Here’s how to create an isolated lab for replaying malicious PCAP through an IPS or inline device. In this use case, I have a Palo Alto VM 300 trial in EC2. Host A is on the trusted zone interface. Host B is on the untrusted zone interface.
Host 172.16.10.66 is running Debian 9. Its MAC address for eth0 is 00:50:56:91:13:cd
This is considered the Inside host where we will replay malicious PCAP and safely direct it through the router to the Outside (Fake Internet) host.
Install prerequisite packages
apt-get install arptables tcpdump
Install tcpreplay 4.3.1 https://tcpreplay.appneta.com/wiki/installation.html
Host 172.16.20.100 is running Debian 9. Its MAC address for eth0 is 00:50:56:91:80:dd
This is considered the Outside host acting as the fake internet.
INetSim runs fake services such as DNS and HTTP. Install INetSim on the Outside host: https://www.inetsim.org/packages.html
The box between the two hosts is a PANOS VM300.
HostA-172.16.88.50 is connected to Ethernet1/1 which has an IP address of 172.16.88.1 and a MAC address of 00:50:56:91:05:95
HostB-172.16.99.50 is connected to Ethernet1/2 which has an IP address of 172.16.99.1 and a MAC address of 00:50:56:91:23:e2
- Gather some malicious PCAP samples. There are several here: https://www.netresec.com/?page=PcapFiles
- Run the isolation_inside.sh script on the Inside host.
- Run the isolation_outside.sh script on the Outside host.
- Change to a directory on the Inside host with a malicious PCAP sample. Rename the sample test.pcap.
- Run the replay.sh script on the Inside host.
- View activity on the Outside host with 'tcpdump -nnAi eth0 net 172.16.0.0/16'
- Observe Snort alerts on the router via 'show utd engine standard logging events'
The isolation script works as follows:
Kill dhcp services
Set the IP for eth0 to match our environment
ifconfig eth0 172.16.88.50 netmask 255.255.255.0
Add a default gateway of the IP of the router connected to the subnet of the inside host
route add default gw 172.16.88.1
Set the nameserver to the Outside (Fake Internet) host
echo "nameserver 172.16.99.50" > /etc/resolv.conf
Clear iptables and add rules that only allow layer-3 traffic to and from the Outside host and the firewall's inside interface.
iptables -A INPUT -s 172.16.99.50 -j ACCEPT
iptables -A OUTPUT -d 172.16.99.50 -j ACCEPT
iptables -A INPUT -s 172.16.88.1 -j ACCEPT
iptables -A OUTPUT -d 172.16.88.1 -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
Clear arp tables and only allow the MAC address of the router.
arptables -A INPUT --source-mac 00:50:56:91:05:95 -j ACCEPT
The replay script works as follows:
Cache the pcap file
tcpprep --port --pcap=test.pcap --cachefile=in.cache
Rewrite the source and destination IPs to match our environment.
tcprewrite --cachefile=in.cache --endpoints 172.16.88.50:172.16.99.50 --infile=test.pcap --outfile=out.pcap
Rewrite the source and destination MAC addresses to direct these packets to the router.
tcprewrite --enet-smac=00:50:56:91:13:cd --enet-dmac=00:50:56:91:05:95 --infile=out.pcap --outfile=out2.pcap
Replay the pcap out of eth0 at 1 Mbps, once.
/usr/local/bin/tcpreplay -i eth0 -K --mbps 1 --loop 1 out2.pcap
Loop through subdirectories of the current directory, replaying the out2.pcap found in each one (the subshell returns to the starting directory after every replay).
for d in */; do (cd "$d" && /usr/local/bin/tcpreplay -i eth0 -K --mbps 1 --loop 1 out2.pcap); done
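A pre-replay sanity check, added here as an example and not part of the original scripts: it parses out2.pcap and reports every frame whose MAC addresses or IPv4 endpoints were not rewritten to the lab values above, so nothing addressed outside the lab is put on the wire. The MAC and IP constants are the ones from this page; the pcap parser and the constructed test frames are assumptions of the example.

```python
import struct
from ipaddress import ip_address
# Lab values from above: Inside host eth0 MAC, firewall Ethernet1/1 MAC, the two rewritten endpoints.
INSIDE_MAC, ROUTER_MAC = "00:50:56:91:13:cd", "00:50:56:91:05:95"
LAB_IPS = {"172.16.88.50", "172.16.99.50"}
LE_MAGIC, BE_MAGIC = (0xA1B2C3D4, 0xA1B23C4D), (0xD4C3B2A1, 0x4D3CB2A1)

def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def check_pcap(data):
    """Parse a classic pcap; return [(frame_no, reason)] for every frame that was
    not rewritten to the lab MACs/IPs and therefore must not be replayed."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in LE_MAGIC + BE_MAGIC:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    e = "<" if magic in LE_MAGIC else ">"
    if struct.unpack(e + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are supported")
    problems, off, n = [], 24, 0
    while off + 16 <= len(data):  # record header: ts_sec, ts_usec, incl_len, orig_len
        incl_len = struct.unpack(e + "I", data[off + 8:off + 12])[0]
        frame, off, n = data[off + 16:off + 16 + incl_len], off + 16 + incl_len, n + 1
        if len(frame) < 14:
            problems.append((n, "truncated ethernet header")); continue
        dst, src = _mac(frame[0:6]), _mac(frame[6:12])
        etype = struct.unpack("!H", frame[12:14])[0]
        if src != INSIDE_MAC or dst != ROUTER_MAC:
            problems.append((n, f"mac {src}->{dst} not rewritten"))
        if etype != 0x0800:
            problems.append((n, f"non-IPv4 ethertype 0x{etype:04x}, review manually"))
        elif len(frame) < 34:
            problems.append((n, "truncated ipv4 header"))
        else:
            sip, dip = str(ip_address(frame[26:30])), str(ip_address(frame[30:34]))
            if not {sip, dip} <= LAB_IPS:
                problems.append((n, f"ip {sip}->{dip} outside the lab"))
    return problems

def eth_ipv4(src_mac, dst_mac, sip, dip):
    """Constructed test frame: Ethernet II + bare 20-byte IPv4 header (proto TCP), no payload."""
    macs = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    ip_hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20, 0, 0, 64, 6, 0)
    return macs + b"\x08\x00" + ip_hdr + ip_address(sip).packed + ip_address(dip).packed

def build_pcap(frames):
    """Constructed test container: little-endian pcap global header + one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

Run it on the real file with check_pcap(open("out2.pcap", "rb").read()); an empty list means every frame carries only lab MACs and lab IPs, and anything else is a rewrite that did not take.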