Re: Sniffing split connections
From: Chris Mills (securinate_at_gmail.com)
Date: 04/14/05
Date: Thu, 14 Apr 2005 16:25:06 -0400
To: rusty chiles <rustychiles@gmail.com>
That would work if I could have both connections to one sensor. I have
one sensor in each of two buildings, so bonding won't work. Thanks
though...
Chris
On 4/14/05, rusty chiles <rustychiles@gmail.com> wrote:
> You could always use the Linux kernel's bonding feature.
>
> It will take 2 ethernet interfaces and trunk the traffic flowing
> through them into a virtual interface that you can tell snort to
> listen on.
>
> Example
>
> All traffic from eth1 and eth2 will be combined to a virtual interface
> device called bond0.
>
> To set this up you would do something similar to this:
> #load the bonding kernel module
> modprobe bonding
> #bring up your interfaces that can see the traffic in promiscuous mode
> ifconfig eth1 promisc -arp up
> ifconfig eth2 promisc -arp up
> #bring up the bonding interface
> ifconfig bond0 promisc -arp up
> #enslave eth1 and eth2 to the bond0 interface
> ifenslave bond0 eth1
> ifenslave bond0 eth2
>
> Now, instead of telling snort to run on eth1 or eth2, etc., you will need
> to tell it to run on bond0.
>
> If all works you should see all traffic from eth1 and eth2 on bond0.
>
> Hope this helps.
>
> -Rusty
>
> On 4/11/05, Chris Mills <securinate@gmail.com> wrote:
> > Hi all-
> >
> > Here's the problem I'm having:
> >
> > I have a client site that has two physical connections from its ATM
> > switch that connect to two different providers. The ATM switch uses
> > both connections all the time (not set up as a failover). The ATM
> > switch at the site will not let me mirror the ports so I can't sniff
> > there... and after the two providers, the connection is too fast for
> > my equipment. I am using Snort 2.3.2 on PowerEdge 1750s. If I place a
> > sniffer at both provider A and provider B, is there a way I can
> > reassemble the traffic so I can see complete sessions? The two
> > providers are on different sides of town.
> >
> >             |--------|PROVIDER A|\
> > Client Site |                   |-----------|INTERNET|
> >             |--------|PROVIDER B|/
> >
> > Thanks very much,
> >
> > Chris
> >
> > --------------------------------------------------------------------------
> > Stop hurting your network!
> >
> > The NeVO passive vulnerability sensor continuously finds vulnerabilities,
> > applications and new hosts without the need for network scanning.
> > It also finds compromised systems with application-based intrusion detection.
> > Go to http://www.tenablesecurity.com/products/nevo.shtml to learn more.
> > --------------------------------------------------------------------------
> >
> >
>
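The asymmetry Chris describes (outbound traffic leaving via one provider, return traffic arriving via the other) is why each sensor alone sees only half of every session. As an added illustration that is not part of this thread, the Python below merges captures from two sensors by timestamp, with a per-sensor clock offset, and keys flows direction-independently so the two halves rejoin; the packet tuples, sensor names and addresses are constructed for the example.

```python
from collections import defaultdict

# Constructed sample captures (not real data): each packet is
# (timestamp, src_ip, src_port, dst_ip, dst_port, tcp_flags). Sensor A, in front
# of Provider A, sees only client->server; sensor B sees only server->client.
SENSOR_A = [
    (1000.000, "10.1.1.5", 40000, "203.0.113.7", 80, "S"),
    (1000.020, "10.1.1.5", 40000, "203.0.113.7", 80, "A"),
    (1000.021, "10.1.1.5", 40000, "203.0.113.7", 80, "PA"),
]
SENSOR_B = [
    (1000.010, "203.0.113.7", 80, "10.1.1.5", 40000, "SA"),
    (1000.030, "203.0.113.7", 80, "10.1.1.5", 40000, "PA"),
]

def flow_key(pkt):
    """Direction-independent key so both halves of a TCP session share one flow."""
    _, sip, sport, dip, dport, _ = pkt
    a, b = (sip, sport), (dip, dport)
    return (a, b) if a <= b else (b, a)

def merge_captures(captures, offsets=None):
    """Interleave packets from several sensors by timestamp. offsets[i] corrects
    sensor i's clock skew; this example assumes NTP-synchronised sensors (0.0)."""
    offsets = offsets or [0.0] * len(captures)
    merged = []
    for cap, off in zip(captures, offsets):
        for ts, *rest in cap:
            merged.append((ts + off, *rest))
    merged.sort(key=lambda p: p[0])
    return merged

def reassemble_sessions(packets):
    """Group packets into bidirectional flows and report, per flow, whether both
    directions and the full SYN / SYN-ACK handshake were observed."""
    flows = defaultdict(list)
    for pkt in packets:
        flows[flow_key(pkt)].append(pkt)
    return {
        key: {
            "packets": len(pkts),
            "bidirectional": len({(p[1], p[2]) for p in pkts}) == 2,
            "handshake_seen": {"S", "SA"} <= {p[5] for p in pkts},
        }
        for key, pkts in flows.items()
    }

if __name__ == "__main__":
    print("sensor A alone:", reassemble_sessions(SENSOR_A))
    print("merged:", reassemble_sessions(merge_captures([SENSOR_A, SENSOR_B])))
```

Run against sensor A alone the flow shows one direction and no handshake; after the merge the same flow key carries both directions and the complete SYN / SYN-ACK exchange.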