Honeypots mailing list archives
Re: Antwort: reassemble data from TAP
From: "Vladislav V. Myasnyankin" <mvv () kazna ru>
Date: Fri, 15 Oct 2004 09:33:01 +0600
Holger, thanks for your irrefragable answer! I would also like to thank the other list members for their suggestions, but bonding interfaces is the better solution in my case.

--
regards,
Vladislav V. Myasnyankin
Chief Information Security Officer
Bank "Severnaya Kazna". www.kazna.ru / www.internetbank.ru
mvv at kazna.ru
phone (343) 359-27-32, 059
fax (343) 359-27-34
Personal homepage --> http://cybervlad.net

----- Original Message -----
From: <Holger.Woehle () arcor net>
To: "Vladislav V. Myasnyankin" <mvv () kazna ru>
Cc: <honeypots () securityfocus com>
Sent: Thursday, October 14, 2004 8:45 PM
Subject: Antwort: reassemble data from TAP

Vladislav,

of course you can do it! What you need is the "bonding" device (Etherchannel in the Cisco world) of the Linux kernel. Switch it on either as static or as a module in the kernel config. Then recompile your kernel and build the userland tool "ifenslave" to start up the virtual interface. You can find the C source under the kernel tree at /usr/local/src/linux/Documentation/networking/ifenslave.c . Then you must set up your NICs like this:

#begin /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.168.1.5
    netmask 255.255.255.0
    broadcast 192.168.1.255
    gateway 192.168.1.1

# The two TAP legs and the bond carry no IP address; they only sniff.
auto eth1 eth2 bond0
iface eth1 inet static
    address 0.0.0.0
    netmask 255.255.255.255

iface eth2 inet static
    address 0.0.0.0
    netmask 255.255.255.255

iface bond0 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    up /usr/local/bin/ifenslave bond0 eth1 || true
    up /usr/local/bin/ifenslave bond0 eth2 || true
# release the slaves again when bond0 is taken down (ifenslave -d detaches them)
    down /usr/local/bin/ifenslave -d bond0 eth1 eth2 || true
#end /etc/network/interfaces

Now start snort listening on the bond0 interface:

snort -c /usr/local/etc/snort/snort.conf -i bond0

That's it!

P.S. I have written a document & presentation about snort in a high-speed environment, fitting into two switch-router pairs. Snort is linked against a modified pcap to gain higher processing speed and cooperates with barnyard.
At the moment it is only available in German... if somebody is interested I can personal-mail it.

cu
Holger

"Vladislav V. Myasnyankin" <mvv () kazna ru>
14.10.2004 06:17

To: honeypots () securityfocus com
Cc:
(Bcc: Holger Wöhle/PSD/Eschborn/Arcor)
Subject: reassemble data from TAP
Hello,

I want to use Snort (on a Linux box) to analyze the network flow to/from a honeynet. But I have some restrictions; in particular, I can use only a Single TAP (http://www.securicore.ca/critical_taps/singletap/) to connect sensors. This means that I need 2 NICs to receive the full stream (one for the Rx pair, one for the Tx pair). I am not sure whether Snort will work well in these conditions, because each sensor can analyze only half of the stream. Is there any software solution for Linux to "restore" the full stream, direct it to some pseudo-NIC, then "connect" Snort to this pseudo-NIC?

Thanks in advance!

--
regards,
Vladislav V. Myasnyankin
Chief Information Security Officer
Bank "Severnaya Kazna". www.kazna.ru / www.internetbank.ru
mvv at kazna.ru
phone (343) 359-27-32, 059
fax (343) 359-27-34
Personal homepage --> http://cybervlad.net
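An added example, not code from Holger's or Vladislav's messages, of the same technique in its current iproute2 form (the kernel bonding driver is configured with "ip link ... type bond" instead of the ifenslave tool the thread uses), together with the check a sensor operator wants before starting Snort: that BOTH TAP legs are really enslaved and up. A bond with one leg missing or down delivers exactly the half-stream problem the question is about, and Snort's stream reassembly then silently misses the other direction. The interface names bond0/eth1/eth2, the DRY_RUN switch, and the /proc/net/bonding sample used for testing are assumptions, not anything the thread states.

```shell
#!/bin/sh
# Added example (not from the original thread): enslave the Rx leg (eth1) and
# Tx leg (eth2) of a passive TAP into one sniffing interface bond0 using
# iproute2, then verify from /proc/net/bonding that every leg is up.
# Interface names and the sample /proc text in the test are assumptions.

# Echo instead of executing when DRY_RUN is set, so the command sequence can
# be reviewed (or tested) on a machine without the TAP attached.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_tap_bond BOND SLAVE...
# balance-rr (the driver's default mode 0) is sufficient because the bond
# only ever receives: nothing is transmitted back into a TAP. No IP address
# is assigned, and bond and legs are promiscuous so frames not addressed to
# the sensor reach Snort. Slaves must be down before they can be enslaved.
setup_tap_bond() {
    bond=$1; shift
    run modprobe bonding
    run ip link add name "$bond" type bond mode balance-rr miimon 100
    for slave in "$@"; do
        run ip link set dev "$slave" down
        run ip link set dev "$slave" master "$bond"
        run ip link set dev "$slave" up promisc on
    done
    run ip link set dev "$bond" up promisc on
}

# check_bond_slaves FILE SLAVE...
# FILE is /proc/net/bonding/<bond> (or a saved copy of it). Returns 0 only
# when every named slave has its own "Slave Interface:" stanza reporting
# "MII Status: up"; a leg that is absent or down fails the check.
check_bond_slaves() {
    file=$1; shift
    for slave in "$@"; do
        status=$(awk -v s="$slave" '
            $0 == ("Slave Interface: " s) { in_stanza = 1; next }
            in_stanza && /^Slave Interface:/ { in_stanza = 0 }
            in_stanza && /^MII Status:/      { print $3; exit }
        ' "$file")
        if [ "$status" != "up" ]; then
            echo "bond leg $slave is missing or down (status: ${status:-absent})" >&2
            return 1
        fi
    done
    return 0
}

# Stand-alone use on the sensor (needs root):
#   setup_tap_bond bond0 eth1 eth2
#   check_bond_slaves /proc/net/bonding/bond0 eth1 eth2 \
#       && snort -c /usr/local/etc/snort/snort.conf -i bond0
```

The miimon value makes the driver poll link state every 100 ms, so a TAP leg whose link drops later shows up as "MII Status: down" in the same /proc file; re-running check_bond_slaves from a cron job or the Snort start script catches the silent loss of one direction that a single Snort process on bond0 would otherwise never notice.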