How to connect a Raspberry Pi IDS to the home router to detect intrusions network wide?












1















I'm configuring a raspberry pi IDS/IPS with ELK stack on a separate machine, my problem is to connecting it to the router in a way it can read traffic on the whole network and drop the suspicious packets.



The way I came up with is to configure Pi as a network gateway, connect it to the router through the Ethernet and force all the devices through that. I was wondering if there is a better solution.










share|improve this question





























    1















    I'm configuring a raspberry pi IDS/IPS with ELK stack on a separate machine, my problem is to connecting it to the router in a way it can read traffic on the whole network and drop the suspicious packets.



    The way I came up with is to configure Pi as a network gateway, connect it to the router through the Ethernet and force all the devices through that. I was wondering if there is a better solution.










    share|improve this question



























      1












      1








      1








      I'm configuring a raspberry pi IDS/IPS with ELK stack on a separate machine, my problem is to connecting it to the router in a way it can read traffic on the whole network and drop the suspicious packets.



      The way I came up with is to configure Pi as a network gateway, connect it to the router through the Ethernet and force all the devices through that. I was wondering if there is a better solution.










      share|improve this question
















      I'm configuring a raspberry pi IDS/IPS with ELK stack on a separate machine, my problem is to connecting it to the router in a way it can read traffic on the whole network and drop the suspicious packets.



      The way I came up with is to configure Pi as a network gateway, connect it to the router through the Ethernet and force all the devices through that. I was wondering if there is a better solution.







      network ids raspberry-pi






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Jan 14 at 10:21







      Vidura supun

















      asked Jan 14 at 6:37









      Vidura supunVidura supun

      83




      83






















          2 Answers
          2






          active

          oldest

          votes


















          4














          If you want to passively monitor the whole network a monitor port on the router or similar would be sufficient - although most common home routers (the ones with WLAN and cable/DSL modem in it) don't have anything like this.



          If you want to monitor data and also actively block traffic the IDS has to be in the path of the traffic. This means it either needs to be setup as the gateway for all systems in the internal network and then forward the traffic to the router, or the router remains the gateway but the IDS is between the router and the ISP. In the latter case the Raspi needs to care about the ISP connectivity too, i.e. it needs to have the physical ability (which might require a DSL, cable or FFTH modem depending on the kind of connectivity to the ISP you have) and also have the login information, can speak PPPoE or whatever protocol is required for the ISP etc.



          So your current idea of setting up Raspi as the network gateway is likely the easiest to implement way. But, as Josef noted in a comment: it should be setup in a way that users simply cannot bypass the IDS just by changing the gateway. This would be best achieved by having the router/modem physically behind the Raspi so that no internal system could be directly reach it and thus the only way for any internal system to the router/modem and then to the internet is through the Raspi.






          share|improve this answer


























          • Could you include in the answer the performance impact of putting the Pi as a gateway VS passive monitoring? I don't know how much throughput a Pi can handle but with a 100Mbps-1Gbps fiber connection for instance, I suspect it would be a serious bottleneck.

            – zakinster
            Jan 14 at 10:08













          • I think I would go with the Pi between router and internal network because it requires minimum configuration. Since I'm having bit of a performance problem running IDS in pi. Thank you for your clarification.

            – Vidura supun
            Jan 14 at 10:15











          • @zakinster: Please don't ask a new question (performance impact of active vs. passive) as a comment but ask a new question instead. In general: the performance impact of active mode depends on the model of Raspi, the specific configuration of snort like the depth of inspection and the amount of rules and the amount of traffic in the network. Passive mode never has a performance impact since the original traffic does not pass through the Raspi but it just gets duplicated there. Of course, Raspi might just loose traffic for analysis in this case.

            – Steffen Ullrich
            Jan 14 at 10:38








          • 1





            @Josef: good point. I've integrated this into the answer.

            – Steffen Ullrich
            Jan 14 at 13:08











          • Snort has the ability to terminate connections by sending a forged RST packet to both ends. This shouldn’t require routing all traffic through the pi. I believe it could be monitored on a passive mirrored port, and the resets sent through a second adapter to an active port.

            – John Deters
            Jan 14 at 13:24



















          -1














          Just connect your Raspberry Pi with an ethernet cable to your home router and get it to monitor local network traffic. Should work similar to the Snort NIDS, listening in on all local traffic in promiscuous mode.



