Hi all,
I'm setting up a Security Lab to play with Snort IDS. I want to use the "Internal Network" so no traffic spills out. I plan on having a minimum of three VMs on this net: one to run Snort, one running Kali Linux and one to run Metasploitable (a deliberately vulnerable Linux distro), and I want the Snort VM to be able to view traffic between the other two. I have seen notes about having the host monitor traffic from the guests, but only for traffic going through the host. This would be as if I put a span port on the virtual switch of the Internal Network. All three can ping each other, so basic layer 2 and 3 are in place. Is this even possible?
Attached is a simple png file with the layout of the lab.
Tom
Sniffing traffic on "Internal Network"
-
tomarseneault
-
scottgus1
Re: Sniffing traffic on "Internal Network"
Should be. Simply attach all three guests to the same internal network. Use the same name for the internal network for each guest. Default is "intnet". See chapter 6 in the manual on VirtualBox's networking types.
-
tomarseneault
Re: Sniffing traffic on "Internal Network"
You would think. However, when I connect all three VMs to intnet and ping from test1 to test3 while running tcpdump on test2, I do not see the ping traffic (running tcpdump on test1 or 2 I do see the traffic, both sides). I think it is acting like a real switch, maintaining a CAM table so that you only see the traffic on the involved interfaces. GNS3 does have a hub in the switch selections, so I'm looking at using QEMU for the visualization, connecting to the hub. Not as easy or efficient as just putting the whole lab in VBox, but it may be my only choice.
Tom
-
Martin
Re: Sniffing traffic on "Internal Network"
Did you allow the "Promiscuous Mode" for the sniffer VM in the advanced settings of the network adapter?
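
The adapter setting asked about above can also be applied and checked from the host with VBoxManage. This is an added example, not part of the original thread; the VM names (snort, kali, metasploitable), the use of NIC slot 1 and the sample `showvminfo` line in the comment are assumptions, and the VMs must be powered off when `modifyvm` runs.

```shell
#!/usr/bin/env bash
# Added example: host-side setup for the three-VM lab in this thread.
# VM names and NIC slot 1 are assumptions; adjust to your own lab.

INTNET="intnet"                  # VirtualBox's default internal network name
SNIFFER="snort"                  # assumed name of the sensor VM
OTHERS="kali metasploitable"     # assumed names of the other two VMs

# Run VBoxManage, or only print the command when DRY_RUN=1.
vbm() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "VBoxManage $*"
  else
    VBoxManage "$@"
  fi
}

# Attach every lab VM to the same internal network. Only the sensor gets a
# promiscuous policy that lets it receive frames addressed to other VMs;
# the default policy (deny) is what hides that traffic from a sniffer.
configure_lab() {
  for vm in $SNIFFER $OTHERS; do
    case "$vm" in
      "$SNIFFER") policy="allow-vms" ;;
      *)          policy="deny" ;;
    esac
    vbm modifyvm "$vm" --nic1 intnet --intnet1 "$INTNET" --nicpromisc1 "$policy"
  done
}

# Read `VBoxManage showvminfo <vm>` text on stdin and print the promiscuous
# policy of NIC slot $1 (deny, allow-vms or allow-all).
# Constructed sample of the line being matched:
#   NIC 1:  MAC: 080027AABBCC, Attachment: Internal Network 'intnet', ...,
#           Promisc Policy: deny, Bandwidth group: none
promisc_policy() {
  sed -n "s/^NIC $1:.*Promisc Policy: \([a-z-]*\).*/\1/p"
}

# Print the commands without touching any VM; drop DRY_RUN=1 to apply them.
# Afterwards verify with: VBoxManage showvminfo snort | promisc_policy 1
( DRY_RUN=1; configure_lab )
```

Inside the sensor guest the capture interface still has to be opened in promiscuous mode, which tcpdump does by default.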