@warewolf
Created July 1, 2017 22:13
Fedora/Red Hat Open vSwitch malware analysis segment "mirror" tunnel config
# set remote_ip below to your cuckoo VM's management IP
# set local_ip below to your VM server's management IP
TYPE="OVSTunnel"
OVS_TUNNEL_TYPE="gre"
OVS_BRIDGE="malwarebr0"
DEVICE="gremonitor0"
OVS_TUNNEL_OPTIONS="options:remote_ip=192.168.2.100 options:local_ip=192.168.2.70"
OVS_EXTRA="\
-- --id=@p get port gremonitor0 \
-- --id=@m create mirror name=m0 select-all=true output-port=@p \
-- set bridge malwarebr0 mirrors=@m"
BOOTPROTO=none
DEVICETYPE="ovs"
ONBOOT="yes"

warewolf commented Jul 1, 2017

The above as a plain shell script that does the same:

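#!/bin/bash

# Drop any existing mirror from the bridge before rebuilding it
ovs-vsctl clear bridge malwarebr0 mirrors

# Remove the old tunnel port; --if-exists avoids an error on the first run
ovs-vsctl --if-exists del-port gremonitor0

# Recreate the GRE port and mirror all bridge traffic to it in one transaction
ovs-vsctl -- add-port malwarebr0 gremonitor0 \
  -- set interface gremonitor0 type=gre options:remote_ip=192.168.2.100 options:local_ip=192.168.2.70 \
  -- --id=@p get port gremonitor0 \
  -- --id=@m create mirror name=m0 select-all=true output-port=@p \
  -- set bridge malwarebr0 mirrors=@m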


warewolf commented Jul 2, 2017

On the receiving side (the cuckoo sandbox VM) you need to:

ip link add monitor0 type gretap remote 192.168.2.70 local 192.168.2.100 ttl 255 key 1

If you try to use ip tun, or ip link add monitor0 type gre you're gonna have a bad time.
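
The receiving-side command reverses the sender's remote_ip and local_ip. As an added example (not part of the original gist), this shell helper derives that command from the ifcfg text so the two tunnel ends cannot drift apart. The function names are hypothetical and the sample input is constructed from the values on this page.

```shell
#!/bin/sh
# Constructed sample input: the tunnel lines from the ifcfg file on this page.
SAMPLE_IFCFG='TYPE="OVSTunnel"
OVS_TUNNEL_TYPE="gre"
DEVICE="gremonitor0"
OVS_TUNNEL_OPTIONS="options:remote_ip=192.168.2.100 options:local_ip=192.168.2.70"'

# Print the value of options:<name>= from ifcfg text on stdin.
# The file is parsed as text, never sourced, so nothing in it gets executed.
tunnel_opt() {
  sed -n 's/^OVS_TUNNEL_OPTIONS=.*options:'"$1"'=\([0-9.]*\).*/\1/p' | head -n 1
}

# Succeed only for a dotted quad with four octets in the range 0-255.
is_ipv4() {
  case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
  rest="$1." n=0
  while [ -n "$rest" ]; do
    octet=${rest%%.*}; rest=${rest#*.}
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    n=$((n + 1))
  done
  [ "$n" -eq 4 ]
}

# Emit the receiver-side gretap command for the given sender ifcfg text.
receiver_cmd() {
  cfg=$1
  sender_remote=$(printf '%s\n' "$cfg" | tunnel_opt remote_ip)
  sender_local=$(printf '%s\n' "$cfg" | tunnel_opt local_ip)
  is_ipv4 "$sender_remote" && is_ipv4 "$sender_local" ||
    { echo "missing or malformed tunnel endpoint" >&2; return 1; }
  [ "$sender_remote" != "$sender_local" ] ||
    { echo "remote_ip and local_ip are identical" >&2; return 1; }
  # Endpoints swap on the receiver: its "remote" is the sender's local_ip.
  # Device name, ttl and key are copied from the receiving-side command above.
  printf 'ip link add monitor0 type gretap remote %s local %s ttl 255 key 1\n' \
    "$sender_local" "$sender_remote"
}

receiver_cmd "$SAMPLE_IFCFG"
```
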