          How to set up mirror ports on various open source consumer router firmware






          share|improve this answer





















          • 4





            "and get it to monitor local network traffic" that's not a trivial task and is the part that needs a lot more explaining. Also, you do not explain how to drop packets. Can you expand this answer?

            – schroeder
            Jan 14 at 9:22











          • I updated my question to usage of Pi as IDS/IPS, even though I stated packet dropping later. Promiscuous mode is a viable solution for only an IDS as it inspects a copy of traffic but i think this will solve the bottleneck problem stated above

            – Vidura supun
            Jan 14 at 10:26











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "162"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          noCode: true, onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f201417%2fhow-to-connect-a-raspberry-pi-ids-to-the-home-router-to-detect-intrusions-networ%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          2 Answers
          2






          active

          oldest

          votes








          2 Answers
          2






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          4














          If you want to passively monitor the whole network a monitor port on the router or similar would be sufficient - although most common home routers (the ones with WLAN and cable/DSL modem in it) don't have anything like this.



          If you want to monitor data and also actively block traffic the IDS has to be in the path of the traffic. This means it either needs to be setup as the gateway for all systems in the internal network and then forward the traffic to the router, or the router remains the gateway but the IDS is between the router and the ISP. In the latter case the Raspi needs to care about the ISP connectivity too, i.e. it needs to have the physical ability (which might require a DSL, cable or FFTH modem depending on the kind of connectivity to the ISP you have) and also have the login information, can speak PPPoE or whatever protocol is required for the ISP etc.



          So your current idea of setting up Raspi as the network gateway is likely the easiest to implement way. But, as Josef noted in a comment: it should be setup in a way that users simply cannot bypass the IDS just by changing the gateway. This would be best achieved by having the router/modem physically behind the Raspi so that no internal system could be directly reach it and thus the only way for any internal system to the router/modem and then to the internet is through the Raspi.






          share|improve this answer


























          • Could you include in the answer the performance impact of putting the Pi as a gateway VS passive monitoring? I don't know how much throughput a Pi can handle but with a 100Mbps-1Gbps fiber connection for instance, I suspect it would be a serious bottleneck.

            – zakinster
            Jan 14 at 10:08













          • I think I would go with the Pi between router and internal network because it requires minimum configuration. Since I'm having bit of a performance problem running IDS in pi. Thank you for your clarification.

            – Vidura supun
            Jan 14 at 10:15











          • @zakinster: Please don't ask a new question (performance impact of active vs. passive) as a comment but ask a new question instead. In general: the performance impact of active mode depends on the model of Raspi, the specific configuration of snort like the depth of inspection and the amount of rules and the amount of traffic in the network. Passive mode never has a performance impact since the original traffic does not pass through the Raspi but it just gets duplicated there. Of course, Raspi might just loose traffic for analysis in this case.

            – Steffen Ullrich
            Jan 14 at 10:38








          • 1





            @Josef: good point. I've integrated this into the answer.

            – Steffen Ullrich
            Jan 14 at 13:08











          • Snort has the ability to terminate connections by sending a forged RST packet to both ends. This shouldn’t require routing all traffic through the pi. I believe it could be monitored on a passive mirrored port, and the resets sent through a second adapter to an active port.

            – John Deters
            Jan 14 at 13:24
















          4














          If you want to passively monitor the whole network a monitor port on the router or similar would be sufficient - although most common home routers (the ones with WLAN and cable/DSL modem in it) don't have anything like this.



          If you want to monitor data and also actively block traffic the IDS has to be in the path of the traffic. This means it either needs to be setup as the gateway for all systems in the internal network and then forward the traffic to the router, or the router remains the gateway but the IDS is between the router and the ISP. In the latter case the Raspi needs to care about the ISP connectivity too, i.e. it needs to have the physical ability (which might require a DSL, cable or FFTH modem depending on the kind of connectivity to the ISP you have) and also have the login information, can speak PPPoE or whatever protocol is required for the ISP etc.



          So your current idea of setting up Raspi as the network gateway is likely the easiest to implement way. But, as Josef noted in a comment: it should be setup in a way that users simply cannot bypass the IDS just by changing the gateway. This would be best achieved by having the router/modem physically behind the Raspi so that no internal system could be directly reach it and thus the only way for any internal system to the router/modem and then to the internet is through the Raspi.






          share|improve this answer


























          • Could you include in the answer the performance impact of putting the Pi as a gateway VS passive monitoring? I don't know how much throughput a Pi can handle but with a 100Mbps-1Gbps fiber connection for instance, I suspect it would be a serious bottleneck.

