IDS mailing list archives

RE: IDS using Taps & network bridging


From: "Bryan K. Watson" <bwatson () nettracers com>
Date: Mon, 18 Nov 2002 08:15:52 -0800

You said:
What I've done so far is:
-Install 3 NICs in my box
-Bridged eth1 & eth2 to br0
-started up the bridge
-sniffed br0

I see mostly massive amounts of ARP traffic -
any help on this would be appreciated.

This is how a bridge should work...unless you determine all MAC addresses in
use across the whole network and tell your bridge that those MAC addresses
exist on your IDS side of the bridge, you will never see anything but
broadcast and ARP traffic there.  A bridge only forwards what needs to
traverse it based on destination MAC address.  Remember too that a switch is
just a bunch of bridges and you will see the same behavior on any port of a
switch unless you designate that port as a network monitor port.


-----Original Message-----
From: oobs3c02 () attbi com [mailto:oobs3c02 () attbi com]
Sent: Sunday, November 17, 2002 11:16 AM
To: focus-ids () securityfocus com
Subject: IDS using Taps & network bridging


Hi,

I'm doing some testing to see how Taps could be implemented in my
environment. I've read some information from Snort.org and other sources
showing the use of taps in conjunction with a switch.  I would like to
eliminate the switch for the aggregation and I'm looking for ideas on how to
do that.  The IDS platform is snort running on Intel with Linux 2.4 Kernel.
Ideas I've had so far are:

1. Hub - full duplex issues - scrapped that idea!
2. Bridged network cards - sniffing the bridged interface has been
problematic.  It works but there seems to be an ARP DoS - any ideas on this
would be great!
3. Multi port NIC that has software to aggregate.  The only solution I've
found for this only has drivers for Windows.

I'm open to any suggestions but I'm really interested in the network
bridging.

What I've done so far is:
-Install 3 NICs in my box
-Bridged eth1 & eth2 to br0
-started up the bridge
-sniffed br0

I see mostly massive amounts of ARP traffic - any help on this would be
appreciated.

Regards,

Jim

"Life's tough - but it's a whole lot tougher when you're stupid!"
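
The forwarding behaviour described in the reply at the top of this thread, as an added example that is not part of the original messages: a small Python model of a generic learning bridge (not the Linux bridge code itself) showing what a passive sensor port receives with and without a monitor port. Port names, MAC addresses and frames are constructed for illustration.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"
HOST_A = "00:00:00:00:00:0a"   # constructed MAC, attached to port p1
HOST_B = "00:00:00:00:00:0b"   # constructed MAC, attached to port p2

class LearningBridge:
    """Forwards frames by destination MAC, learning source MACs per port."""

    def __init__(self, ports, monitor_port=None):
        self.ports = list(ports)
        self.monitor_port = monitor_port      # port that gets a copy of everything
        self.fdb = {}                         # forwarding table: MAC -> port
        self.seen = {p: [] for p in self.ports}

    def receive(self, in_port, src, dst, label):
        self.fdb[src] = in_port               # learn where the sender lives
        if dst == BROADCAST or dst not in self.fdb:
            out = {p for p in self.ports if p != in_port}   # flood
        elif self.fdb[dst] != in_port:
            out = {self.fdb[dst]}             # known unicast: one port only
        else:
            out = set()                       # destination is on the ingress side
        if self.monitor_port is not None and self.monitor_port != in_port:
            out.add(self.monitor_port)
        for port in out:
            self.seen[port].append(label)

# Constructed sample conversation: (ingress port, src MAC, dst MAC, label)
FRAMES = [
    ("p1", HOST_A, BROADCAST, "ARP who-has B"),
    ("p2", HOST_B, HOST_A, "ARP reply from B"),
    ("p1", HOST_A, HOST_B, "TCP A->B"),
    ("p2", HOST_B, HOST_A, "TCP B->A"),
    ("p2", HOST_B, BROADCAST, "ARP who-has A"),
]

def observed_on(port, monitor_port=None):
    """Replay FRAMES through a fresh bridge and return what `port` received."""
    bridge = LearningBridge(["p1", "p2", "ids"], monitor_port)
    for frame in FRAMES:
        bridge.receive(*frame)
    return bridge.seen[port]

if __name__ == "__main__":
    print("plain port  :", observed_on("ids"))
    print("monitor port:", observed_on("ids", monitor_port="ids"))
```
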

