[Dshield] Mangled traffic, the IDS, etc. revisited
smelnick at water.com
Mon Apr 30 16:58:10 GMT 2007
I've seen this happen when you specifically configure the span to SPAN a
VLAN instead of multiple individual ports. Are you using CatOS or IOS?
What type of Switch?
> I have discovered two issues:
> 1. Unidirectional traffic - something like 40% of the connections
> observed by the IDS are completely one-way--so, of the tables the
> uses to maintain state on connections, these are all filling up the
> "opening, not yet established" table. It fills up, no new connections
> be observed, IDS drops packets.
> 2. Hardware dupes - the IDS is hanging off a Cisco SPAN port.
> copies of packets are being sent to the SPAN port *multiple times*.
> wastes cycles and RAM determining what connection dupes belong to.
> If anyone has any tips that can guide my troubleshooting from this
> forward, I would love to hear it.
> I noticed that for the hardware dupes, there is one field that
> the MAC addresses.
> One packet will go from
> 00:06:5b:fd:fd:23 (Dellcomp) -> 00:00:0c:07:ac:01 (All_HSRP_Routers)
> then its copy will go
> 00:0a:8b:ed:ef:fc (Cisco) -> 00:0b:db:a8:0a:b1 (DellESG)
> Sometimes one or both of the MAC addresses will appear multiple times.
> If anyone has any idea why this happens with a Cisco switch, I'm all
> At this point I have enough ammunition to go to the boss and tell him
> "Something is wonky, but the IDS is behaving as it is supposed to."
> next step is to examine the switch and the VLAN setup. Any pointers?
> Thanks in advance,
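As an added example (not part of this thread), a small Python script that applies the two checks the quoted message describes to constructed packet summaries: it groups packets by IP/TCP identity plus IP ID to find copies that differ only in their MAC pair (the hardware-duplicate signature, using the MAC addresses quoted above), and it lists flows the sensor saw in one direction only. The IP addresses, ports and IP IDs are constructed; only the MACs come from the message.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """Minimal per-packet summary, as a sensor or tcpdump -e line would give it."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    ip_id: int


def span_dupes(pkts):
    """Packets whose L3/L4 identity (5-tuple + IP ID) arrived with more
    than one (src MAC, dst MAC) pair: the same packet copied to the SPAN
    port as it crossed different switch/router hops."""
    seen = defaultdict(set)
    for p in pkts:
        seen[(p.src_ip, p.dst_ip, p.sport, p.dport, p.ip_id)].add((p.src_mac, p.dst_mac))
    return {k: macs for k, macs in seen.items() if len(macs) > 1}


def unidirectional_flows(pkts):
    """Flows (endpoint pair, order-independent) seen in only one direction;
    these pile up in the IDS 'opening, not yet established' table."""
    dirs = defaultdict(set)
    for p in pkts:
        a, b = (p.src_ip, p.sport), (p.dst_ip, p.dport)
        dirs[tuple(sorted([a, b]))].add((a, b))
    return [flow for flow, d in dirs.items() if len(d) == 1]


# Constructed sample: one request copied twice with different MAC pairs,
# its reply, and a second flow that is only ever seen outbound.
SAMPLE = [
    Pkt("00:06:5b:fd:fd:23", "00:00:0c:07:ac:01", "10.0.1.20", "192.0.2.10", 40000, 80, 100),
    Pkt("00:0a:8b:ed:ef:fc", "00:0b:db:a8:0a:b1", "10.0.1.20", "192.0.2.10", 40000, 80, 100),
    Pkt("00:0b:db:a8:0a:b1", "00:0a:8b:ed:ef:fc", "192.0.2.10", "10.0.1.20", 80, 40000, 7),
    Pkt("00:06:5b:fd:fd:23", "00:00:0c:07:ac:01", "10.0.1.21", "192.0.2.11", 40001, 443, 200),
]

if __name__ == "__main__":
    print("SPAN duplicates:", span_dupes(SAMPLE))
    print("one-way flows:", unidirectional_flows(SAMPLE))
```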