            – zakinster
            Jan 14 at 10:08













          • I think I would go with the Pi between router and internal network because it requires minimum configuration. Since I'm having bit of a performance problem running IDS in pi. Thank you for your clarification.

            – Vidura supun
            Jan 14 at 10:15











          • @zakinster: Please don't ask a new question (performance impact of active vs. passive) as a comment but ask a new question instead. In general: the performance impact of active mode depends on the model of Raspi, the specific configuration of snort like the depth of inspection and the amount of rules and the amount of traffic in the network. Passive mode never has a performance impact since the original traffic does not pass through the Raspi but it just gets duplicated there. Of course, Raspi might just loose traffic for analysis in this case.

            – Steffen Ullrich
            Jan 14 at 10:38








          • 1





            @Josef: good point. I've integrated this into the answer.

            – Steffen Ullrich
            Jan 14 at 13:08











          • Snort has the ability to terminate connections by sending a forged RST packet to both ends. This shouldn’t require routing all traffic through the pi. I believe it could be monitored on a passive mirrored port, and the resets sent through a second adapter to an active port.

            – John Deters
            Jan 14 at 13:24














          4












          4








          4







          If you want to passively monitor the whole network a monitor port on the router or similar would be sufficient - although most common home routers (the ones with WLAN and cable/DSL modem in it) don't have anything like this.



          If you want to monitor data and also actively block traffic the IDS has to be in the path of the traffic. This means it either needs to be setup as the gateway for all systems in the internal network and then forward the traffic to the router, or the router remains the gateway but the IDS is between the router and the ISP. In the latter case the Raspi needs to care about the ISP connectivity too, i.e. it needs to have the physical ability (which might require a DSL, cable or FFTH modem depending on the kind of connectivity to the ISP you have) and also have the login information, can speak PPPoE or whatever protocol is required for the ISP etc.



          So your current idea of setting up Raspi as the network gateway is likely the easiest to implement way. But, as Josef noted in a comment: it should be setup in a way that users simply cannot bypass the IDS just by changing the gateway. This would be best achieved by having the router/modem physically behind the Raspi so that no internal system could be directly reach it and thus the only way for any internal system to the router/modem and then to the internet is through the Raspi.






          share|improve this answer















          If you want to passively monitor the whole network a monitor port on the router or similar would be sufficient - although most common home routers (the ones with WLAN and cable/DSL modem in it) don't have anything like this.



          If you want to monitor data and also actively block traffic the IDS has to be in the path of the traffic. This means it either needs to be setup as the gateway for all systems in the internal network and then forward the traffic to the router, or the router remains the gateway but the IDS is between the router and the ISP. In the latter case the Raspi needs to care about the ISP connectivity too, i.e. it needs to have the physical ability (which might require a DSL, cable or FFTH modem depending on the kind of connectivity to the ISP you have) and also have the login information, can speak PPPoE or whatever protocol is required for the ISP etc.



          So your current idea of setting up Raspi as the network gateway is likely the easiest to implement way. But, as Josef noted in a comment: it should be setup in a way that users simply cannot bypass the IDS just by changing the gateway. This would be best achieved by having the router/modem physically behind the Raspi so that no internal system could be directly reach it and thus the only way for any internal system to the router/modem and then to the internet is through the Raspi.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Jan 14 at 13:07

























          answered Jan 14 at 7:44









          Steffen UllrichSteffen Ullrich

          115k13199264




          115k13199264













          • Could you include in the answer the performance impact of putting the Pi as a gateway VS passive monitoring? I don't know how much throughput a Pi can handle but with a 100Mbps-1Gbps fiber connection for instance, I suspect it would be a serious bottleneck.

            – zakinster
            Jan 14 at 10:08













          • I think I would go with the Pi between router and internal network because it requires minimum configuration. Since I'm having bit of a performance problem running IDS in pi. Thank you for your clarification.

            – Vidura supun
            Jan 14 at 10:15











          • @zakinster: Please don't ask a new question (performance impact of active vs. passive) as a comment but ask a new question instead. In general: the performance impact of active mode depends on the model of Raspi, the specific configuration of snort like the depth of inspection and the amount of rules and the amount of traffic in the network. Passive mode never has a performance impact since the original traffic does not pass through the Raspi but it just gets duplicated there. Of course, Raspi might just loose traffic for analysis in this case.

            – Steffen Ullrich
            Jan 14 at 10:38








          • 1





            @Josef: good point. I've integrated this into the answer.

