[Dshield] Mangled traffic, the IDS, etc. revisited

Andrew Willy andrewwilly at gmail.com
Mon Apr 30 01:20:29 GMT 2007


Is the SPAN port monitoring a trunk or access port?

Andrew

On 4/28/07, Pete Cap <peteoutside at yahoo.com> wrote:
> Folks,
>
> I have continued working on this "mangled traffic" issue I mentioned on this
> list previously.
>
> I have discovered two issues:
> 1. Unidirectional traffic - something like 40% of the connections being
> observed by the IDS are completely one-way--so, of the tables the system
> uses to maintain state on connections, these are all filling up the
> "opening, not yet established" table.  It fills up, no new connections can
> be observed, IDS drops packets.
> 2. Hardware dupes - the IDS is hanging off a Cisco SPAN port.  Bit-for-bit
> copies of packets are being sent to the SPAN port *multiple times*.  IDS
> wastes cycles and RAM determining what connection dupes belong to.
>
> If anyone has any tips that can guide my troubleshooting from this point
> forward, I would love to hear it.
>
> I noticed that for the hardware dupes, there is one field that changes: the
> MAC addresses.
> One packet will go from
> 00:06:5b:fd:fd:23 (Dellcomp) -> 00:00:0c:07:ac:01 (All_HSRP_Routers)
> then its copy will go
> 00:0a:8b:ed:ef:fc (Cisco) -> 00:0b:db:a8:0a:b1 (DellESG)
>
> Sometimes one or both of the MAC addresses will appear multiple times.
>
> If anyone has any idea why this happens with a Cisco switch, I'm all ears.
>
> At this point I have enough ammunition to go to the boss and tell him
> "Something is wonky, but the IDS is behaving as it is supposed to."  My next
> step is to examine the switch and the VLAN setup.  Any pointers?
>
> Thanks in advance,
>
> Pete
>
>
>
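A way to quantify the two symptoms Pete describes, SPAN copies that differ only in their Ethernet header and flows seen in one direction only, as an added example that is not from this thread. The frames, IP addresses and VLAN id are constructed for the example; the MAC pairs are the ones quoted above, and an 802.1Q tag is stripped before comparison because a trunk-port SPAN (Andrew's question) can hand the IDS a tagged copy of an untagged frame.

```python
import struct
from collections import defaultdict

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, vlan=None):
    """Constructed Ethernet/IPv4/TCP frame (no checksums or payload) for this example."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip4 = lambda s: bytes(int(o) for o in s.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                       ip4(src_ip), ip4(dst_ip)) + tcp
    tag = b"" if vlan is None else struct.pack("!HH", 0x8100, vlan)  # 802.1Q tag on a trunk SPAN
    return mac(dst_mac) + mac(src_mac) + tag + b"\x08\x00" + ipv4

def strip_l2(frame):
    """Return (src_mac, dst_mac, L3 bytes); an 802.1Q tag on a SPAN copy is dropped as well."""
    off = 18 if frame[12:14] == b"\x81\x00" else 14
    return frame[6:12].hex(":"), frame[:6].hex(":"), frame[off:]

def five_tuple(l3):
    """(src_ip, sport, dst_ip, dport, proto) from raw IPv4+TCP bytes."""
    ihl = (l3[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", l3[ihl:ihl + 4])
    return (".".join(map(str, l3[12:16])), sport, ".".join(map(str, l3[16:20])), dport, l3[9])

def span_dupes(frames):
    """Frames whose bytes above layer 2 are identical: the SPAN 'hardware dupes' in the thread."""
    seen = defaultdict(list)
    for f in frames:
        src, dst, l3 = strip_l2(f)
        seen[l3].append((src, dst))
    return {five_tuple(l3): macs for l3, macs in seen.items() if len(macs) > 1}

def unidirectional_flows(frames):
    """Flows whose reverse 5-tuple never shows up; these sit in the IDS's not-yet-established table."""
    tuples = {five_tuple(strip_l2(f)[2]) for f in frames}
    return {t for t in tuples if (t[2], t[3], t[0], t[1], t[4]) not in tuples}

# Constructed sample (IPs made up; MAC pairs are the ones quoted in the thread): one SYN seen
# three times with different MAC pairs, one of them VLAN-tagged, plus one SYN that got a SYN-ACK.
SYN, SYNACK = 0x02, 0x12
FRAMES = [
    build_frame("00:06:5b:fd:fd:23", "00:00:0c:07:ac:01", "10.0.1.5", "10.0.2.9", 40000, 80, SYN),
    build_frame("00:0a:8b:ed:ef:fc", "00:0b:db:a8:0a:b1", "10.0.1.5", "10.0.2.9", 40000, 80, SYN),
    build_frame("00:0a:8b:ed:ef:fc", "00:0b:db:a8:0a:b1", "10.0.1.5", "10.0.2.9", 40000, 80, SYN, vlan=20),
    build_frame("00:06:5b:fd:fd:23", "00:00:0c:07:ac:01", "10.0.1.5", "10.0.3.7", 40001, 443, SYN),
    build_frame("00:00:0c:07:ac:01", "00:06:5b:fd:fd:23", "10.0.3.7", "10.0.1.5", 443, 40001, SYNACK),
]

if __name__ == "__main__":
    print(span_dupes(FRAMES))          # one flow, three MAC pairs (two extra copies)
    print(unidirectional_flows(FRAMES))  # the flow that never saw a SYN-ACK
```

On a real capture, replace FRAMES with the raw frame bytes from a pcap reader and compare the extra-copy count against the IDS's drop statistics.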

