IDS mailing list archives

RE: Remote IDS Testing - Config question


From: Hank.Schupp () mantech-ist com
Date: 21 Dec 2005 20:15:05 -0000

I have had some luck with getting this 'system' built but have not successfully captured fragmented traffic.  I am 
trying to create a system that fragments any traffic passing across a Linux machine set up as a router. As a result I 
have created the following network: 

a) Dual NIC system running Knoppix Auditor.
   eth0 connected through hub to router-'internet'(10.x.x.x).
   eth1 (172.16.2.1) connected via x-over to "internal" (172.16.2.2) PC
   Knoppix set up as router to internet.

b) Internal (Client) PC running Windows - or - Linux

c) 3rd machine running Ethereal captures off the eth0 hub.

With no fragmentation involved I can reach the web server on the 'internet' side with no problem.  When I run 
Fragrouter I see the fragments being generated in the console window and the client machine experiences a definite 
impact as a result.  However, ethereal captures from the client, the eth1 hub, and on the knoppix box itself do not 
list any IP FRAGMENTS - I see lots of retrans and lost packets but nothing that indicates that ethereal was seeing 
fragmented packets.  It 'has' been a while since I had to work at the packet level but I thought I remembered ethereal 
listing such traffic as "IP FRAGMENT".  Go ahead and "Learn me" something if I am mistaken please!

The only thing I notice is that when I run "fragrouter -i eth1 -F2" I can see the fragmentation listed in console but 
if I use "fragrouter -i eth0 -F2" nothing happens.  I would think that I should want to fragment traffic going through 
eth0 if I want to pick it up off the hub ... I can guess that the problem lies in my routing configuration on the 
knoppix (auditor) machine but can't think of what to change to make it work.  Any thoughts?

Hank
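One way to confirm whether a capture actually contains IP fragments is to decode the IPv4 flags/offset field yourself rather than rely on how the analyzer labels them: per RFC 791 a packet is a fragment when the MF (more fragments) bit is set or the fragment offset is non-zero. The following is an added example, not code from the original post; the addresses and packets are constructed inline, and the checksum is left at zero because nothing here verifies it.

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Ipv4Info:
    src: str
    dst: str
    ident: int
    proto: int
    more_fragments: bool
    frag_offset: int   # position of this piece within the original datagram, in bytes
    payload_len: int

    @property
    def is_fragment(self) -> bool:
        # RFC 791: fragment if MF is set or the offset is non-zero (the last piece has MF=0)
        return self.more_fragments or self.frag_offset != 0


def parse_ipv4(frame: bytes) -> Ipv4Info:
    """Decode the fixed 20-byte IPv4 header; options, if present, are skipped via IHL."""
    if len(frame) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_off,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    return Ipv4Info(".".join(map(str, src)), ".".join(map(str, dst)), ident, proto,
                    bool(flags_off & 0x2000), (flags_off & 0x1FFF) * 8, total_len - ihl)


def fragment_groups(frames):
    """Group fragments by the reassembly key (src, dst, id, proto) with (offset, len, MF) per piece."""
    groups = {}
    for frame in frames:
        info = parse_ipv4(frame)
        if info.is_fragment:
            key = (info.src, info.dst, info.ident, info.proto)
            groups.setdefault(key, []).append((info.frag_offset, info.payload_len, info.more_fragments))
    return {k: sorted(v) for k, v in groups.items()}


def build_ipv4(src, dst, ident, proto, mf, offset_bytes, payload):
    """Constructed test packet (checksum zero); offset must be a multiple of 8 as on the wire."""
    flags_off = (0x2000 if mf else 0) | (offset_bytes // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


# Constructed sample: one whole ICMP packet, then a 64-byte datagram split into two 32-byte fragments
SAMPLE = [
    build_ipv4("172.16.2.2", "10.0.0.1", 1, 1, False, 0, b"A" * 56),
    build_ipv4("172.16.2.2", "10.0.0.1", 2, 1, True, 0, b"B" * 32),
    build_ipv4("172.16.2.2", "10.0.0.1", 2, 1, False, 32, b"C" * 32),
]
```

Feeding the raw IP layer of each captured frame through `fragment_groups` gives an empty dict when no fragments were seen, which is a quicker check than scanning the packet list by eye.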
