[Dshield] Mangled traffic, the IDS, etc. revisited

Affeld, James JAffeld at sccd.ctc.edu
Mon Apr 30 17:09:12 GMT 2007


It looks like you are spanning traffic from multiple VLANs on that span port.  If so, you should expect to see inter-VLAN traffic twice.  You observe the traffic leave from the sender, and then you observe the traffic arriving at the destination.  This is confirmed by the MAC address changing to the Cisco device - it's the host that is forwarding traffic to the next hop, so its interface is the one that creates the ethernet frame.

Richard Bejtlich has a post on this topic that may be helpful:

http://taosecurity.blogspot.com/2005/11/why-duplicate-packets-may-appear-on.html



-----Original Message-----
From:	list-bounces at lists.dshield.org on behalf of Pete Cap
Sent:	Sat 4/28/2007 1:08 PM
To:	list at lists.dshield.org
Cc:	
Subject:	[Dshield] Mangled traffic, the IDS, etc. revisited

Folks,

I have continued working on this "mangled traffic" issue I mentioned on this list previously.

I have discovered two issues:
1. Unidirectional traffic - something like 40% of the connections being observed by the IDS are completely one-way--so, of the tables the system uses to maintain state on connections, these are all filling up the "opening, not yet established" table.  It fills up, no new connections can be observed, IDS drops packets.
2. Hardware dupes - the IDS is hanging off a Cisco SPAN port.  Bit-for-bit copies of packets are being sent to the SPAN port *multiple times*.  IDS wastes cycles and RAM determining what connection dupes belong to.

If anyone has any tips that can guide my troubleshooting from this point forward, I would love to hear it.

I noticed that for the hardware dupes, there is one field that changes: the MAC addresses.
One packet will go from
00:06:5b:fd:fd:23 (Dellcomp) -> 00:00:0c:07:ac:01 (All_HSRP_Routers)
then its copy will go
00:0a:8b:ed:ef:fc (Cisco) -> 00:0b:db:a8:0a:b1 (DellESG)

Sometimes one or both of the MAC addresses will appear multiple times.

If anyone has any idea why this happens with a Cisco switch, I'm all ears.

At this point I have enough ammunition to go to the boss and tell him "Something is wonky, but the IDS is behaving as it is supposed to."  My next step is to examine the switch and the VLAN setup.  Any pointers?

Thanks in advance,

Pete
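The two symptoms in Pete's post (SPAN copies that differ only in their Ethernet addresses, and flows seen in one direction only) can both be measured from a capture before anyone touches the switch. The script below is an added example, not code from either message in this thread. It builds a small Ethernet/IPv4/TCP capture inline: the IP addresses and ports are made up, the MAC addresses are the four quoted in the post, and the "routed copy" of each frame rewrites the MACs and decrements the TTL, which is what a router does between VLANs. Duplicates are detected by hashing everything above the Ethernet header with the TTL and IP header checksum masked out, since those are the two header fields a router legitimately changes; one-way flows are then counted over the de-duplicated frames.

```python
"""Spot SPAN-port duplicates and count one-way TCP flows in a frame capture.

Added example, not part of the original mailing-list thread. Frames are
constructed inline (Ethernet/IPv4/TCP, no options, checksums left at zero).
IPs and ports are made up; the MACs are the ones quoted in the post.
"""
import hashlib
import socket
import struct
from collections import Counter, defaultdict

ETH_LEN, IP_LEN, TCP_LEN = 14, 20, 20
SYN, SYN_ACK = 0x02, 0x12

# MAC addresses quoted in the original post
DELL, HSRP = "00:06:5b:fd:fd:23", "00:00:0c:07:ac:01"
CISCO, DELL_ESG = "00:0a:8b:ed:ef:fc", "00:0b:db:a8:0a:b1"


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, ttl=64):
    """Minimal Ethernet/IPv4/TCP frame; checksums are not computed (not needed here)."""
    eth = mac(dst_mac) + mac(src_mac) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_LEN + TCP_LEN, 0x1234, 0x4000,
                     ttl, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp


def routed_copy(frame, src_mac, dst_mac):
    """The second copy the SPAN port delivers after the router forwards the frame:
    both MACs rewritten, TTL decremented by one, IP/TCP content otherwise identical."""
    new_eth = mac(dst_mac) + mac(src_mac) + frame[12:14]
    ip = bytearray(frame[ETH_LEN:ETH_LEN + IP_LEN])
    ip[8] -= 1  # TTL
    return new_eth + bytes(ip) + frame[ETH_LEN + IP_LEN:]


def dedupe_key(frame):
    """Hash everything above Ethernet, masking the fields a router legitimately changes."""
    l3 = bytearray(frame[ETH_LEN:])
    l3[8] = 0              # TTL: decremented at each routed hop
    l3[10:12] = b"\0\0"    # IP header checksum: recomputed after the TTL change
    return hashlib.sha1(bytes(l3)).hexdigest()


def five_tuple(frame):
    ip = frame[ETH_LEN:ETH_LEN + IP_LEN]
    tcp = frame[ETH_LEN + IP_LEN:ETH_LEN + IP_LEN + TCP_LEN]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), sport, dport


def analyze(frames):
    """Count duplicate frames, then count flows seen in only one direction."""
    seen, unique = Counter(), []
    for f in frames:
        k = dedupe_key(f)
        seen[k] += 1
        if seen[k] == 1:
            unique.append(f)
    directions = defaultdict(set)
    for f in unique:
        src, dst, sport, dport = five_tuple(f)
        flow = tuple(sorted([(src, sport), (dst, dport)]))  # direction-independent key
        directions[flow].add((src, sport))
    return {
        "frames": len(frames),
        "unique": len(unique),
        "duplicates": len(frames) - len(unique),
        "flows": len(directions),
        "one_way_flows": sum(1 for d in directions.values() if len(d) == 1),
    }


def sample_capture():
    """Constructed capture: a routed handshake and a routed unanswered SYN, each frame
    seen twice on the SPAN port, plus a same-VLAN handshake seen only once."""
    syn = build_frame(DELL, HSRP, "10.1.1.5", "10.2.2.7", 40000, 80, SYN)
    synack = build_frame(DELL_ESG, CISCO, "10.2.2.7", "10.1.1.5", 80, 40000, SYN_ACK)
    stray = build_frame(DELL, HSRP, "10.1.1.9", "10.2.2.7", 40001, 443, SYN)
    local = build_frame(DELL, DELL_ESG, "10.1.1.5", "10.1.1.20", 40002, 22, SYN)
    local_reply = build_frame(DELL_ESG, DELL, "10.1.1.20", "10.1.1.5", 22, 40002, SYN_ACK)
    return [
        syn, routed_copy(syn, CISCO, DELL_ESG),
        synack, routed_copy(synack, CISCO, DELL),
        stray, routed_copy(stray, CISCO, DELL_ESG),
        local, local_reply,
    ]


if __name__ == "__main__":
    print(analyze(sample_capture()))
```

On the constructed capture this reports 8 frames, 5 unique, 3 duplicates, 3 flows and 1 one-way flow. Against a real capture you would feed `dedupe_key` and `five_tuple` each frame's bytes from a pcap reader; the point to keep is that comparing whole frames (Ethernet header included) will never match the two copies, since the MAC rewrite is exactly what distinguishes them, and that a duplicate ratio close to the inter-VLAN share of the traffic is consistent with the SPAN source covering both sides of the routed hop rather than with an IDS fault.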
