Re: Sniffing split connections

[Barrett G.Lyon <blyon () prolexic com>]

Another option:  FreeBSD supports interface bridging, you could have  
two interfaces on a single FreeBSD machine and bridge them both  
together to have a unified place to sniff from.

-Barrett


On Apr 13, 2005, at 2:45 PM, Geff Ambrose wrote:

> Chris
> A question for you, the handoff from the ATM switch is it Ethernet or  
> ATM?  If it is Ethernet you should check out a company called Top  
> Layer networks, they have a product called the IDS Balancer that plays  
> well in asymmetric environments and will reassemble the traffic flows  
> for you.  your snort boxes will see both sides of the traffic and you  
> can then load balance to a bunch of sensors
>
> www.toplayer.com
>
> Geff
>
>
> -----Original Message-----
> From: Chris Mills [mailto:securinate () gmail com]
> Sent: Monday, April 11, 2005 12:37 PM
> To: focus-ids () securityfocus com
> Subject: Sniffing split connections
>
>
> Hi all-
>
> Here's the problem I'm having:
>
> I have a client site that has two physical connections from its ATM
> switch that connect to two different providers. The ATM switch uses
> both connections all the time (not set up as a failover.) The ATM
> switch at the site will not let me mirror the ports so I can't sniff
> there... and after the two providers, the connection is too fast for
> my equipment. I am using Snort 2.3.2 on PowerEdge 1750's. If I place a
> sniffer at both provider A and provider B, is there a way I can
> reassemble the traffic so I can see complete sessions? The two
> providers are on different sides of town.
>
>                |--------|PROVIDER A|\
> Client Site|                          |-----------|INTERNET|
>                |--------|PROVIDER B|/
>
> Thanks very much,
>
> Chris
>
> ----------------------------------------------------------------------- 
> ---
> Stop hurting your network!
>
> The NeVO passive vulnerability sensor continuously finds  
> vulnerabilities,
> applications and new hosts without the need for network scanning.
> It also finds compromised systems with application-based intrusion  
> detection.
> Go to http://www.tenablesecurity.com/products/nevo.shtml to learn more.
> ----------------------------------------------------------------------- 
> ---
>
>
> ----------------------------------------------------------------------- 
> ---
> Stop hurting your network!
>
> The NeVO passive vulnerability sensor continuously finds  
> vulnerabilities,
> applications and new hosts without the need for network scanning.
> It also finds compromised systems with application-based intrusion  
> detection.
> Go to http://www.tenablesecurity.com/products/nevo.shtml to learn more.
> ----------------------------------------------------------------------- 
> ---


--------------------------------------------------------------------------
Stop hurting your network!

The NeVO passive vulnerability sensor continuously finds vulnerabilities, 
applications and new hosts without the need for network scanning. 
It also finds compromised systems with application-based intrusion detection. 
Go to http://www.tenablesecurity.com/products/nevo.shtml to learn more.
--------------------------------------------------------------------------