IDS mailing list archives

Re: Sniffing split connections


From: Adam Powers <apowers () lancope com>
Date: Tue, 19 Apr 2005 23:22:08 -0400

If you can live with flow-based analysis (such as NetFlow or sFlow) you can
reassemble the asymmetrically routed flows from each "side of town" into a
single box.

StealthWatch allows for this kind of "flow reassembly" (also called "flow
normalization").

The tradeoff, of course, is that you don't get actual payload with NetFlow
and only *some* payload with sFlow. Depending on what your requirements are
this may be enough, especially if statistical anomaly detection fulfills
your requirements.

BTW: You can run an open source app such as nprobe or fprobe on the 1750 to
generate the NetFlow records (so you don't really even need a Cisco router
at each site).

-AP
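An added illustration of the flow reassembly Adam describes (example code, not StealthWatch's or anything from this thread): unidirectional NetFlow-style records exported by a collector at each provider are merged into one bidirectional session per connection, keyed on a direction-independent 5-tuple, and sessions seen in only one direction are flagged. The record layout, the sample values and the "higher port is the client" heuristic are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class FlowRecord:
    """One unidirectional flow as a collector exports it (constructed layout)."""
    sensor: str; src: str; sport: int; dst: str; dport: int; proto: int
    pkts: int; bytes: int; first: int; last: int   # first/last: epoch seconds

@dataclass
class Session:
    """Bidirectional flow rebuilt from records seen at different sensors."""
    client: str; cport: int; server: str; sport: int; proto: int
    fwd_pkts: int = 0; fwd_bytes: int = 0   # client -> server
    rev_pkts: int = 0; rev_bytes: int = 0   # server -> client
    first: int = 1 << 62; last: int = 0
    sensors: set = field(default_factory=set)

def canonical_key(r: FlowRecord) -> Tuple[Tuple, bool]:
    """Direction-independent 5-tuple; higher port = client (ephemeral-port heuristic)."""
    a, b = (r.src, r.sport), (r.dst, r.dport)
    forward = (a[1], a[0]) > (b[1], b[0])      # True if this record is client->server
    client, server = (a, b) if forward else (b, a)
    return (client, server, r.proto), forward

def normalize(records: List[FlowRecord]) -> Dict[Tuple, Session]:
    """Merge unidirectional records from every sensor into bidirectional sessions."""
    sessions: Dict[Tuple, Session] = {}
    for r in records:
        key, fwd = canonical_key(r)
        s = sessions.setdefault(key, Session(*key[0], *key[1], key[2]))
        if fwd:
            s.fwd_pkts += r.pkts; s.fwd_bytes += r.bytes
        else:
            s.rev_pkts += r.pkts; s.rev_bytes += r.bytes
        s.first, s.last = min(s.first, r.first), max(s.last, r.last)
        s.sensors.add(r.sensor)
    return sessions

def one_sided(sessions: Dict[Tuple, Session]) -> List[Session]:
    """One direction only: a collector gap on a provider path, or unanswered traffic (scans)."""
    return [s for s in sessions.values() if not (s.fwd_pkts and s.rev_pkts)]

# Constructed sample: sensor A sees the client->server half of a web session,
# sensor B (other provider) sees the replies; a third flow gets no reply at all.
SAMPLE = [
    FlowRecord("A", "10.1.1.5", 40000, "203.0.113.10", 80, 6, 12, 1500, 100, 110),
    FlowRecord("B", "203.0.113.10", 80, "10.1.1.5", 40000, 6, 10, 9000, 101, 111),
    FlowRecord("A", "10.1.1.5", 40001, "203.0.113.20", 22, 6, 3, 180, 120, 121),
]
```

Timestamps from the two collectors are only comparable if their clocks are synchronized, so NTP on every probe is a prerequisite for the merged first/last values to mean anything.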


On 4/11/05 12:37 PM, "Chris Mills" <securinate () gmail com> wrote:

Hi all-

Here's the problem I'm having:

I have a client site that has two physical connections from its ATM
switch that connect to two different providers. The ATM switch uses
both connections all the time (not set up as a failover.) The ATM
switch at the site will not let me mirror the ports so I can't sniff
there... and after the two providers, the connection is too fast for
my equipment. I am using Snort 2.3.2 on PowerEdge 1750s. If I place a
sniffer at both provider A and provider B, is there a way I can
reassemble the traffic so I can see complete sessions? The two
providers are on different sides of town.

               |--------|PROVIDER A|\
Client Site|                |-----------|INTERNET|
               |--------|PROVIDER B|/

Thanks very much,

Chris

--------------------------------------------------------------------------
Stop hurting your network!
 
The NeVO passive vulnerability sensor continuously finds vulnerabilities,
applications and new hosts without the need for network scanning.
It also finds compromised systems with application-based intrusion detection.
Go to http://www.tenablesecurity.com/products/nevo.shtml to learn more.
--------------------------------------------------------------------------