IDS mailing list archives
interface-mirroring on a server
From: detmar.liesen () lds nrw de
Date: Fri, 10 Jan 2003 09:39:28 +0100
Hi,

I have a VPN gateway that acts as an intermediate gw for a site-to-site VPN:

[gw1] --> [public-net] --> [gw2] --> [private-net] --> [gw3]

The gw1 is out of my reach, regarding administration and surveillance, so I want to run an IDS against the data that runs through the tunnel on gw2. This is possible, because I can sniff on the internal interface that connects the IPSec layer to the normal IP stack on gw2, which is a Linux box.

However, I don't want to run an IDS on the VPN box itself, because the box is loaded enough with encrypting and decrypting packets.

Can I somehow create a mirror on the internal interface, i.e. copy all packets from the internal interface to a dedicated NIC which is connected to an IDS?

I have thought about checking out the Linux bridging drivers, but I think with this software you can only send all packets from all NICs to all other NICs, but not selectively mirror packets.

What I need is something equivalent to a switch mirror port, but for a Linux server. Is that feasible? Has anybody tried something like that before?

Thanks for your help.

Greetings,
Detmar Liesen
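One way to get a switch-style mirror port on a Linux box, as an added example that is not part of the original thread: tc's "mirred" action copies every frame that enters or leaves one interface onto a second NIC. It assumes the tunnel-side interface is called ipsec0 and the NIC cabled to the IDS is eth2 (both names are assumptions), and it needs root plus the tc tool from iproute2.

```shell
#!/bin/sh
# Mirror all traffic of a tunnel-side interface to a dedicated IDS NIC with
# tc's mirred action. Added example, not code from the original thread.
# Assumed names: SRC=ipsec0 (the interface being sniffed), DST=eth2 (the NIC
# connected to the IDS; give it no IP address so it only carries copies).
# Nothing touches the kernel unless MIRROR_APPLY=1 is set in the environment.
set -eu

# Emit the tc commands that copy both directions of SRC onto DST.
# Inbound frames are hooked on the ingress qdisc (handle ffff:), outbound
# frames on a prio root qdisc. "match u32 0 0" matches every packet and
# "mirror" sends a copy while the original keeps flowing (unlike "redirect").
mirror_cmds() {
    src=$1; dst=$2
    cat <<EOF
ip link set dev $dst up
tc qdisc add dev $src handle ffff: ingress
tc filter add dev $src parent ffff: protocol all u32 match u32 0 0 action mirred egress mirror dev $dst
tc qdisc add dev $src handle 1: root prio
tc filter add dev $src parent 1: protocol all u32 match u32 0 0 action mirred egress mirror dev $dst
EOF
}

# Commands that remove the mirror again (deleting the qdiscs drops the filters).
teardown_cmds() {
    src=$1
    printf 'tc qdisc del dev %s ingress\ntc qdisc del dev %s root\n' "$src" "$src"
}

# Sanity check: both devices must exist and DST must differ from SRC,
# otherwise every mirrored packet would be fed straight back into the mirror.
check_args() {
    [ "$1" != "$2" ] || return 1
    [ -e "/sys/class/net/$1" ] && [ -e "/sys/class/net/$2" ]
}

if [ "${MIRROR_APPLY:-0}" = 1 ]; then
    SRC=${SRC:-ipsec0}; DST=${DST:-eth2}
    check_args "$SRC" "$DST" || { echo "bad interfaces: $SRC $DST" >&2; exit 1; }
    mirror_cmds "$SRC" "$DST" | sh -e
    # The filter's packet/byte counters show whether frames are being copied.
    tc -s filter show dev "$SRC" parent ffff:
fi
```

Run it with `MIRROR_APPLY=1 SRC=ipsec0 DST=eth2 sh mirror.sh` on the gateway; the copies appear on eth2, so the IDS host sniffs that link as if it were a switch mirror port, and the gateway itself only pays for the frame copy rather than for the IDS.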