IDS mailing list archives

Re: Capturing NID traffic with CISCO


From: "David W. Goodrum" <dgoodrum () nfr com>
Date: Fri, 08 Nov 2002 11:53:16 -0500

Craig,

Which version of NFR are you running?  We are a very stateful IDS, so
you are correct, that it's important for us to see both sides of the
traffic.  Our NID-315 and 320 series come with multiple sniffing
interfaces, which should allow you to configure SPAN ports from both
sides, and pump that data directly into the NID, allowing us to
re-assemble that traffic correctly.

Attached is a .gif file that diagrams this setup.  

Of course, if your A and B side are not near each other, getting the
SPAN'ed data to us might be difficult.  :)

If you have any more questions, let me know.

-dave


"Craig M. Taylor" wrote:

Folks,

I'm wondering if anyone out there has come across detailed information on
configuring CISCO equipment to capture network traffic via SPAN ports (or via other
options such as ethernet TAPS).

My specific problem is that I have traffic coming into an OSPF cloud on an A-side
and leaving the OSPF cloud on the B-side and this is confusing my IDS sensors (NFR).

Any pointers to information links are much appreciated.

Thank-you,

Craig

=====
Craig Taylor  -- Infosec, CISSP
*********************************************************
** "Problems can not be fixed with the same level of   **
** awareness that created them." - Albert Einstein -   **
*********************************************************


-- 
David W. Goodrum
Senior Systems Engineer
NFR Security
Mobile: 703.731.3765
Office: 240.747.3425
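
The reply above says a stateful sensor has to see both directions of each conversation. The sketch below is an added example, not part of the original post and not NFR code: it checks which TCP flows are seen in one direction only on each SPAN feed alone and on the two feeds merged. The interface names `span_a` and `span_b`, the tuple layout and the sample segments are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (capture_interface, src_ip, src_port, dst_ip, dst_port)
# for TCP segments. Requests enter on the A-side, replies leave on the B-side.
SEGMENTS = [
    ("span_a", "192.0.2.10", 40001, "198.51.100.5", 80),
    ("span_b", "198.51.100.5", 80, "192.0.2.10", 40001),
    ("span_a", "192.0.2.11", 40002, "198.51.100.5", 443),
    ("span_a", "198.51.100.5", 443, "192.0.2.11", 40002),
    ("span_b", "198.51.100.7", 25, "192.0.2.12", 40003),
]


def flow_key(src, sport, dst, dport):
    """Return a direction-independent endpoint pair plus the segment's direction."""
    a, b = (src, sport), (dst, dport)
    return (a, b, "fwd") if a <= b else (b, a, "rev")


def one_sided_flows(segments, interfaces):
    """Flows for which only one direction was seen on the given interfaces."""
    seen = defaultdict(set)
    for iface, src, sport, dst, dport in segments:
        if iface in interfaces:
            lo, hi, direction = flow_key(src, sport, dst, dport)
            seen[(lo, hi)].add(direction)
    return sorted(key for key, dirs in seen.items() if len(dirs) == 1)


if __name__ == "__main__":
    for label, ifaces in (("A only", {"span_a"}),
                          ("B only", {"span_b"}),
                          ("A + B merged", {"span_a", "span_b"})):
        print(label, one_sided_flows(SEGMENTS, ifaces))
```

A flow that is still one-sided after merging both feeds points to a path that neither SPAN port covers.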

