Thursday, July 9, 2015

Port Mirroring on Juniper EX Series Switches

To set up port mirroring on Juniper EX series switches, follow the guidelines here:

http://www.juniper.net/techpubs/en_US/junos13.2/topics/task/configuration/port-mirroring-cli.html

However, I'll TL;DR that for you here...

First, you need to set up your analyzer (the port mirror):

Set the analyzer up; "employee_monitor" is just the name of the analyzer. From there, input the port you're trying to mirror, and make sure you get the packets coming in (ingress), going out (egress), or both (see below).

set ethernet-switching-options analyzer employee_monitor input ingress interface ge-0/0/47.0
set ethernet-switching-options analyzer employee_monitor input egress interface ge-0/0/47.0

Also, tell it what port you're pushing the traffic to (output).

set ethernet-switching-options analyzer employee_monitor output interface ge-0/0/46.0

Next, set up a firewall filter that tells the packets to go to the analyzer. This is REQUIRED for the port mirror to work properly.

set firewall family ethernet-switching filter employee_monitor term to-analyzer from interface ge-0/0/47.0
set firewall family ethernet-switching filter employee_monitor term to-analyzer then accept
set firewall family ethernet-switching filter employee_monitor term to-analyzer then analyzer employee_monitor


After that, you need to tell the port that it is an analyzer port now...
 
set interfaces ge-0/0/46 unit 0 family ethernet-switching filter input employee_monitor

That's it. Now you can set up something like Security Onion to monitor all your traffic!

Aaron

Wednesday, July 8, 2015

Quick Tip: RegEx strings - changing "/" to "\" with re.sub() in Python

So, here's a quick tip on using Python and Regular Expressions to change a slash ("/") to a backslash ("\").

Here's the code, and I'll explain it afterwards:

>>> import re
>>> re.sub("/", '\\\\', "fooas/dsadsf")
'fooas\\dsadsf'
>>> print(re.sub("/", '\\\\', "fooas/dsadsf"))
fooas\dsadsf
>>> print(re.sub("/", '\\\\', "fooas/dsa/d/sf"))
fooas\dsa\d\sf
>>> data = "it/in/it"  # value inferred from the output below
>>> print(re.sub("/", '\\\\', data))
it\in\it

Notice that we're using four backslashes to accomplish what we're trying to do. Remember, this is Python we're dealing with, so the \ is an escape character with other uses, such as \t (tab), \r (carriage return), and \n (new line).

With that being said, in Python strings, the representation of the \ character (to print it in the string) is "\\"...that is, a double backslash. So, when we go to replace one instance of a slash, we have to use 4 backslashes...why?

Because there are two layers of escaping: the Python string literal needs its backslashes escaped, and then the replacement string that re.sub() receives needs its backslash escaped too...more is less. So, the four backslashes in the source are "\\" and "\\", which become "\\" (two characters) in the replacement expression that re.sub() sees, which then becomes "\" (one character) in the resulting string. That is also why the first line of output above, which is the repr of the result, shows "\\" while print shows a single "\".

This concludes your lesson in confusing syntax for the day. Thanks for playing!

-A
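
The two escaping layers from the tip above, as an added example (not code from the original post). It goes a little beyond the slash case to show what happens when an arbitrary Windows path is passed as the replacement; the helper names, the {PATH} marker and the sample path are constructed for illustration.

```python
import re

def slashes_to_backslashes(s):
    # Same call as the post: the literal "\\\\" is the two characters \\,
    # which re's replacement-template parser collapses to one backslash.
    return re.sub("/", "\\\\", s)

def slashes_to_backslashes_raw(s):
    # A raw string removes the Python-literal layer; the template layer remains.
    return re.sub("/", r"\\", s)

def slashes_to_backslashes_callable(s):
    # A callable's return value is inserted verbatim (no template parsing),
    # so a single backslash character is enough.
    return re.sub("/", lambda m: "\\", s)

def literal_repl(text):
    # Escape only backslashes so re.sub() inserts `text` unchanged.
    return text.replace("\\", "\\\\")

def substitute_path(template, path):
    # Hypothetical helper: replace the marker {PATH} with a Windows path.
    return re.sub(r"\{PATH\}", literal_repl(path), template)

def substitute_path_unescaped(template, path):
    # The mistake: the path is parsed as a replacement template,
    # so \t and \n inside it turn into a tab and a newline.
    return re.sub(r"\{PATH\}", path, template)

def lone_backslash_is_rejected():
    # A one-character "\" replacement is an incomplete escape for the parser.
    try:
        re.sub("/", "\\", "a/b")
    except re.error:
        return True
    return False

if __name__ == "__main__":
    sample = r"C:\temp\new"  # constructed sample path
    print(slashes_to_backslashes("fooas/dsa/d/sf"))
    print(repr(substitute_path_unescaped("open {PATH}", sample)))
    print(substitute_path("open {PATH}", sample))
```

For a fixed, non-pattern search like "/" the plain string method s.replace("/", "\\") avoids the template layer entirely.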