Snort mailing list archives
[OT] interface-mirroring on a server
From: Detmar Liesen <detmar.liesen () gmx de>
Date: Fri, 10 Jan 2003 09:46:31 +0100 (MET)
----please reply directly because I am not on the list any more-----

Hi,

this is a little bit off topic, but I am hoping for your help... :)

I am running tests with a VPN-gateway that will later act as an intermediate gw for a site-to-site vpn:

[gw1] -> [public-net] -> [gw2] -> [private-net] -> [gw3]

The gw1 is out of my reach, regarding administration and surveillance, so I want to run an IDS against the data that runs through the tunnel on gw2. This is possible, because I can sniff on the internal interface that connects the IPSec-layer to the normal IP stack on gw2, which is a linux-box.

However, I don't want to run an IDS on the VPN-box itself, because the box will be loaded enough with encrypting and decrypting packets.

Can I somehow create a mirror on the internal interface, i.e. copy all packets from the internal interface to a dedicated NIC which is connected to an IDS?

I have thought about checking out the linux bridging drivers, but I think with this software you can only send all packets from all NICs to all other NICs but not selectively mirror packets, right?

What I need is something equivalent to a switch-mirror-port but for a linux-server. Is that feasible? Has anybody tried something like that before?

Thanks for your help.

Greetings,
Detmar Liesen