IDS mailing list archives

Re: Capturing NID traffic with CISCO


From: "charles lindsay" <frostbackeng () lycos com>
Date: Tue, 12 Nov 2002 11:44:59 -0500

... And of course there are load-balancing solutions which will re-combine the flows before sending them to the same 
NIDS port/sensor...

... provided you are tapping/SPANning at the same "virtual point" in the network. If your egress and ingress points
differ as regards NAT, or VPN-tunneling, life becomes more challenging.

But that would be a random complication which you have not mentioned.

Craig,

Which version of NFR are you running?  We are a very stateful IDS, so
you are correct, that it's important for us to see both sides of the
traffic.  Our NID-315 and 320 series come with multiple sniffing
interfaces, which should allow you to configure SPAN ports from both
sides, and pump that data directly into the NID, allowing us to
re-assemble that traffic correctly.

Attached is a .gif file that diagrams this setup.  

Of course, if your A and B side are not near each other, getting the
SPAN'ed data to us might be difficult.  :)

If you have any more questions, let me know.

-dave


"Craig M. Taylor" wrote:

Folks,


I'm wondering if anyone out there has come across detailed
information on configuring CISCO equipment to capture network
traffic via SPAN ports (or via other options such as ethernet
TAPS).



My specific problem is that I have traffic coming into an OSPF cloud
on an A-side and leaving the OSPF cloud on the B-side and this is
confusing my IDS sensors (NFR).


Any pointers to information links are much appreciated.

Thank-you,

Craig

=====
Craig Taylor  -- Infosec, CISSP
*********************************************************
** "Problems can not be fixed with the same level of   **
** awareness that created them." - Albert Einstein -   **
*********************************************************

-- 
David W. Goodrum
Senior Systems Engineer
NFR Security
Mobile: 703.731.3765
Office: 240.747.3425


