RE: Use of Taps for IDS

From: Jackie Chan (blue0ne@bello.digitz.org)
Date: 03/13/02


Date: Tue, 12 Mar 2002 21:38:52 -0500 (EST)
From: Jackie Chan <blue0ne@bello.digitz.org>
To: Hector Herrera <hectorh@pobox.com>

The IDS/TAP config can be improperly set up, just like any other system.
But if you follow the instructions in the following paper (written circa
1999) you will not get anything near what you are describing.

http://www.digitz.org/IDS/Shomiti.pdf

-blue0ne

On Tue, 12 Mar 2002, Hector Herrera wrote:

> At 10:45 AM 12/03/02 +0000, Bob Walder wrote:
> >Can I just throw in another little "gotcha" here too? It's not really about
> >taps, but port mirroring, so I guess it's sorta on topic...
> >
> >Imagine you have your 100/1000Mbit switch mirroring ports 1-10 to port 11,
> >where your IDS is. So far so good, and any attack traffic coming on to the
> >switch from elsewhere, targeted at the mirrored ports, will be picked up by
> >the IDS.
> >
> >But what happens when port 1 launches some sort of attack against port 2?
> >The infamous "disgruntled employee" strikes again.
> >
> >Now we see TWO alerts for every attack - one coming FROM port one and one
> >coming TO port 2. A simple Sniffer trace on port 11 of a Ping from port 1 to
> >port 2 reveals:
> >
> >ICMP echo request from 1 to 2 (as seen mirrored from port 1)
> >ICMP echo request from 1 to 2 (as seen mirrored from port 2)
> >ICMP echo reply from 2 to 1 (as seen mirrored from port 2)
> >ICMP echo reply from 2 to 1 (as seen mirrored from port 1)
> >
> >Two distinct streams, since a SPAN port does not "normalise" traffic from a
> >single session (are there switches that can do this?). What to do with these
> >duplicate requests?
>
> I use a Cisco 2912-XL with port mirroring for
> my Snort logger, and I have not seen the behaviour
> that you describe.
>
> I believe that is because the switch that I have
> copies the packet from the switching fabric, not
> from the input/output queues.
>
>
>

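Added example, not part of the original thread: the duplicate pairs Bob Walder describes (one copy of each packet mirrored from the sending port, one from the receiving port) can be collapsed on the sensor side before the IDS sees them. The script below is a small dedup filter over constructed frame records (the four mirrored frames from the ping example plus a genuinely new echo request). The field names (`ts`, `src`, `dst`, `proto`, `ip_id`, `payload`) and the one-millisecond window are assumptions for illustration; SPAN duplicates arrive microseconds apart, so a short window drops them while a real retransmission seconds later, which an IDS does want to see, is kept.

```python
"""Collapse duplicate frames produced by a SPAN/mirror session that copies
both endpoints of a conversation onto a single monitor port.

Constructed example; not code from the original mailing-list thread.
"""
import hashlib
from collections import OrderedDict

# Constructed sample input (hypothetical addresses and IP IDs):
# echo request seen from port 1 and again from port 2, echo reply seen from
# port 2 and again from port 1, then a new echo request one second later.
SAMPLE_FRAMES = [
    {"ts": 0.000000, "src": "10.0.0.1", "dst": "10.0.0.2", "proto": 1,
     "ip_id": 0x1A2B, "payload": b"\x08\x00 echo request seq=1"},
    {"ts": 0.000004, "src": "10.0.0.1", "dst": "10.0.0.2", "proto": 1,
     "ip_id": 0x1A2B, "payload": b"\x08\x00 echo request seq=1"},
    {"ts": 0.000050, "src": "10.0.0.2", "dst": "10.0.0.1", "proto": 1,
     "ip_id": 0x3C4D, "payload": b"\x00\x00 echo reply seq=1"},
    {"ts": 0.000054, "src": "10.0.0.2", "dst": "10.0.0.1", "proto": 1,
     "ip_id": 0x3C4D, "payload": b"\x00\x00 echo reply seq=1"},
    {"ts": 1.000000, "src": "10.0.0.1", "dst": "10.0.0.2", "proto": 1,
     "ip_id": 0x1A2C, "payload": b"\x08\x00 echo request seq=2"},
]


def frame_key(frame):
    """Identity of a packet as forwarded by the switch.

    The IP header fields plus a digest of the payload distinguish a mirrored
    copy (identical on every field) from a retransmission (new IP ID and/or
    new payload). The SPAN port does not rewrite any of these, so two copies
    of one forwarded packet always collide on this key.
    """
    digest = hashlib.sha256(frame["payload"]).hexdigest()[:16]
    return (frame["src"], frame["dst"], frame["proto"], frame["ip_id"], digest)


class MirrorDeduper:
    """Drop a frame whose key was already seen within `window` seconds."""

    def __init__(self, window=0.001):
        self.window = window
        self._seen = OrderedDict()   # key -> timestamp of first sighting
        self.dropped = 0

    def _expire(self, now):
        # Entries are inserted in time order, so expire from the front.
        while self._seen:
            _, first_ts = next(iter(self._seen.items()))
            if now - first_ts > self.window:
                self._seen.popitem(last=False)
            else:
                break

    def accept(self, frame):
        """Return True if the frame should be passed to the IDS."""
        now = frame["ts"]
        self._expire(now)
        key = frame_key(frame)
        if key in self._seen:
            self.dropped += 1
            return False
        self._seen[key] = now
        return True


def dedup(frames, window=0.001):
    """Filter a frame list; returns (kept_frames, number_dropped)."""
    deduper = MirrorDeduper(window)
    kept = [f for f in frames if deduper.accept(f)]
    return kept, deduper.dropped


if __name__ == "__main__":
    kept, dropped = dedup(SAMPLE_FRAMES)
    print(f"kept {len(kept)} frames, dropped {dropped} mirror duplicates")
```

On a live sensor the same idea is usually applied at capture time (for example a BPF filter on the monitor port, or a capture tool's deduplication option) rather than in Python, but the window-keyed approach is what any of those implement: exact-match on the forwarded packet, bounded in time so that genuine retransmissions are not hidden from the IDS.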

