Another option: FreeBSD supports interface bridging. You could have
two interfaces on a single FreeBSD machine and bridge them
together to have a unified place to sniff from.
-Barrett
On Apr 13, 2005, at 2:45 PM, Geff Ambrose wrote:
> Chris,
> A question for you: is the handoff from the ATM switch Ethernet or
> ATM? If it is Ethernet you should check out a company called Top
> Layer Networks; they have a product called the IDS Balancer that plays
> well in asymmetric environments and will reassemble the traffic flows
> for you. Your Snort boxes will see both sides of the traffic and you
> can then load balance to a bunch of sensors.
>
> www.toplayer.com
>
> Geff
>
>
> -----Original Message-----
> From: Chris Mills [mailto:securinate_at_gmail.com]
> Sent: Monday, April 11, 2005 12:37 PM
> To: focus-ids_at_securityfocus.com
> Subject: Sniffing split connections
>
>
> Hi all-
>
> Here's the problem I'm having:
>
> I have a client site that has two physical connections from its ATM
> switch that connect to two different providers. The ATM switch uses
> both connections all the time (not set up as a failover.) The ATM
> switch at the site will not let me mirror the ports so I can't sniff
> there... and after the two providers, the connection is too fast for
> my equipment. I am using Snort 2.3.2 on PowerEdge 1750's. If I place a
> sniffer at both provider A and provider B, is there a way I can
> reassemble the traffic so I can see complete sessions? The two
> providers are on different sides of town.
>
>            |--------|PROVIDER A|\
> Client Site|                     |-----------|INTERNET|
>            |--------|PROVIDER B|/
>
> Thanks very much,
>
> Chris
>
> -----------------------------------------------------------------------
> ---
> Stop hurting your network!
>
> The NeVO passive vulnerability sensor continuously finds
> vulnerabilities,
> applications and new hosts without the need for network scanning.
> It also finds compromised systems with application-based intrusion
> detection.
> Go to http://www.tenablesecurity.com/products/nevo.shtml to learn more.
> -----------------------------------------------------------------------
> ---
>
>
Received on Apr 20 2005