One day, while I watched my router's led blinking, I just wondered "What is happening on my wire ?"
From this point, I decided to check it by my self. And now my goal is to give you a simple but powerful tool to monitor you network again malicious behavious and emerging threats.
It is composed of two containers :
- probe : it captures network traffic and convert it into CSV file
- analytics : it takes CSV file and process it.
The analytics is not currently working but it is planned.
You must be aware of what you are doing. In any case I could not be held responsible. In particulary, you should be aware of :
- The probe will store all data available on the wire and it converts it into metadata. It means you can see things and stuffs you would not had seen. Even if many data are today ciphers, dns are not so porn sites or extra marital dating sites will be stored.
- In some country, doing that may be illegal.
- This probe was designed to be cheap and easy to do. I don't think it can manage 100 Mbs network at full speed.
- Even experts may miss attacks on a network so do not imagine that an algorithm is perfect. The better protection you may have is yourself !
You have been warned, so now let's play :)
At first you must have this stuff :
- a raspberry pi 3 board (I hadn't tested other board)
- a 16 Gb board
- a good - reliable - power supply
- two usb to ethernet adapters
- optionnal but highly recommanded : a usb key or an usb hard drive
You shouldn't NOT use the SD card as a storage. It is very slow, unefficient and you will dramatically decrease its life time.
I am using Rasbian lite and the installation process is well explained.
A good tips is about booting without HDMI : set hdmi_force_hotplug=1 in config.txt before insert it.
By default, ssh is enable with user=pi and password=raspberry.
I try to make thing as easy as possible. I use Docker but I would also need to use Ainsible the front line installation.
I will do in a future. Sorry.
Many strategies exist - in your case - to capture the traffic :
-
TAP (Test Acces Point) : on you internet connection, you can put a TAP that copy bit by bit data on the wire. DIY version can me found here. Warning : this type of equipment may be classifed as weaponary in some country !
-
Bridge : by using two network interfaces you make an almost transparent connection.
-
Routing : About the same as bridge bu not transparent; using iptable you can add rules for routing and even rules to protect you network (see IDS vs IPS).
-
Port mirroring : some routers can make port mirroring
For my needs, I decided to use bridge version. It is the simplest in this case and do not need specific stuff. You can test other configuration if you are curious (IMO it's very interesting !).
So how to make a network bridge ? At first plug both USB to ethernet adapters; Then ifconfig : you should see eth0, eth1 and eth2, at least. At last, do :
- install bridge-utils
- add this to /etc/network/interfaces :
auto br0 iface br0 inet dhcp bridge_ports eth1 eth2 bridge_stp off bridge_waitport 0 bridge_fd 0 bridge_maxwait 0
- service network restart
- check that br0 is existing with ifconfig
Now you can man-in-the-middle you internet traffic. Check that you still have an internet connection.
As I explained in the hardware listing, you should have an external storage. In my case I use an USB key - not the best choice - as storage. To mount it, I do :
- mkdir /data
- Add to /etc/fstab :
/dev/sda1 /data/ ext4 defaults 0 0
You can also make a SSHFS to a NAS for example if you want. I love SSHFS. A great thank you to SSHFS team - you make my day every day.
You need to install docker. For that, as root :
- wget on https://get.docker.com/
- run the script
- gpasswd -a pi docker
- service docker restart
- logout and login as pi
A makefile should be added to make it easier. For both components, go to its directory and docker build -it {probe,analytics} ..
You can clone on you desktop or on raspberry directory but do not try to build an image on you desktop ("oh great, i will use docker {load,save}" - Nope) : the instruction set (ARM vs X86) is different. You will have to build it on you raspberry and it takes many time !
It is quiet easy :
docker run -d -p 9001:9001 --cap-add=NET_ADMIN --net=host -v /data:/data -it probe
Now on 127.0.0.1:9001, you can watch the supervisor interface : both capture and process is running.
The directory /data/csv/yyyy-mm-dd/ will contains .csv file.
TODO