            – Steffen Ullrich
            Jan 14 at 13:08











          • Snort has the ability to terminate connections by sending a forged RST packet to both ends. This shouldn’t require routing all traffic through the pi. I believe it could be monitored on a passive mirrored port, and the resets sent through a second adapter to an active port.

            – John Deters
            Jan 14 at 13:24



















          • Could you include in the answer the performance impact of putting the Pi as a gateway VS passive monitoring? I don't know how much throughput a Pi can handle but with a 100Mbps-1Gbps fiber connection for instance, I suspect it would be a serious bottleneck.

            – zakinster
            Jan 14 at 10:08













          • I think I would go with the Pi between router and internal network because it requires minimum configuration. Since I'm having bit of a performance problem running IDS in pi. Thank you for your clarification.

            – Vidura supun
            Jan 14 at 10:15











          • @zakinster: Please don't ask a new question (performance impact of active vs. passive) as a comment but ask a new question instead. In general: the performance impact of active mode depends on the model of Raspi, the specific configuration of snort like the depth of inspection and the amount of rules and the amount of traffic in the network. Passive mode never has a performance impact since the original traffic does not pass through the Raspi but it just gets duplicated there. Of course, Raspi might just loose traffic for analysis in this case.

            – Steffen Ullrich
            Jan 14 at 10:38








          • 1





            @Josef: good point. I've integrated this into the answer.

            – Steffen Ullrich
            Jan 14 at 13:08











          • Snort has the ability to terminate connections by sending a forged RST packet to both ends. This shouldn’t require routing all traffic through the pi. I believe it could be monitored on a passive mirrored port, and the resets sent through a second adapter to an active port.

            – John Deters
            Jan 14 at 13:24

















          Could you include in the answer the performance impact of putting the Pi as a gateway VS passive monitoring? I don't know how much throughput a Pi can handle but with a 100Mbps-1Gbps fiber connection for instance, I suspect it would be a serious bottleneck.

          – zakinster
          Jan 14 at 10:08







          Could you include in the answer the performance impact of putting the Pi as a gateway VS passive monitoring? I don't know how much throughput a Pi can handle but with a 100Mbps-1Gbps fiber connection for instance, I suspect it would be a serious bottleneck.

          – zakinster
          Jan 14 at 10:08















          I think I would go with the Pi between router and internal network because it requires minimum configuration. Since I'm having bit of a performance problem running IDS in pi. Thank you for your clarification.

          – Vidura supun
          Jan 14 at 10:15





          I think I would go with the Pi between router and internal network because it requires minimum configuration. Since I'm having bit of a performance problem running IDS in pi. Thank you for your clarification.

          – Vidura supun
          Jan 14 at 10:15













          @zakinster: Please don't ask a new question (performance impact of active vs. passive) as a comment but ask a new question instead. In general: the performance impact of active mode depends on the model of Raspi, the specific configuration of snort like the depth of inspection and the amount of rules and the amount of traffic in the network. Passive mode never has a performance impact since the original traffic does not pass through the Raspi but it just gets duplicated there. Of course, Raspi might just loose traffic for analysis in this case.

          – Steffen Ullrich
          Jan 14 at 10:38







          @zakinster: Please don't ask a new question (performance impact of active vs. passive) as a comment but ask a new question instead. In general: the performance impact of active mode depends on the model of Raspi, the specific configuration of snort like the depth of inspection and the amount of rules and the amount of traffic in the network. Passive mode never has a performance impact since the original traffic does not pass through the Raspi but it just gets duplicated there. Of course, Raspi might just loose traffic for analysis in this case.

          – Steffen Ullrich
          Jan 14 at 10:38






          1




          1





          @Josef: good point. I've integrated this into the answer.

          – Steffen Ullrich
          Jan 14 at 13:08





          @Josef: good point. I've integrated this into the answer.

          – Steffen Ullrich
          Jan 14 at 13:08













          Snort has the ability to terminate connections by sending a forged RST packet to both ends. This shouldn’t require routing all traffic through the pi. I believe it could be monitored on a passive mirrored port, and the resets sent through a second adapter to an active port.

          – John Deters
          Jan 14 at 13:24





          Snort has the ability to terminate connections by sending a forged RST packet to both ends. This shouldn’t require routing all traffic through the pi. I believe it could be monitored on a passive mirrored port, and the resets sent through a second adapter to an active port.

          – John Deters
          Jan 14 at 13:24













          -1














          Just connect your Raspberry Pi with an ethernet cable to your home router and get it to monitor local network traffic. Should work similar to the Snort NIDS, listening in on all local traffic in promiscuous mode.



