[Dshield] Mangled traffic, the IDS, etc. revisited

Scott Melnick smelnick at water.com
Mon Apr 30 16:58:10 GMT 2007


I've seen this happen when you specifically configure the span to SPAN a
VLAN instead of multiple individual ports. Are you using CatOS or IOS?
What type of Switch?


Cheers,

Scott 

 
> I have discovered two issues:
> 1. Unidirectional traffic - something like 40% of the connections
being
> observed by the IDS are completely one-way--so, of the tables the
system
> uses to maintain state on connectoins, these are all filling up the
> "opening, not yet established" table.  It fills up, no new connections
can
> be observed, IDS drops packets.
> 2. Hardware dupes - the IDS is hanging off a Cisco SPAN port.
Bit-for-bit
> copies of packets are being sent to the SPAN port *multiple times*.
IDS
> wastes cycles and RAM determining what connection dupes belong to.
> 
> If anyone has any tips that can guide my troubleshooting from this
point
> forward, I would love to hear it.
> 
> I noticed that for the hardware dupes, there is one field that
changes:
> the MAC addresses.
> One packet will go from
> 00:06:5b:fd:fd:23 (Dellcomp) -> 00:00:0c:07:ac:01 (All_HSRP_Routers)
> then its copy will go
> 00:0a:8b:ed:ef:fc (Cisco) -> 00:0b:db:a8:0a:b1 (DellESG)
> 
> Sometimes one or both of the MAC addresses will appear multiple times.
> 
> If anyone has any idea why this happens with a Cisco switch, I'm all
ears.
> 
> At this point I have enough ammunition to go to the boss and tell him
> "Something is wonky, but the IDS is behaving as it is supposed to."
My
> next step is to examine the switch and the VLAN setup.  Any pointers?
> 
> Thanks in advance,
> 
> Pete
> 
> 
> ---------------------------------
> Ahhh...imagining that irresistible "new car" smell?
>  Check outnew cars at Yahoo! Autos.
> _________________________________________
> 
> SANS 2007 March 29 - April 6 in San Diego, CA offers 52 Courses
> taught by our top rated instructors plus a huge vendor tools expo.
> Register Today! http://www.sans.org/info/2501 (BROCHURECODE: ISC)



More information about the list mailing list