EasyIDS or Snort requires a SPAN port or a network TAP to capture traffic from the outside or inside world. A DIY network TAP only works for 10/100M traffic. If you are using a gigabit network, you need to buy a commercial TAP. However, it is very hard to buy a network TAP in Hong Kong.
The good news is that OpenBSD solves this problem. You can make a gigabit network TAP very easily with OpenBSD and 3 network interfaces. I suggest buying 2 network cards with an identical chipset and one with a different chipset. For example, I bought 2 Planet Realtek network cards and one D-Link. The D-Link network card is for capturing the data flow.
Step 1 :
Install OpenBSD 4.4 (the current version at the time of this writing) as is. The instructions can be found at the official website http://www.openbsd.org. The Realtek cards are named “re0” and “re1”, while the D-Link card is “sk0”. Assign the IP 192.168.5.1 to “re0”, 192.168.5.2 to “re1” and 192.168.5.10 to “sk0”. A time server is not required.
Step 2 :
Log in as root. Issue the following commands :
ifconfig bridge0 create
brconfig bridge0 add re0 add re1 up
brconfig bridge0 addspan sk0
Step 3 :
Connect the ZeroShell and ISP/ADSL to the Planet cards of the OpenBSD box. Connect the EasyIDS network card that has no IP to the D-Link card.
That’s all.
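The bridge created in Step 2 is runtime state and is gone after a reboot. As an added example (not part of the original post), the shell function below writes the same three settings to /etc/bridgename.bridge0, on the assumption that OpenBSD 4.4's /etc/netstart passes each line of that file to brconfig at boot; the function name and its ROOT argument are made up for illustration.

```shell
#!/bin/sh
# Added example: persist the TAP bridge from Step 2 across reboots.
# Assumption: OpenBSD 4.4's /etc/netstart runs "brconfig bridge0 <line>"
# for every line of /etc/bridgename.bridge0.

# write_tap_config ROOT MEMBER_A MEMBER_B SPAN
#   ROOT (hypothetical parameter) is "" on the live box, or a scratch
#   directory for a dry run. Prints the path of the file it wrote.
write_tap_config() {
    root=$1 a=$2 b=$3 span=$4

    if [ -z "$a" ] || [ -z "$b" ] || [ -z "$span" ]; then
        echo "usage: write_tap_config ROOT MEMBER_A MEMBER_B SPAN" >&2
        return 2
    fi

    # The span port only receives copies of bridged frames, so it must not
    # also be one of the two forwarding members.
    if [ "$a" = "$b" ] || [ "$span" = "$a" ] || [ "$span" = "$b" ]; then
        echo "error: members and span port must be three different interfaces" >&2
        return 1
    fi

    # Accept only driver-name-plus-unit strings (re0, sk0, ...), so nothing
    # unexpected ends up in a file that is read as root at boot.
    for ifn in "$a" "$b" "$span"; do
        case $ifn in
            *[!a-z0-9]*|[0-9]*) echo "error: bad interface name: $ifn" >&2; return 1 ;;
            *[0-9]) ;;
            *) echo "error: bad interface name: $ifn" >&2; return 1 ;;
        esac
    done

    mkdir -p "$root/etc" || return 1
    conf=$root/etc/bridgename.bridge0

    # Same order as the commands typed in Step 2: members, span port, up.
    printf 'add %s\nadd %s\naddspan %s\nup\n' "$a" "$b" "$span" > "$conf" || return 1
    chmod 0640 "$conf" || return 1
    echo "$conf"
}

# On the OpenBSD box, as root:
#   write_tap_config "" re0 re1 sk0
```

Run it against a scratch directory first and read the generated file before writing to the real /etc.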