; the bridge itself is
# matched with --logical-in.
ebtables -t broute -A BROUTING -p 802_1Q --logical-in br1 -j DROP
# DROP all frames that BR1 would transmit back to the switch
ebtables -t nat -A POSTROUTING -o ens1f0 -j DROP
ebtables -t nat -A POSTROUTING -o ens1f0.40 -j DROP
```
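To check the result on the IDS side, here is an added verification helper (my addition, not part of the gist): it summarises a capture taken with `tcpdump -e -nn -i br1` and reports whether any 802.1Q tagged frame still reaches the bridge. The sample capture lines, MAC and IP addresses are constructed.

```sh
#!/bin/sh
# Added helper (not from the gist): summarise "tcpdump -e -nn" text output and
# count frames that still carry an 802.1Q tag. On br1, after the ebtables
# BROUTING rule, the tagged count should be 0 while both directions
# (RX copy via ens1f0.40 and TX untagged via ens1f0) are still present.

# Constructed sample lines in tcpdump -e -nn format (addresses are made up).
SAMPLE_CAPTURE=$(cat <<'EOF'
12:00:00.000001 02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype 802.1Q (0x8100), length 102: vlan 40, p 0, ethertype IPv4 (0x0800), 10.0.40.5.443 > 10.0.40.9.51000: Flags [P.], length 44
12:00:00.000002 02:00:00:00:00:02 > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 98: 10.0.40.9.51000 > 10.0.40.5.443: Flags [.], length 0
12:00:00.000003 02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 98: 10.0.40.5.443 > 10.0.40.9.51000: Flags [P.], length 44
12:00:00.000004 02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype 802.1Q (0x8100), length 102: vlan 50, p 0, ethertype IPv4 (0x0800), 10.0.50.1.80 > 10.0.50.2.40000: Flags [S], length 0
EOF
)

# Number of frames that still carry a VLAN tag (prints an integer).
count_tagged() {
    printf '%s\n' "$1" | grep -c 'ethertype 802.1Q'
}

# Number of untagged frames (prints an integer).
count_untagged() {
    printf '%s\n' "$1" | grep -vc 'ethertype 802.1Q'
}

# Distinct VLAN ids seen on tagged frames, one per line, numerically sorted.
vlan_ids() {
    printf '%s\n' "$1" | awk '/ethertype 802.1Q/ {
        for (i = 1; i <= NF; i++)
            if ($i == "vlan") { id = $(i + 1); sub(/,$/, "", id); print id }
    }' | sort -n | uniq
}

# Verdict for a capture taken on br1: OK when no tagged frame got through,
# LEAK otherwise (the BROUTING rule is missing or does not match).
br1_verdict() {
    if [ "$(count_tagged "$1")" -eq 0 ]; then echo OK; else echo LEAK; fi
}

if [ "${1:-}" = "--demo" ]; then
    echo "tagged:   $(count_tagged "$SAMPLE_CAPTURE")"
    echo "untagged: $(count_untagged "$SAMPLE_CAPTURE")"
    echo "vlans:    $(vlan_ids "$SAMPLE_CAPTURE" | tr '\n' ' ')"
    echo "verdict:  $(br1_verdict "$SAMPLE_CAPTURE")"
fi
```

Run it as `sh check_br1.sh --demo` against the built-in sample, or feed it a real capture file by replacing SAMPLE_CAPTURE with `$(cat capture.txt)`.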