IDS mailing list archives
Re: Capturing NID traffic with CISCO
From: "charles lindsay" <frostbackeng () lycos com>
Date: Tue, 12 Nov 2002 11:44:59 -0500
... And of course there are load-balancing solutions which will re-combine the flows before sending them to the same NIDS port/sensor... ... provided you are tapping/SPANning at the same "virtual point" in the network. If your egress and ingress points differ as regards NAT, or VPN-tunneling, life becomes more challenging. But that would be a random complication which you have not mentioned.
> Craig,
>
> Which version of NFR are you running? We are a very stateful IDS, so you are correct that it's important for us to see both sides of the traffic. Our NID-315 and 320 series come with multiple sniffing interfaces, which should allow you to configure SPAN ports from both sides and pump that data directly into the NID, allowing us to re-assemble that traffic correctly. Attached is a .gif file that diagrams this setup.
>
> Of course, if your A and B side are not near each other, getting the SPAN'ed data to us might be difficult. :)
>
> If you have any more questions, let me know.
>
> -dave
>
> "Craig M. Taylor" wrote:
>
>> Folks,
>>
>> I'm wondering if anyone out there has come across detailed information on configuring CISCO equipment to capture network traffic via SPAN ports (or via other options such as ethernet TAPS).
>>
>> My specific problem is that I have traffic coming into an OSPF cloud on an A-side and leaving the OSPF cloud on the B-side, and this is confusing my IDS sensors (NFR).
>>
>> Any pointers to information links are much appreciated.
>>
>> Thank you,
>> Craig
>>
>> =====
>> Craig Taylor -- Infosec, CISSP
>> *********************************************************
>> ** "Problems can not be fixed with the same level of   **
>> ** awareness that created them." - Albert Einstein -   **
>> *********************************************************
>
> --
> David W. Goodrum
> Senior Systems Engineer
> NFR Security
> Mobile: 703.731.3765
> Office: 240.747.3425
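The thread asks how to get both the A-side and B-side of an asymmetric path into a stateful sensor. The following configuration is an added illustration by the editor, not from any of the posters, and it assumes a Catalyst switch running IOS (the thread never names the Cisco platform; CatOS uses a different `set span` syntax, and SPAN/RSPAN command forms vary by platform and IOS release). Interface names, session numbers and VLAN 900 are placeholders. Session 1 mirrors the A-side link and session 2 the B-side link, each to its own destination port, which is then cabled to a separate sniffing interface on the NID so the sensor sees both directions of every flow, as Goodrum describes. The RSPAN variant at the end is one way to carry a mirrored stream across the OSPF cloud when the two sides are not on the same switch, which Goodrum flags as the hard case.

```cisco
! --- Single switch: both sides reachable locally -------------------------
! Session 1: A-side link, both directions, to the port patched to NID sniff 1
monitor session 1 source interface FastEthernet0/1 both
monitor session 1 destination interface FastEthernet0/23

! Session 2: B-side link, both directions, to the port patched to NID sniff 2
monitor session 2 source interface FastEthernet0/2 both
monitor session 2 destination interface FastEthernet0/24

! Verify what is actually being mirrored
show monitor session 1
show monitor session 2

! --- Two switches: carry the B-side mirror over a remote-SPAN VLAN --------
! On the B-side switch (VLAN 900 is a placeholder; it must be dedicated to RSPAN)
vlan 900
 remote-span
monitor session 1 source interface FastEthernet0/2 both
monitor session 1 destination remote vlan 900

! On the switch where the NID is attached: turn the RSPAN VLAN back into a port
vlan 900
 remote-span
monitor session 2 source remote vlan 900
monitor session 2 destination interface FastEthernet0/24
```

Two caveats a practitioner would check before relying on this. First, a SPAN destination port on these switches does not behave as a normal access port (it does not forward ingress frames and is not a member of the source VLAN for normal traffic), so the sensor's sniffing interface sees only the mirrored copy, which is what you want. Second, mirroring `both` directions of a full-duplex link onto a single destination port of the same speed can oversubscribe that port under load and silently drop frames, which a stateful sensor will experience as broken streams; this is the point at which the ethernet taps and flow-recombining load balancers mentioned in the thread become the better option. The number of concurrent SPAN sessions is also platform-limited, so confirm the limit for the switch in question before planning one session per side.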
Current thread:
- Capturing NID traffic with CISCO Craig M. Taylor (Nov 08)
- Re: Capturing NID traffic with CISCO David W. Goodrum (Nov 11)
- <Possible follow-ups>
- Re: Capturing NID traffic with CISCO charles lindsay (Nov 12)