[Dshield] Mangled traffic, the IDS, etc. revisited
eslerj at gmail.com
Mon Apr 30 00:07:02 GMT 2007
On 4/28/07, Pete Cap <peteoutside at yahoo.com> wrote:
> I have continued working on this "mangled traffic" issue I mentioned on this list previously.
> I have discovered two issues:
> 1. Unidirectional traffic - something like 40% of the connections being observed by the IDS are completely one-way--so, of the tables the system uses to maintain state on connectoins, these are all filling up the "opening, not yet established" table. It fills up, no new connections can be observed, IDS drops packets.
> 2. Hardware dupes - the IDS is hanging off a Cisco SPAN port. Bit-for-bit copies of packets are being sent to the SPAN port *multiple times*. IDS wastes cycles and RAM determining what connection dupes belong to.
> If anyone has any tips that can guide my troubleshooting from this point forward, I would love to hear it.
> I noticed that for the hardware dupes, there is one field that changes: the MAC addresses.
> One packet will go from
> 00:06:5b:fd:fd:23 (Dellcomp) -> 00:00:0c:07:ac:01 (All_HSRP_Routers)
> then its copy will go
> 00:0a:8b:ed:ef:fc (Cisco) -> 00:0b:db:a8:0a:b1 (DellESG)
> Sometimes one or both of the MAC addresses will appear multiple times.
> If anyone has any idea why this happens with a Cisco switch, I'm all ears.
> At this point I have enough ammunition to go to the boss and tell him "Something is wonky, but the IDS is behaving as it is supposed to." My next step is to examine the switch and the VLAN setup. Any pointers?
> Thanks in advance,
> Ahhh...imagining that irresistible "new car" smell?
> Check outnew cars at Yahoo! Autos.
> SANS 2007 March 29 - April 6 in San Diego, CA offers 52 Courses
> taught by our top rated instructors plus a huge vendor tools expo.
> Register Today! http://www.sans.org/info/2501 (BROCHURECODE: ISC)
ISC Incident Handler
More information about the list