IDS mailing list archives
Re: Sniffing split connections
From: Adam Powers <apowers () lancope com>
Date: Tue, 19 Apr 2005 23:22:08 -0400
If you can live with flow-based analysis (such as NetFlow or sFlow) you can reassemble the asymmetrically routed flows from each "side of town" into a single box. StealthWatch allows for this kind of "flow reassembly" (also called "flow normalization"). The tradeoff, of course, is that you don't get actual payload with NetFlow and only *some* payload with sFlow. Depending on what your requirements are this may be enough, especially if statistical anomaly detection fulfills your requirements.

BTW: You can run an open source app such as nprobe or fprobe on the 1750 to generate the NetFlow records (so you don't really even need a Cisco router at each site).

-AP

On 4/11/05 12:37 PM, "Chris Mills" <securinate () gmail com> wrote:
Hi all-

Here's the problem I'm having: I have a client site that has two physical connections from its ATM switch that connect to two different providers. The ATM switch uses both connections all the time (not set up as a failover.) The ATM switch at the site will not let me mirror the ports so I can't sniff there... and after the two providers, the connection is too fast for my equipment. I am using Snort 2.3.2 on PowerEdge 1750s.

If I place a sniffer at both provider A and provider B, is there a way I can reassemble the traffic so I can see complete sessions? The two providers are on different sides of town.

            |--------|PROVIDER A|\
Client Site |                     |-----------|INTERNET|
            |--------|PROVIDER B|/

Thanks very much,
Chris

--------------------------------------------------------------------------
Stop hurting your network! The NeVO passive vulnerability sensor continuously finds vulnerabilities, applications and new hosts without the need for network scanning. It also finds compromised systems with application-based intrusion detection. Go to http://www.tenablesecurity.com/products/nevo.shtml to learn more.
--------------------------------------------------------------------------
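The "flow reassembly" Adam describes, as an added illustration that is not part of the thread and not StealthWatch, nprobe or fprobe code: each sensor exports unidirectional flow records (NetFlow v5 style, one record per direction), and with asymmetric routing sensor A sees only the client-to-server half while sensor B sees only the reply half. Grouping both feeds on a canonical bidirectional key rebuilds one session per 5-tuple, and anything still one-directional after the merge is either a scan, a blocked connection, or a coverage gap. The record layout, sensor names, sample flows and the client-selection heuristic (earliest first-seen, ephemeral port as tie-break) are constructed for the example; a real collector would take them from the exporter, and it assumes the two sensors' clocks are NTP-synchronized, since ordering records from two sites depends on comparable timestamps.

```python
"""Merge unidirectional flow records from two asymmetric-path sensors into biflows.

Constructed example for a NetFlow-style export; not the code of any product
named in the thread.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Endpoint = Tuple[str, int]            # (ip, port)
FlowKey = Tuple[Endpoint, Endpoint, int]  # (low endpoint, high endpoint, proto)


@dataclass(frozen=True)
class FlowRecord:
    """One unidirectional flow export (subset of NetFlow v5 fields, assumed layout)."""
    sensor: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int
    packets: int
    octets: int
    first: float   # epoch seconds of first packet seen
    last: float    # epoch seconds of last packet seen


@dataclass
class BiFlow:
    """Both directions of one session, merged from however many sensors saw it."""
    key: FlowKey
    initiator: Endpoint
    fwd_packets: int = 0
    fwd_octets: int = 0
    rev_packets: int = 0
    rev_octets: int = 0
    first: float = float("inf")
    last: float = 0.0
    sensors: Set[str] = field(default_factory=set)

    @property
    def bidirectional(self) -> bool:
        return self.fwd_packets > 0 and self.rev_packets > 0


def canonical_key(r: FlowRecord) -> FlowKey:
    """Order the two endpoints so both directions of a session hash to one key."""
    a: Endpoint = (r.src_ip, r.src_port)
    b: Endpoint = (r.dst_ip, r.dst_port)
    lo, hi = sorted((a, b))
    return (lo, hi, r.proto)


def pick_initiator(records: List[FlowRecord]) -> Endpoint:
    """Heuristic: the side seen first opened the session; on a timestamp tie the
    side using the higher (ephemeral-looking) source port is taken as the client.
    Requires the sensors' clocks to be synchronized."""
    earliest = min(records, key=lambda r: (r.first, -r.src_port))
    return (earliest.src_ip, earliest.src_port)


def merge_flows(records: List[FlowRecord]) -> Dict[FlowKey, BiFlow]:
    """Normalize records from all sensors into one BiFlow per session."""
    by_key: Dict[FlowKey, List[FlowRecord]] = {}
    for r in records:
        by_key.setdefault(canonical_key(r), []).append(r)

    merged: Dict[FlowKey, BiFlow] = {}
    for key, recs in by_key.items():
        bf = BiFlow(key=key, initiator=pick_initiator(recs))
        for r in recs:
            if (r.src_ip, r.src_port) == bf.initiator:
                bf.fwd_packets += r.packets
                bf.fwd_octets += r.octets
            else:
                bf.rev_packets += r.packets
                bf.rev_octets += r.octets
            bf.first = min(bf.first, r.first)
            bf.last = max(bf.last, r.last)
            bf.sensors.add(r.sensor)
        merged[key] = bf
    return merged


def one_sided(merged: Dict[FlowKey, BiFlow]) -> List[BiFlow]:
    """Sessions with traffic in only one direction after merging every feed."""
    return [bf for bf in merged.values() if not bf.bidirectional]


# Constructed sample export: two sensors, one at each provider.
SAMPLE_RECORDS = [
    # HTTPS session: request half routed via provider A, reply half via provider B
    FlowRecord("sensor-A", "10.1.1.5", 51234, "203.0.113.10", 443, 6, 12, 1840, 1000.0, 1003.5),
    FlowRecord("sensor-B", "203.0.113.10", 443, "10.1.1.5", 51234, 6, 10, 9120, 1000.1, 1003.4),
    # DNS query with no answer seen on either path
    FlowRecord("sensor-A", "10.1.1.7", 40001, "198.51.100.53", 53, 17, 1, 64, 1010.0, 1010.0),
    # SSH session where both directions happened to take provider B
    FlowRecord("sensor-B", "10.1.1.9", 44444, "203.0.113.20", 22, 6, 30, 4000, 1020.0, 1030.0),
    FlowRecord("sensor-B", "203.0.113.20", 22, "10.1.1.9", 44444, 6, 28, 6000, 1020.0, 1030.0),
]

if __name__ == "__main__":
    sessions = merge_flows(SAMPLE_RECORDS)
    for bf in sessions.values():
        print(bf.initiator, "->", [e for e in bf.key[:2] if e != bf.initiator][0],
              f"fwd={bf.fwd_packets}p/{bf.fwd_octets}B rev={bf.rev_packets}p/{bf.rev_octets}B",
              "sensors=" + ",".join(sorted(bf.sensors)))
    print("one-sided:", [bf.initiator for bf in one_sided(sessions)])
```

Run on the sample, the HTTPS session comes back whole with both sensors credited, the SSH session merges even though one sensor saw both halves, and the unanswered DNS query is the only one-sided flow. As the reply notes, this gives session accounting (who talked to whom, how much, for how long) but no payload, so Snort-style content signatures cannot be run over the merged result.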
Current thread:
- Sniffing split connections Chris Mills (Apr 13)
- Re: Sniffing split connections Richard Bejtlich (Apr 15)
- Re: Sniffing split connections Tony Carter (Apr 15)
- Re: Sniffing split connections rusty chiles (Apr 15)
- Re: Sniffing split connections Chris Mills (Apr 15)
- Re: Sniffing split connections Adam Powers (Apr 20)
- <Possible follow-ups>
- RE: Sniffing split connections Geff Ambrose (Apr 15)
- Re: Sniffing split connections Barrett G . Lyon (Apr 20)
- Re: Sniffing split connections Johann_van_Duyn (Apr 19)