[Dshield] Mangled traffic, the IDS, etc. revisited

Pete Cap peteoutside at yahoo.com
Sat Apr 28 20:08:56 GMT 2007


I have continued working on this "mangled traffic" issue I mentioned on this list previously.

I have discovered two issues:
1. Unidirectional traffic - something like 40% of the connections being observed by the IDS are completely one-way--so, of the tables the system uses to maintain state on connectoins, these are all filling up the "opening, not yet established" table.  It fills up, no new connections can be observed, IDS drops packets.
2. Hardware dupes - the IDS is hanging off a Cisco SPAN port.  Bit-for-bit copies of packets are being sent to the SPAN port *multiple times*.  IDS wastes cycles and RAM determining what connection dupes belong to.

If anyone has any tips that can guide my troubleshooting from this point forward, I would love to hear it.

I noticed that for the hardware dupes, there is one field that changes: the MAC addresses.
One packet will go from
00:06:5b:fd:fd:23 (Dellcomp) -> 00:00:0c:07:ac:01 (All_HSRP_Routers)
then its copy will go
00:0a:8b:ed:ef:fc (Cisco) -> 00:0b:db:a8:0a:b1 (DellESG)

Sometimes one or both of the MAC addresses will appear multiple times.

If anyone has any idea why this happens with a Cisco switch, I'm all ears.

At this point I have enough ammunition to go to the boss and tell him "Something is wonky, but the IDS is behaving as it is supposed to."  My next step is to examine the switch and the VLAN setup.  Any pointers?

Thanks in advance,


Ahhh...imagining that irresistible "new car" smell?
 Check outnew cars at Yahoo! Autos.

More information about the list mailing list