IDS mailing list archives
RE: Remote IDS Testing - Config question
From: Hank.Schupp () mantech-ist com
Date: 21 Dec 2005 20:15:05 -0000
I have had some luck with getting this 'system' built but have not successfully captured fragmented traffic. I am trying to create a system that fragments any traffic passing across a Linux machine set up as a router. As a result I have created the following network:

a) Dual NIC system running Knoppix Auditor. eth0 connected through hub to router-'internet' (10.x.x.x). eth1 (172.16.2.1) connected via x-over to "internal" (172.16.2.2) PC. Knoppix set up as router to internet.
b) Internal (Client) PC running Windows - or - Linux.
c) 3rd machine running Ethereal captures off the eth0 hub.

With no fragmentation involved I can reach the web server on the 'internet' side with no problem. When I run Fragrouter I see the fragments being generated in the console window and the client machine experiences a definite impact as a result. However, Ethereal captures from the client, the eth1 hub, and on the Knoppix box itself do not list any IP FRAGMENTS - I see lots of retrans and lost packets but nothing that indicates that Ethereal was seeing fragmented packets. It 'has' been a while since I had to work at the packet level but I thought I remembered Ethereal listing such traffic as "IP FRAGMENT". Go ahead and "Learn me" something if I am mistaken please!

The only thing I notice is that when I run "fragrouter -i eth1 -F2" I can see the fragmentation listed in console but if I use "fragrouter -i eth0 -F2" nothing happens. I would think that I should want to fragment traffic going through eth0 if I want to pick it up off the hub ... I can guess that the problem lies in my routing configuration on the Knoppix (Auditor) machine but can't think of what to change to make it work.

Any thoughts?

Hank
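Following up the question above: an added example (not from the original post, Fragrouter or Ethereal) that applies the same test Ethereal uses to label a packet "IP Fragment" (MF flag set or non-zero fragment offset) to raw IPv4 packets, and reports whether every fragmented datagram in a capture arrived complete. The addresses, IP IDs and payloads are constructed, and the packets are assumed to be raw IPv4 without Ethernet framing.

```python
"""Find IPv4 fragments in raw packet bytes and check each fragmented datagram for gaps."""
import socket
import struct

# version/IHL, TOS, total length, ID, flags+offset, TTL, proto, checksum, src, dst
IPV4_HDR = "!BBHHHBBH4s4s"

def build_ipv4(src, dst, ident, mf, offset8, payload, proto=6):
    """Construct a minimal IPv4 packet (no options, checksum left 0) for the sample capture.
    offset8 is the fragment offset in 8-byte units, exactly as carried in the header."""
    flags_frag = (0x2000 if mf else 0) | (offset8 & 0x1FFF)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def classify(pkt):
    """Return (key, is_fragment, more_fragments, offset_bytes, payload_len) for one packet.
    A packet is a fragment if the MF flag is set OR the fragment offset is non-zero."""
    _, _, total_len, ident, flags_frag, _, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (pkt[0] & 0x0F) * 4
    mf = bool(flags_frag & 0x2000)
    offset = (flags_frag & 0x1FFF) * 8
    key = (socket.inet_ntoa(src), socket.inet_ntoa(dst), ident, proto)
    return key, (mf or offset > 0), mf, offset, total_len - ihl

def fragment_report(packets):
    """Group fragments by (src, dst, id, proto). A datagram is complete when its last
    fragment (MF=0) was seen and every byte before it is covered with no hole."""
    groups = {}
    for pkt in packets:
        key, is_frag, mf, offset, plen = classify(pkt)
        if not is_frag:
            continue
        g = groups.setdefault(key, {"pieces": [], "end": None})
        g["pieces"].append((offset, plen))
        if not mf:
            g["end"] = offset + plen
    report = {}
    for key, g in groups.items():
        covered = 0
        for offset, plen in sorted(g["pieces"]):
            if offset > covered:
                break  # hole: a fragment never reached the capture point
            covered = max(covered, offset + plen)
        report[key] = {"fragments": len(g["pieces"]),
                       "complete": g["end"] is not None and covered >= g["end"]}
    return report

# Constructed sample "capture": one 24-byte datagram split in two, plus one unfragmented packet.
SAMPLE = [
    build_ipv4("172.16.2.2", "10.1.1.1", 0x1234, True, 0, b"A" * 16),
    build_ipv4("172.16.2.2", "10.1.1.1", 0x1234, False, 2, b"B" * 8),
    build_ipv4("172.16.2.2", "10.1.1.1", 0x1235, False, 0, b"C" * 40),
]

if __name__ == "__main__":
    for key, info in fragment_report(SAMPLE).items():
        print(key, info)
```

Feeding the same function the packets from a capture taken on the eth0 hub versus one taken on the client shows at which point fragments stop appearing, which is the question the post is trying to answer.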