RE: IDS using Taps & network bridging
From: Benninghoff, John (John.Benninghoff@Rbcdain.com)
Date: 11/26/02
- Previous message: Brian Laing: "RE: IDS Informer"
- Maybe in reply to: oobs3c02@attbi.com: "IDS using Taps & network bridging"
- Next in thread: Bennett Todd: "Re: IDS using Taps & network bridging"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 26 Nov 2002 14:36:56 -0600
From: "Benninghoff, John" <John.Benninghoff@Rbcdain.com>
To: <oobs3c02@attbi.com>, <focus-ids@securityfocus.com>
I think perhaps you want to sniff the external interface (eth1 or eth2) instead?
Also, I agree with others that Linux isn't necessarily the best platform for doing this sort of thing. OpenBSD would work quite well.
I notice you didn't specifically mention inline snort ... have you looked at this?
(http://www.snort.org/dl/contrib/patches/inline/)
-----Original Message-----
From: oobs3c02@attbi.com [mailto:oobs3c02@attbi.com]
Sent: Sunday, November 17, 2002 1:16 PM
To: focus-ids@securityfocus.com
Subject: IDS using Taps & network bridging
Hi,
I'm doing some testing to see how Taps could be implemented in my environment.
I've read some information from Snort.org and other sources showing the use of
taps in conjunction with a switch. I would like to eliminate the switch for
the aggregation and I'm looking for ideas on how to do that. The IDS platform
is snort running on Intel with Linux 2.4 Kernel. Ideas I've had so far are:
1. Hub - full duplex issues - scrapped that idea!
2. Bridged network cards - sniffing the bridged interface has been
problematic. It works but there seems to be an ARP DoS - any ideas on this
would be great!
3. Multi port NIC that has software to aggregate. The only solution I've found
for this only has drivers for Windows.
I'm open to any suggestions but I'm really interested in the network bridging.
What I've done so far is:
-Install 3 NICs in my box
-Bridged eth1 & eth2 to br0
-started up the bridge
-sniffed br0
I see mostly massive amounts of ARP traffic - any help on this would be
appreciated.
Regards,
Jim
"Life's tough - but it's a whole lot tougher when your stupid!"
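The thread above describes bridging the two tap legs (eth1 and eth2) into br0, sniffing br0, and seeing "massive amounts of ARP traffic". Before changing the bridge setup it helps to measure that traffic rather than eyeball it. The script below is an added example written for this page, not code from either poster or from the Snort project: it parses tcpdump-style lines with epoch timestamps (the format `tcpdump -n -tt` prints; the sample capture here is constructed by hand, not taken from the poster's sensor) and reports, per one-second bucket, how much of the frame mix is ARP and whether one identical ARP frame is being seen over and over. Identical frames repeating within the same second is the signature you would expect if the bridge were forwarding frames back between the two tap legs or re-injecting its own broadcasts, which is one hypothesis worth ruling out; the thresholds (50% ARP, 5 repeats) are assumptions chosen for illustration.

```python
"""Quantify an ARP storm seen on a sniffed bridge interface.

Input is tcpdump text output with epoch timestamps (tcpdump -n -tt).
Each one-second bucket is summarised as total frames, ARP frames and the
most-repeated ARP frame, so that "lots of ARP" becomes a number and a
repeated-frame count that points at a forwarding loop versus ordinary
broadcast chatter.
"""
import re
from collections import Counter, defaultdict

# Constructed sample in tcpdump -n -tt style; not a capture from the
# original post. First second: one who-has frame repeated six times plus
# duplicated replies. Second second: normal mix of one ARP and some TCP.
SAMPLE_CAPTURE = """\
1038340000.000100 arp who-has 10.1.2.5 tell 10.1.2.1
1038340000.000210 arp who-has 10.1.2.5 tell 10.1.2.1
1038340000.000330 arp who-has 10.1.2.5 tell 10.1.2.1
1038340000.000440 arp who-has 10.1.2.5 tell 10.1.2.1
1038340000.000550 arp who-has 10.1.2.5 tell 10.1.2.1
1038340000.000660 arp who-has 10.1.2.5 tell 10.1.2.1
1038340000.001000 arp reply 10.1.2.5 is-at 00:0c:29:aa:bb:cc
1038340000.001100 arp reply 10.1.2.5 is-at 00:0c:29:aa:bb:cc
1038340000.050000 IP 10.1.2.1.4321 > 10.1.2.5.80: Flags [S], seq 1, win 5840, length 0
1038340000.050500 IP 10.1.2.5.80 > 10.1.2.1.4321: Flags [S.], seq 2, ack 2, win 5792, length 0
1038340001.200000 arp who-has 10.1.2.9 tell 10.1.2.1
1038340001.300000 IP 10.1.2.1.4321 > 10.1.2.5.80: Flags [.], ack 1, win 5840, length 0
1038340001.400000 IP 10.1.2.1.4321 > 10.1.2.5.80: Flags [P.], seq 1:80, ack 1, win 5840, length 79
1038340001.500000 IP 10.1.2.5.80 > 10.1.2.1.4321: Flags [.], ack 80, win 5792, length 0
"""

# "<epoch.micros> <rest of line>"
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<body>.+)$")


def parse_line(line):
    """Return (epoch_second, body) for one tcpdump -tt line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(float(m.group("ts"))), m.group("body")


def is_arp(body):
    """tcpdump prefixes ARP frames with 'arp ' when -n is in effect."""
    return body.lower().startswith("arp ")


def bucket_frames(text):
    """Group frames per one-second bucket.

    Returns {second: {"total": n, "arp": m, "arp_bodies": Counter}} where
    arp_bodies counts identical ARP lines (repeats of the same frame).
    """
    buckets = defaultdict(lambda: {"total": 0, "arp": 0, "arp_bodies": Counter()})
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip blank or non-frame lines
        sec, body = parsed
        b = buckets[sec]
        b["total"] += 1
        if is_arp(body):
            b["arp"] += 1
            b["arp_bodies"][body] += 1
    return dict(buckets)


def find_arp_storm_seconds(text, min_ratio=0.5, min_repeats=5):
    """Return [(second, arp_ratio, most_repeated_body, repeats)] for every
    second in which ARP is at least min_ratio of all frames or a single ARP
    frame recurs min_repeats times. Thresholds are illustrative assumptions."""
    hits = []
    for sec, b in sorted(bucket_frames(text).items()):
        ratio = round(b["arp"] / b["total"], 3)
        if b["arp_bodies"]:
            body, repeats = b["arp_bodies"].most_common(1)[0]
        else:
            body, repeats = None, 0
        if ratio >= min_ratio or repeats >= min_repeats:
            hits.append((sec, ratio, body, repeats))
    return hits


if __name__ == "__main__":
    for sec, ratio, body, repeats in find_arp_storm_seconds(SAMPLE_CAPTURE):
        print(f"t={sec}: {ratio:.0%} ARP; most repeated frame seen {repeats}x: {body}")
```

To use it on a real sensor, feed it the output of `tcpdump -n -tt -i br0` (and, for comparison, of each tap leg on its own); if the repeat count on br0 is far higher than on eth1 or eth2 alone, the duplication is being introduced by the bridge rather than by the monitored segment.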