[Dshield] Mangled traffic, the IDS, etc. revisited

Open Phugu openphugu at gmail.com
Sun Apr 29 23:28:01 GMT 2007

On 4/28/07, Pete Cap <peteoutside at yahoo.com> wrote:
> Folks,
> I have continued working on this "mangled traffic" issue I mentioned on this list previously.
> I have discovered two issues:
> 1. Unidirectional traffic - something like 40% of the connections being observed by the IDS are completely one-way--so, of the tables the system uses to maintain state on connections, these are all filling up the "opening, not yet established" table.  It fills up, no new connections can be observed, IDS drops packets.
> 2. Hardware dupes - the IDS is hanging off a Cisco SPAN port.  Bit-for-bit copies of packets are being sent to the SPAN port *multiple times*.  IDS wastes cycles and RAM determining what connection dupes belong to.
> If anyone has any tips that can guide my troubleshooting from this point forward, I would love to hear it.
I am not an expert with Ciscos, but checking the Cisco's
configuration would be the first step.
If the IDS gets duplicates from the Cisco, it might get somewhat confused.
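Added example (not code from either poster): a small Python script that runs over a constructed packet list and measures the two symptoms Pete describes, the share of one-way flows that would sit in the IDS's "opening, not yet established" table and the number of byte-identical copies a SPAN port can deliver. The sample packets and the `dup_window` threshold are assumptions.

```python
"""Quantify one-way flows and SPAN-style duplicates over a constructed
packet list. Nothing here is captured traffic; SAMPLE is made up."""
from collections import defaultdict

# Constructed sample: (timestamp, src_ip, src_port, dst_ip, dst_port, proto, payload)
SAMPLE = [
    (1.000, "10.0.0.5", 40000, "192.0.2.10", 80, "tcp", b"SYN"),
    (1.000, "10.0.0.5", 40000, "192.0.2.10", 80, "tcp", b"SYN"),   # SPAN copy
    (1.010, "192.0.2.10", 80, "10.0.0.5", 40000, "tcp", b"SYN-ACK"),
    (1.020, "10.0.0.5", 40000, "192.0.2.10", 80, "tcp", b"GET /"),
    (2.000, "10.0.0.6", 40001, "192.0.2.11", 443, "tcp", b"SYN"),  # one-way flow
    (2.000, "10.0.0.6", 40001, "192.0.2.11", 443, "tcp", b"SYN"),  # SPAN copy
    (2.500, "10.0.0.6", 40001, "192.0.2.11", 443, "tcp", b"SYN"),  # retransmit, not a copy
    (3.000, "10.0.0.7", 40002, "192.0.2.12", 22, "tcp", b"SYN"),   # one-way flow
]

def flow_key(pkt):
    """Direction-agnostic 5-tuple so both halves of a conversation match."""
    _, sip, sport, dip, dport, proto, _ = pkt
    a, b = (sip, sport), (dip, dport)
    return (proto,) + (a + b if a <= b else b + a)

def analyze(packets, dup_window=0.001):
    """Return total flows, one-way flows, their fraction, and duplicate count.
    A duplicate is a byte-identical packet (same tuple and payload) seen
    within dup_window seconds of a previous copy (assumed threshold); a
    retransmission spaced further apart is counted as a distinct packet."""
    directions = defaultdict(set)   # flow -> set of sending endpoints
    last_seen = {}                  # packet identity -> last timestamp
    dupes = 0
    for pkt in packets:
        ts, sip, sport, dip, dport, proto, payload = pkt
        ident = (sip, sport, dip, dport, proto, payload)
        prev = last_seen.get(ident)
        if prev is not None and ts - prev <= dup_window:
            dupes += 1
            continue  # a copy must not count toward flow state
        last_seen[ident] = ts
        directions[flow_key(pkt)].add((sip, sport))
    one_way = sum(1 for d in directions.values() if len(d) == 1)
    return {"flows": len(directions), "one_way": one_way,
            "one_way_fraction": one_way / len(directions) if directions else 0.0,
            "duplicates": dupes}

if __name__ == "__main__":
    print(analyze(SAMPLE))
```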