          How to set up mirror ports on various open source consumer router firmware






          share|improve this answer





















          • 4





            "and get it to monitor local network traffic" that's not a trivial task and is the part that needs a lot more explaining. Also, you do not explain how to drop packets. Can you expand this answer?

            – schroeder
            Jan 14 at 9:22











          • I updated my question to usage of Pi as IDS/IPS, even though I stated packet dropping later. Promiscuous mode is a viable solution for only an IDS as it inspects a copy of traffic but i think this will solve the bottleneck problem stated above

            – Vidura supun
            Jan 14 at 10:26
















          -1














          Just connect your Raspberry Pi with an ethernet cable to your home router and get it to monitor local network traffic. Should work similar to the Snort NIDS, listening in on all local traffic in promiscuous mode.



          How to set up mirror ports on various open source consumer router firmware






          share|improve this answer





















          • 4





            "and get it to monitor local network traffic" that's not a trivial task and is the part that needs a lot more explaining. Also, you do not explain how to drop packets. Can you expand this answer?

            – schroeder
            Jan 14 at 9:22











          • I updated my question to usage of Pi as IDS/IPS, even though I stated packet dropping later. Promiscuous mode is a viable solution for only an IDS as it inspects a copy of traffic but i think this will solve the bottleneck problem stated above

            – Vidura supun
            Jan 14 at 10:26














          -1












          -1








          -1







          Just connect your Raspberry Pi with an ethernet cable to your home router and get it to monitor local network traffic. Should work similar to the Snort NIDS, listening in on all local traffic in promiscuous mode.



          How to set up mirror ports on various open source consumer router firmware






          share|improve this answer















          Just connect your Raspberry Pi with an ethernet cable to your home router and get it to monitor local network traffic. Should work similar to the Snort NIDS, listening in on all local traffic in promiscuous mode.



          How to set up mirror ports on various open source consumer router firmware







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Jan 14 at 10:36









          schroeder

          73.6k29160195




          73.6k29160195










          answered Jan 14 at 8:56









          Hild ForseteHild Forsete

          11




          11








          • 4





            "and get it to monitor local network traffic" that's not a trivial task and is the part that needs a lot more explaining. Also, you do not explain how to drop packets. Can you expand this answer?

            – schroeder
            Jan 14 at 9:22











          • I updated my question to usage of Pi as IDS/IPS, even though I stated packet dropping later. Promiscuous mode is a viable solution for only an IDS as it inspects a copy of traffic but i think this will solve the bottleneck problem stated above

            – Vidura supun
            Jan 14 at 10:26














          • 4





            "and get it to monitor local network traffic" that's not a trivial task and is the part that needs a lot more explaining. Also, you do not explain how to drop packets. Can you expand this answer?

            – schroeder
            Jan 14 at 9:22











          • I updated my question to usage of Pi as IDS/IPS, even though I stated packet dropping later. Promiscuous mode is a viable solution for only an IDS as it inspects a copy of traffic but i think this will solve the bottleneck problem stated above

            – Vidura supun
            Jan 14 at 10:26








          4




          4





          "and get it to monitor local network traffic" that's not a trivial task and is the part that needs a lot more explaining. Also, you do not explain how to drop packets. Can you expand this answer?

          – schroeder
          Jan 14 at 9:22





          "and get it to monitor local network traffic" that's not a trivial task and is the part that needs a lot more explaining. Also, you do not explain how to drop packets. Can you expand this answer?

          – schroeder
          Jan 14 at 9:22













          I updated my question to usage of Pi as IDS/IPS, even though I stated packet dropping later. Promiscuous mode is a viable solution for only an IDS as it inspects a copy of traffic but i think this will solve the bottleneck problem stated above

          – Vidura supun
          Jan 14 at 10:26





          I updated my question to usage of Pi as IDS/IPS, even though I stated packet dropping later. Promiscuous mode is a viable solution for only an IDS as it inspects a copy of traffic but i think this will solve the bottleneck problem stated above

          – Vidura supun
          Jan 14 at 10:26


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Information Security Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f201417%2fhow-to-connect-a-raspberry-pi-ids-to-the-home-router-to-detect-intrusions-networ%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          How to change which sound is reproduced for terminal bell?

          Can I use Tabulator js library in my java Spring + Thymeleaf project?

          Title Spacing in Bjornstrup Chapter, Removing Chapter Number From Contents