After attending BSides Chicago 2015 and hearing all the good things about Security Onion, I decided to give Security Onion a try. Now, I’ve got Google Fiber with blazing fast speeds (oh yes), so I did not want to use a 10/100 tap that would limit my network speeds. I did find a Netgear GS108T switch in my computer heaven (that’s where all the computer parts go after I’ve given up on Craigslist offers). So here is my quick rundown of how to use a Netgear GS108T as a network tap:
There are 8 ports on this switch. My wiring is as follows:
- Port 2 -> Connects to my router and serves as the source port for our mirroring setup.
- Port 3 -> Mirrors the port above and serves Security Onion’s monitor interface.
- Port 4 -> Serves all network traffic. Keeps the packets flowing.
With Netgear’s web GUI opened up, navigate to Monitoring > Port Mirroring:
Now select your source port and you will see the Source Port box auto-populate. In Destination Port, type your destination port. In my setup, Source Port is g2 and Destination Port is g3. After this, set Session Mode to Enabled and Direction to your choice. I chose Rx and Tx (received and sent packets).
Click Apply to submit changes and you are all set.
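To confirm the mirror is delivering both directions to the sensor, here is an added check (not part of the original setup) that classifies `tcpdump -e -nn` output by the router's MAC address. The function name, the interface name `eth1`, and the sample MAC and IP addresses are assumptions made for the example.

```shell
#!/bin/sh
# Classify `tcpdump -e -nn` lines relative to the router's MAC address.
# The router sits on the mirrored source port (g2 in the setup above), so:
#   src MAC == router -> frame the switch received on that port (Rx)
#   dst MAC == router -> frame the switch sent out that port (Tx)
# Prints one of: both, rx-only, tx-only, none.
mirror_directions() {
    router_mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    awk -v r="$router_mac" '
        $3 == ">" {                       # line carries a link-level header
            src = tolower($2)
            dst = tolower($4); sub(/,$/, "", dst)
            if (src == r) rx++
            else if (dst == r) tx++
        }
        END {
            if (rx && tx) print "both"
            else if (rx)  print "rx-only"
            else if (tx)  print "tx-only"
            else          print "none"
        }'
}

# Constructed sample lines (not a real capture); MACs and IPs are made up.
SAMPLE='12:00:00.000001 02:00:00:aa:bb:01 > 02:00:00:00:00:fe, ethertype IPv4 (0x0800), length 74: 192.168.1.10.51514 > 203.0.113.5.443: Flags [S], length 0
12:00:00.020114 02:00:00:00:00:fe > 02:00:00:aa:bb:01, ethertype IPv4 (0x0800), length 74: 203.0.113.5.443 > 192.168.1.10.51514: Flags [S.], length 0'

# Run the classifier over the constructed sample.
sample_result() {
    printf '%s\n' "$SAMPLE" | mirror_directions 02:00:00:00:00:FE
}

# Live use on the sensor (eth1 is an assumed monitor interface name):
#   sudo tcpdump -i eth1 -e -nn -c 200 2>/dev/null | mirror_directions <router-mac>
```

A result of `rx-only` or `tx-only` means the Direction setting is mirroring only one side; `none` means no frames involving the router reached the monitor interface.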