VirtualBox and Networking with Squid and Snort

Gabe Thompson
Mar 13, 2019

Coming from the Windows side of the house in networking, putting together a physical network with some logical design wasn’t that difficult. With the release of Ghidra, I wanted to get some time with it by doing some challenges from Root-Me and HTB.

It might be easy to distrust the NSA tool and go completely airgapped. In fact I might recommend it for most untrustworthy software. It seems, though, that quite a few people more knowledgeable than I am have used the tool.

This post isn’t about Ghidra. It’s about setting up the networking side of the house within VirtualBox: creating a span port for Snort and setting up a Squid proxy, to build the virtual networking that I would want to put in place for something that is essentially: trust but verify.

All of this information is on the web. Additionally I’m certain there are tonnes of configuration changes and recommendations that I have not yet discovered or researched. This is just a documentation of my steps.

Basic setup:

Squid VM:
OS: Ubuntu Server 18.04.2 LTS
Network Adapter 1: Internal Network
Network Adapter 2: Bridged Adapter

Snort VM:
OS: Ubuntu Desktop 18.04.2 LTS
Network Adapter 1: Internal Network

Ghidra VM:
OS: Ubuntu Desktop 18.04.2 LTS
Network Adapter 1: Internal Network

All of the VMs received 1 GB of RAM and 20 GB dynamic disk space.

Setting up Squid:

General good practice to update before installing:

sudo apt update
sudo apt upgrade

Install squid:

sudo apt install squid

Make a copy of the original configuration file before making changes:

sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.original

Make the changes for your environment:

sudo nano /etc/squid/squid.conf

ctrl-w is your friend here, if using nano.
I specifically wanted to use a subnet that would be unique from my other networks within VirtualBox and my LAN.
First up is setting an access control list entry for that subnet:

acl localnet src 10.100.200.0/24

The next step is where I learned that you will get a proxy access denied message, testing with curl, if you don’t grant access from the network you specified in the ACL entry:

[Screenshot: Getting denied since I didn’t allow localnet]

http_access allow localnet

[Screenshot: It works!]

Lastly, I set the http_port to something other than the default:

http_port 8888
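
The three edits above can be checked without starting the proxy. This is an added example, not code from the original post: the function name check_squid_conf and the sample files are constructed, and it relies on Squid evaluating http_access rules top to bottom and stopping at the first match, so an allow rule placed after "http_access deny all" never takes effect.

```shell
#!/usr/bin/env bash
# Added example (not from the post): sanity-check the squid.conf edits.
# Squid stops at the first matching http_access rule, so "allow <acl>"
# has to appear before "deny all".

# check_squid_conf FILE ACL -> prints a finding, returns 0 if ACL is usable
check_squid_conf() {
    awk -v acl="$2" '
        /^[ \t]*(#|$)/ { next }                       # skip comments and blanks
        $1 == "acl" && $2 == acl && $3 == "src" { src = $4 }
        $1 == "http_access" && $2 == "allow" && $3 == acl && !allow { allow = NR }
        $1 == "http_access" && $2 == "deny" && $3 == "all" && !deny { deny = NR }
        $1 == "http_port" { port = $2 }
        END {
            if (!src)   { print "FAIL: acl " acl " is not defined"; bad = 1 }
            if (!allow) { print "FAIL: no http_access allow " acl; bad = 1 }
            else if (deny && deny < allow) {
                print "FAIL: deny all (line " deny ") precedes allow (line " allow ")"
                bad = 1
            }
            if (!bad) print "OK: " src " may use the proxy on port " (port ? port : 3128)
            exit bad + 0
        }' "$1"
}

# Constructed sample configs: one with the allow rule, one where it is
# still commented out (the "access denied" case described in the post).
good=$(mktemp); bad=$(mktemp)
printf '%s\n' 'acl localnet src 10.100.200.0/24' '#http_access allow localnet' \
    'http_access allow localnet' 'http_access deny all' 'http_port 8888' > "$good"
printf '%s\n' 'acl localnet src 10.100.200.0/24' '#http_access allow localnet' \
    'http_access deny all' 'http_port 8888' > "$bad"

check_squid_conf "$good" localnet
check_squid_conf "$bad" localnet || true
```

Run it against the real file with check_squid_conf /etc/squid/squid.conf localnet before restarting Squid.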

So from there I went about configuring proxy settings for my VM:

http_proxy=http://10.100.200.3:8888
https_proxy=http://10.100.200.3:8888
export http_proxy
export https_proxy

At this point I had a proxy set up and working, verified by using curl. The next thing I attempted was doing an apt update. This caused errors as apt couldn’t look up/resolve the names of the hosts. I initially thought I would have to sudo to root and do the same proxy settings. I took a trip on Google before doing that.

https://askubuntu.com/questions/7470/how-to-run-sudo-apt-get-update-through-proxy-in-commandline

Quite simply:

sudo su
visudo

Enter a line after “Defaults env_reset”:
Defaults env_keep = "http_proxy https_proxy"
ctrl-x, y (yes) to save.
Exit the elevated command line.

Give it another go with sudo apt update.

At this point in my journey, I have a proxy setup with a VM using that proxy for updates, web browsing (set in Firefox) and from the command line.

SUCCESS!

Now how about that Snort.

sudo apt update
sudo apt upgrade
sudo apt install snort

During the installation of Snort, a few questions are asked about the network interface it will be installed on. I’m not even going to pretend I know everything Snort can do or how it works. I have yet to take that road, but I wanted to get things set up to explore that in the future. On Ubuntu, the network interface was set to enp0s3; use ip addr to get your settings if you are not sure.

Then run snort with the following command:

sudo snort -A console -q -c /etc/snort/snort.conf -i enp0s3

It was at this point that I started getting frustrated with VirtualBox networking.
Things I tried that didn’t result in getting me a separated network and a span-port-like connection:
Setting up a host network using the Host Network Manager.
Setting up all VMs to be connected to the bridged network, span worked but I didn’t want all those VMs with access to the host network.
Setting the VMs to internal network.

Google and reading led me to something I had done a while ago on another VirtualBox installation: create a new Internal Network and set a VirtualBox DHCP server to it.

I’m sure there is a command line way to set up a new Internal Network. I didn’t see it, but I know you can just type a name into the VM settings Internal Network Name box.

This makes it available in all the other machines as well. To set up the DHCP server for that internal network, we take to the command line:

vboxmanage dhcpserver add --netname Internal0 --ip 10.100.200.1 --netmask 255.255.255.0 --lowerip 10.100.200.2 --upperip 10.100.200.254 --enable

Setting the Internal Network advanced settings, Promiscuous Mode to: Allow All on the snort VM allowed me to see the ping requests going to/from the Ghidra VM and Squid VM.

I did have to turn off and on the network connection from within the VMs to get the network interface to get an IP address, strange but it worked.
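
The same topology can be built from the command line with VBoxManage modifyvm. This is an added example, not part of the original post: the VM names Squid, Snort and Ghidra, the dry-run wrapper and the host interface placeholder are assumptions, and modifyvm needs the VMs powered off.

```shell
#!/usr/bin/env bash
# Added example (not from the post). Prints the commands by default;
# run with VBOX=VBoxManage to apply them to powered-off VMs.
VBOX="${VBOX:-echo VBoxManage}"
NET="Internal0"
# Placeholder: name of the host adapter the Squid VM bridges to
HOST_IF="${HOST_IF:-<host-interface>}"

# Attach NIC 1 of a VM to the internal network.
# $1 = VM name (assumed), $2 = promiscuous policy: deny | allow-vms | allow-all
attach_internal() {
    $VBOX modifyvm "$1" --nic1 intnet --intnet1 "$NET" --nicpromisc1 "$2"
}

build_lab() {
    # DHCP server for the internal network (same command as in the post)
    $VBOX dhcpserver add --netname "$NET" --ip 10.100.200.1 \
        --netmask 255.255.255.0 --lowerip 10.100.200.2 \
        --upperip 10.100.200.254 --enable

    # The proxy is the only VM with a second, bridged adapter
    attach_internal "Squid" deny
    $VBOX modifyvm "Squid" --nic2 bridged --bridgeadapter2 "$HOST_IF"

    # The analysis VM stays on the internal network only
    attach_internal "Ghidra" deny

    # Only the sensor may see frames addressed to other VMs
    attach_internal "Snort" allow-all
}

build_lab
```

Keeping allow-all on the Snort VM alone means the other guests cannot sniff each other's traffic on Internal0.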

This is what I set out to do.
SUCCESS!

Thank you for reading, hopefully you’ve learned something. Twitter: @grnbeltwarrior Github: https://github.com/grnbeltwarrior
