Snort mailing list archives
RE: Sniffing the Gateways
From: "Madziarczyk, Jonathan" <than () cityofevanston org>
Date: Thu, 29 Nov 2001 10:41:57 -0600
Look for "---"

JMad

-----Original Message-----
From: jamesh [mailto:jamesh () cybermesa com]
Sent: Wednesday, November 28, 2001 4:07 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Sniffing the Gateways

We have 2 gateways, and I am sniffing traffic off both the Ethernet interfaces (via the switch). I was hoping to see all the traffic for our statewide network this way, but I am not. After a bit of thinking I realized this probably will not show me the several serial interfaces that exist on these gateways, as these route directly out the WAN connections (ie, serial and WAN connections are on the same box and route port to port to get to the internet) and not thru the Ethernet interfaces. Is this correct ?

---Your assumption is correct, the router has no need to go out the Ethernet interface and therefore you will not see any traffic. Cisco does not have any provisions for sniffing (like SPAN) out to another interface since that would defeat the purpose of routing.

If so how would I go about seeing everything ? As luck would have it, the secondary gateway is our Cisco 72XX, where multiple T's to the DSLAM's for DSL exist. BGP tends to send these connections out this gateway and only once in a while does BGP decide to use the primary gateway for DSL; in this case Snort will see this. As we have 400+ DSL subscribers, I am interested to see if any have DoS tools installed (and other bad things). Generally I just sniff all our servers, this works great. Once a day I would like to watch all traffic to get the big picture with a special interest in what is going on with DSL. Any ideas ?

---The best suggestions I can offer (others may have better ones) are these:

---1) Taps--I don't know a whole lot about them and how they would integrate with Snort (will snort sniff a local serial interface?). You could either tap the internet connection and see all in/outbound traffic or tap all your serial lines individually. You may be able to find some combination of hardware that will get you what you want.

---2) Depending upon many factors (ip schemes, how good the bandwidth between your gateways is, how much load you can spare on them, the number of sunspots on a given Wednesday, how lucky you feel, and so on....) you may be able to play with the weighting and static routes on your serial interfaces so that they think that the other gateway has the best route, then once they hit the BGP table it can then decide if it should really go out there or go back to the other gateway. Granted, it's totally "bassackwards" and will add to your load, but if you can spare it, it will do the job, and then some (in some cases you'll see the traffic twice on Snort).

---The real point is that you've got to either catch the traffic on the way in or on the way out. Unless you're on a cat6500 you're not going to be able to do what you want without forcing the traffic out of the router/gateway and then back into it.

Hope that gives you some ideas.

"They can't all be good, you have to expect that once in a while." --Groucho Marx

JMad
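The underlying problem in this thread is a sensor blind spot: traffic that never crosses the Ethernet interface the sensor is attached to. One way to verify coverage before trusting the sensor is to compare the address pools you expect to see (the DSL pools, the server farm) against what actually shows up in captured flows. The script below is an added example written for this archive page, not code from the thread or from Snort; the pool names, prefixes and flow lines are constructed, and the flow format ("src dst bytes") is a hypothetical export, not a Snort log format.

```python
"""Sensor-coverage check: which expected address pools never appear in the
traffic the sensor actually captured. Added example with constructed data."""
import ipaddress
from collections import Counter

# Constructed: address pools the sensor should be seeing (hypothetical values).
EXPECTED_POOLS = {
    "dsl-pool-a": "10.50.0.0/22",
    "dsl-pool-b": "10.50.4.0/22",
    "server-farm": "192.0.2.0/24",
}

# Constructed sample of what the sensor logged, one flow per line: "src dst bytes".
SAMPLE_FLOWS = """\
192.0.2.10 198.51.100.7 1500
192.0.2.11 198.51.100.9 800
10.50.1.23 203.0.113.4 64
192.0.2.10 198.51.100.7 3000
"""

def parse_flows(text):
    """Yield (src, dst, bytes) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield (ipaddress.ip_address(parts[0]),
                   ipaddress.ip_address(parts[1]), int(parts[2]))
        except ValueError:
            continue  # unparseable address or byte count: ignore the line

def coverage_report(pools, flows):
    """Count flows whose src or dst falls inside each pool; return {pool: count}."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in pools.items()}
    counts = Counter({name: 0 for name in nets})
    for src, dst, _ in list(flows):
        for name, net in nets.items():
            if src in net or dst in net:
                counts[name] += 1
    return dict(counts)

def blind_spots(pools, flows):
    """Pools with zero observed flows: traffic the sensor is not positioned to see."""
    report = coverage_report(pools, flows)
    return sorted(name for name, n in report.items() if n == 0)

if __name__ == "__main__":
    flows = list(parse_flows(SAMPLE_FLOWS))
    print(coverage_report(EXPECTED_POOLS, flows))
    print("blind spots:", blind_spots(EXPECTED_POOLS, flows))
```

A pool that stays at zero over a full day of capture is the signal to look for a tap or a routing change rather than tuning Snort rules.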