Honeypots mailing list archives

Re: Antwort: reassemble data from TAP


From: "Vladislav V. Myasnyankin" <mvv () kazna ru>
Date: Fri, 15 Oct 2004 09:33:01 +0600

Holger,

Thanks for your irrefragable answer!

I would also like to thank the other list members for their suggestions, but bonding
interfaces is the better solution in my case.

--
regards,
Vladislav V. Myasnyankin
Chief Information Security Officer
Bank "Severnaya Kazna".
www.kazna.ru / www.internetbank.ru
mvv at kazna.ru
phone (343) 359-27-32, 059
     fax (343) 359-27-34
Personal homepage --> http://cybervlad.net



----- Original Message ----- 
From: <Holger.Woehle () arcor net>
To: "Vladislav V. Myasnyankin" <mvv () kazna ru>
Cc: <honeypots () securityfocus com>
Sent: Thursday, October 14, 2004 8:45 PM
Subject: Antwort: reassemble data from TAP

Vladislav,
of course you can do it!

What you need is the "bonding" device (EtherChannel in the Cisco world) of
the Linux kernel.
Switch it on either as static or as a module in the kernel config. Then
recompile your kernel and build the userland tool "ifenslave" to start up the
virtual interface.
You can find the C source under the kernel tree:
/usr/local/src/linux/Documentation/networking/ifenslave.c .
Then you must set up your NICs like this:

#begin /etc/network/interfaces
auto lo
iface lo inet loopback

# management interface, keeps its normal address
auto eth0
iface eth0 inet static
     address 192.168.1.5
     netmask 255.255.255.0
     broadcast 192.168.1.255
     gateway 192.168.1.1

# the two TAP legs: no address, they only feed the bond
auto eth1 eth2 bond0
iface eth1 inet static
     address 0.0.0.0
     netmask 255.255.255.255
iface eth2 inet static
     address 0.0.0.0
     netmask 255.255.255.255
# the virtual interface Snort listens on; "|| true" keeps ifup going if a
# slave is already attached, and "ifenslave -d" releases the slaves on ifdown
iface bond0 inet static
     address 0.0.0.0
     netmask 255.255.255.255
     up /usr/local/bin/ifenslave bond0 eth1 || true
     up /usr/local/bin/ifenslave bond0 eth2 || true
     down /usr/local/bin/ifenslave -d bond0 eth1 || true
     down /usr/local/bin/ifenslave -d bond0 eth2 || true

#end /etc/network/interfaces

Now start snort listening on the bond0 interface:
snort -c /usr/local/etc/snort/snort.conf -i bond0

That's it!

P.S. I have written a document and presentation about Snort in a high-speed
environment, fitting into two switch-router pairs. Snort is linked against a
modified pcap to gain higher processing speed and cooperates with Barnyard. At
the moment it is only available in German... if somebody is interested I can
mail it personally.

cu
Holger


"Vladislav V. Myasnyankin" <mvv () kazna ru>
14.10.2004 06:17
To:       honeypots () securityfocus com
Cc:       (Bcc: Holger Wöhle/PSD/Eschborn/Arcor)
Subject:  reassemble data from TAP

Hello,

I want to use Snort (on a Linux box) to analyze the network flow to/from the
honeynet. But I have some restrictions; in particular, I can only use a Single
TAP (http://www.securicore.ca/critical_taps/singletap/) to connect sensors. This
means that I need 2 NICs to receive the full stream (one for the Rx pair, one
for the Tx pair). I am not sure if Snort will work well in these conditions,
because each sensor can analyze only half of the stream.
Is there any software solution for Linux to "restore" the full stream, direct
it to some pseudo-NIC, then "connect" Snort to this pseudo-NIC?

Thanks in advance!

--
regards,
Vladislav V. Myasnyankin
Chief Information Security Officer
Bank "Severnaya Kazna".
www.kazna.ru / www.internetbank.ru
mvv at kazna.ru
phone (343) 359-27-32, 059
     fax (343) 359-27-34
Personal homepage --> http://cybervlad.net

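As an added example that is not part of the original thread: the bonding set-up Holger describes, written as a shell script together with the check a practitioner would want afterwards, namely that both TAP legs really are enslaved and up and that the bond is in a mode that delivers frames received on every slave (active-backup forwards only the active slave's frames and would silently drop one direction of the tapped link). The interface names bond0, eth1 and eth2 and the snort.conf path are taken from the thread; the /proc/net/bonding status text is a constructed sample in the layout the bonding driver prints, and the setup commands assume a kernel with the bonding module plus iproute2 and ifenslave installed.

```shell
#!/bin/sh
# Added example, not code from the thread: bring up a Linux bond from the two
# legs of a single-direction TAP and check that it really carries both halves.
# bond0/eth1/eth2 and the snort.conf path are assumptions taken from the thread.

BOND="${BOND:-bond0}"
RX_LEG="${RX_LEG:-eth1}"   # TAP leg carrying one direction of the tapped link
TX_LEG="${TX_LEG:-eth2}"   # TAP leg carrying the other direction
SNORT_CONF="${SNORT_CONF:-/usr/local/etc/snort/snort.conf}"

# setup_bond: needs root. balance-rr (mode 0) is requested explicitly because
# active-backup (mode 1) delivers frames only from the active slave and would
# silently drop one direction. The mode= parameter only takes effect when the
# module is loaded here; if bonding is already loaded, set the mode through
# /sys/class/net/$BOND/bonding/mode (bond down, no slaves) instead.
setup_bond() {
    modprobe bonding mode=balance-rr miimon=100   # creates bond0 by default
    ip link set "$RX_LEG" down                     # slaves must be down to enslave
    ip link set "$TX_LEG" down
    ip link set "$BOND" up
    ifenslave "$BOND" "$RX_LEG" "$TX_LEG"
    ip link set "$BOND" promisc on                 # sniff-only, no address needed
}

# bond_mode FILE: print the mode line of a /proc/net/bonding/<bond> file.
bond_mode() {
    sed -n 's/^Bonding Mode: //p' "$1"
}

# slave_up FILE IFACE: succeed only if IFACE appears as a slave whose own
# "MII Status" line (the first one after its "Slave Interface" line) says up.
slave_up() {
    awk -v want="$2" '
        /^Slave Interface:/ { cur = $3 }
        /^MII Status:/ && cur == want { found = ($3 == "up"); cur = "" }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# check_bond FILE RX TX: succeed only if the mode forwards frames from every
# slave (anything but active-backup) and both legs are enslaved and up.
check_bond() {
    _f="$1"; _rx="$2"; _tx="$3"
    case "$(bond_mode "$_f")" in
        "")              echo "$_f: no bonding mode found" >&2; return 1 ;;
        *active-backup*) echo "$_f: active-backup would drop one direction" >&2; return 1 ;;
    esac
    slave_up "$_f" "$_rx" || { echo "$_f: $_rx not enslaved or down" >&2; return 1; }
    slave_up "$_f" "$_tx" || { echo "$_f: $_tx not enslaved or down" >&2; return 1; }
}

# sample_status MODE ETH2_STATUS: constructed /proc/net/bonding-style text in
# the layout the driver prints, used for the offline self-check below.
sample_status() {
    cat <<EOF
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: $1
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: eth1
MII Status: up
Speed: 1000 Mbps
Link Failure Count: 0

Slave Interface: eth2
MII Status: $2
Speed: 1000 Mbps
Link Failure Count: 0
EOF
}

# self_check: run check_bond over the constructed samples; succeeds when the
# good sample passes and the two broken ones (one leg down, wrong mode) fail.
self_check() {
    _d=$(mktemp -d)
    sample_status "load balancing (round-robin)" up    > "$_d/good"
    sample_status "load balancing (round-robin)" down  > "$_d/leg_down"
    sample_status "fault-tolerance (active-backup)" up > "$_d/backup"
    check_bond "$_d/good" eth1 eth2 || { rm -rf "$_d"; return 1; }
    check_bond "$_d/leg_down" eth1 eth2 2>/dev/null && { rm -rf "$_d"; return 1; }
    check_bond "$_d/backup" eth1 eth2 2>/dev/null && { rm -rf "$_d"; return 1; }
    rm -rf "$_d"
    return 0
}

if [ "${1:-}" = "setup" ]; then
    setup_bond
    check_bond "/proc/net/bonding/$BOND" "$RX_LEG" "$TX_LEG" || exit 1
    exec snort -c "$SNORT_CONF" -i "$BOND"
else
    self_check && echo "bond status check: OK" || echo "bond status check: FAILED"
fi
```

Run it as root with the argument `setup` to build the bond, verify it and hand over to Snort on bond0; without arguments it only runs the status parser against the constructed samples, which is also the part to reuse from a cron job or monitoring check against the live /proc/net/bonding/bond0 so that a leg dropping out of the bond does not quietly turn the sensor into a half-stream sensor again.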