IDS: Re: Capturing NID traffic with CISCO

Re: Capturing NID traffic with CISCO

From: charles lindsay <frostbackeng_at_lycos.com>
Date: Tue, 12 Nov 2002 11:44:59 -0500

... And of course there are load-balancing solutions which will re-combine the flows before sending them to the same NIDS port/sensor...

... provided you are tapping/SPANning at the same "virtual point" in the network. If your egress and ingress points differ as regards NAT, or VPN-tunneling, life becomes more challenging.

But that would be a random complication which you have not mentioned.

>> Craig,
>>
>> Which version of NFR are you running? We are a very stateful IDS, so
>> you are correct, that it's important for us to see both sides of the
>> traffic. Our NID-315 and 320 series come with multiple sniffing
>> interfaces, which should allow you to configure SPAN ports from both
>> sides, and pump that data directly into the NID, allowing us to
>> re-assemble that traffic correctly.
>>
>> Attached is a .gif file that diagrams this setup.
>>
>> Of course, if your A and B side are not near each other, getting the
>> SPAN'ed data to us might be difficult. :)
>>
>> If you have any more questions, let me know.
>>
>> -dave
>>
>>
>> "Craig M. Taylor" wrote:
>> >
>> > Folks,
>> >
>>
>> > I'm wondering if anyone out there has come across detailed
>> > information on configuring CISCO equipment to capture network
>> > traffic via SPAN ports (or via other options such as ethernet
>> > TAPS).
>>
>> >
>>
>> > My specific problem is that I have traffic coming into an OSPF cloud
>> > on an A-side and leaving the OSPF cloud on the B-side and this is
>> > confusing my IDS sensors (NFR).
>>
>> >
>> > Any pointers to information links are much appreciated.
>> >
>> > Thank-you,
>> >
>> > Craig
>> >
>> > =====
>> > Craig Taylor -- Infosec, CISSP
>> > *********************************************************
>> > ** "Problems can not be fixed with the same level of **
>> > ** awareness that created them." - Albert Einstein - **
>> > *********************************************************
>>
>> --
>> David W. Goodrum
>> Senior Systems Engineer
>> NFR Security
>> Mobile: 703.731.3765
>> Office: 240.747.3425
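The thread's underlying problem is that a stateful NIDS only tracks a TCP session when it sees both directions, and asymmetric routing (ingress on the A-side, egress on the B-side) hands each sensor half a conversation. The script below is an added illustration, not code from the thread, from NFR or from Cisco: it takes constructed per-packet records from two hypothetical sniffing interfaces (`nid-a`, `nid-b`) and reports flows for which one direction was never observed. Evaluating the same records once per sensor and once merged shows why the replies recommend feeding both SPAN ports into one sensor or recombining flows with a load balancer before the NIDS. Record format, sensor names and addresses are all assumptions made for the example.

```python
"""Flag TCP flows a sensor saw in one direction only.

Added example for the SPAN/asymmetric-routing discussion above; the record
format and sample data are constructed, not taken from any real device.
One record per packet: "<sensor> <src:port> <dst:port> <tcp-flags>".
"""
from collections import defaultdict

# Constructed sample: three client sessions. The first is split across the
# A-side and B-side sensors, the second has a reply path neither sensor
# sees, the third is fully visible on the A-side sensor alone.
SAMPLE_RECORDS = """
nid-a 10.1.1.5:40001 192.0.2.10:80 S
nid-a 10.1.1.5:40001 192.0.2.10:80 A
nid-a 10.1.1.5:40001 192.0.2.10:80 PA
nid-b 192.0.2.10:80 10.1.1.5:40001 SA
nid-b 192.0.2.10:80 10.1.1.5:40001 PA
nid-a 10.1.1.6:40002 192.0.2.10:443 S
nid-a 10.1.1.6:40002 192.0.2.10:443 A
nid-a 10.1.1.6:40002 192.0.2.10:443 PA
nid-a 10.1.1.7:40003 192.0.2.11:22 S
nid-a 192.0.2.11:22 10.1.1.7:40003 SA
nid-a 10.1.1.7:40003 192.0.2.11:22 A
"""


def parse_records(text):
    """Split the constructed text into (sensor, src, dst, flags) tuples."""
    records = []
    for line in text.strip().splitlines():
        sensor, src, dst, flags = line.split()
        records.append((sensor, src, dst, flags))
    return records


def flow_key(src, dst):
    """Direction-independent flow identity: both endpoints, sorted."""
    return tuple(sorted((src, dst)))


def flow_stats(records, sensors=None):
    """Count packets per direction for every flow.

    sensors=None merges all sensors, which is what a multi-interface NID or
    a flow-recombining load balancer gives the analysis engine; passing a
    set restricts the view to those sniffing interfaces only.
    """
    stats = defaultdict(lambda: {"a_to_b": 0, "b_to_a": 0, "sensors": set()})
    for sensor, src, dst, _flags in records:
        if sensors is not None and sensor not in sensors:
            continue
        key = flow_key(src, dst)
        direction = "a_to_b" if src == key[0] else "b_to_a"
        stats[key][direction] += 1
        stats[key]["sensors"].add(sensor)
    return dict(stats)


def one_sided_flows(records, sensors=None):
    """Flows with a direction never observed from the given vantage point.

    A stateful NIDS cannot reassemble these sessions, so any detection that
    depends on the full exchange is silently lost for them.
    """
    return sorted(key for key, s in flow_stats(records, sensors).items()
                  if s["a_to_b"] == 0 or s["b_to_a"] == 0)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print("A-side sensor alone :", one_sided_flows(recs, {"nid-a"}))
    print("Both sensors merged :", one_sided_flows(recs))
```

Run against the sample, the A-side sensor alone reports two blind flows; merging both SPAN feeds clears the first of them, while the second stays one-sided because its return path crosses neither tap. That residual case is the "virtual point" caveat in Charles's reply: combining feeds only helps when the taps together cover every path a session can take.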

Received on Nov 12 2002
