Collaboration between Greg Foss, Kjell Hedstrom, Dan Schatz-Miller, Michael Swisher, and Craig Cogdill
LogRhythm NetMon is a powerful forensics tool that allows organizations to capture, analyze, and alert on network data. Traditionally, NetMon is deployed on a blade server within an organization’s data center.
However, there are many situations where a smaller, more tactical device is the optimal solution. NetMon Freemium provides customers with a free and easy way to deploy NetMon on a small and compact system. This is ideal for the home network, branch offices, forensic go-kits, penetration testing drop boxes, and much more.
You might be wondering: how easy it is to deploy NetMon? To demonstrate, we decided to build a miniature device ourselves.
With the release of NetMon version 3 and the Freemium license, the hardware requirements have been scaled back significantly, to allow for installation on a diverse array of systems.
NetMon requirements are as follows:
For this project, we used the QOTOM-Q190G4 — a small, portable, fan-less, micro-PC. This is a Quad Core system that comes with a 2GHz CPU, 8GB RAM, four Ethernet ports, two USB ports, a VGA port, and two Wi-Fi NIC’s. The computer itself is passively cooled as the whole chassis is a heat-sink. This results in a silent solution that manages low temperatures under full load. This is ideal for a home network or small satellite office.
Figure 1: Micro-PC hardware specifications
The next piece of hardware you need is the passive network tap. We used the Throwing Star LAN Tap available from the Hak5 Shop. These small and simple network taps allow for monitoring of small 10BASE-T and up to 100BASE-TX networks. There are many other and more powerful ways to do this, but we chose this route because we are primarily targeting the home network. In the future, we’d like to embed this functionality directly into the device.
Figure 2: Throwing Star LAN Tap
Note that if you use a passive tap, be aware that your maximum bandwidth will not be 1 Gb/s. Most passive taps can only split up to 500Mbps without significant loss of signal.
We tested the hardware mentioned above and it works well, we also analyzed other hardware options. Nearly anything with comparable specs will work, including Intel NUC devices, old laptops, or other hardware you might have at home.
Now that we identified the hardware, we need to get the NetMon image flashed onto the device. This sounds a bit easier than it is, so follow the steps below to ensure a successful installation.
Figure 3: Unetbootin ISO to USB configuration
Once NetMon is successfully installed onto the Micro-PC, the next phase is deployment. This can vary greatly depending on the deployment scenario, so we’ll focus on testing and validation first.
Ensure that the NetMon appliance is plugged into power and then connect the ethernet cables as shown below. ‘LAN1’ is the management interface and ‘LAN4’ is the going to be used to sniff network traffic. Refer to the picture below, which shows a basic configuration designed to sniff traffic from a single computer.
Figure 4: LAN tap configuration
Once again, we’re using a minimum of two ports. One is our “input” from the tap. The other is our “output” to the NetMon user interface (Management Interface).
Once the network interfaces have been configured, power on the NetMon device. Next, browse to the NetMon’s management interface. You will automatically redirect to port 443. From here, follow the on-screen prompts to complete the NetMon configuration.
If all goes well, you will start seeing traffic flow through momentarily.
Figure 6: Test – sniffing traffic on a single system
After testing the configuration to ensure that you’re capturing traffic is being captured, let’s translate this to a real-world scenario by configuring the Miniature NetMon on a home network.
In a home network, you’ll need a Tap, Hub, Smart Switch, or a router that supports port mirroring to capture traffic in-transit. There are countless products out there that will support these options; however, the ideal solution is to either use a Switch or configure Port Mirroring from the router directly, as this will have the least degradation on your home network’s connection speed. For optimal performance, we recommend utilizing Cat6 Ethernet cables to optimize the wired connections.
Figure 7: Example network diagram
While a mini NetMon is perfect for the home network, it can be installed just as easily in satellite office locations and small businesses.
You can also use the Mini NetMon device as a penetration testing dropbox to capture network traffic in your target network.
Figure 8: All up in your network, capturing all the packets
In a penetration-testing scenario, you will ideally want to gain access to the NetMon interface remotely. To spawn a reverse-shell that will communicate with a command and control server and allow remote access to the device, all you need to do is configure a cron job using the Python Reverse Shell by Dave Kennedy, or something similar, and configure this to use port forwarding to view the NetMon web interface. From here, you can configure Deep Packet Inspection (DPI) rules to sniff passwords, take full packet captures, pivot to other systems, and much more.
This is just the beginning. There are many more features that we’d like to add to the Mini NetMon — and that’s where we need your help. We’re looking for ideas from the security community around what their needs are, how NetMon can help solve problems they are facing, and general product improvements. Some of the additional items we brainstormed include:
If you have any suggestions, post them on the LogRhythm Community.
A healthcare identity access provider was looking for a security information and event management (SIEM)…
Security strategies are evolving; driven by regulatory requirements, customer expectations around data privacy and AI-driven…
In our April 2024 quarterly release, LogRhythm Axon showcases new enhancements from its two week…