Buy a cheap managed switch and set one port up as a monitoring port and dump all your IDS traffic there?
Michael F. DeMan
Director of Technology
OpenAccess Network Services
Bellingham, WA 98225
[EMAIL PROTECTED]
360-647-0785
On Feb 7, 2006, at 7:38 AM, Shawn Saunders wrote:
Hello,

Based on the below configuration, does anyone have an idea of what I might be doing wrong?

The following is a layout of the type of configuration, and I have tried one2many and hub, but was unable to obtain the desired results. Whenever I try to set multiple hooks to the same interface it fails, and trying to bring a group of interfaces to a virtual interface, and then take that virtual interface out multiple different interfaces, seems to fail (I can't even make the connection to the virtual interface go to multiple outs).

I will have 11 interfaces inbound from 11 different networks.
I will have 4 outbound to 4 different IDSs and sensors.

I would like to have 11 interfaces come into a single virtual interface. This way I could run tcpdump and/or snort on the box itself and obtain quick info, and do validation of packet data, between the capture system and the IDS and sensors.

I would like to redirect all the traffic from that one virtual interface to a group of 4 physical interfaces so the sensors can work on it.

Here is a configuration I tried. Any comments or suggestions are appreciated.

This initial script only takes 3 input interfaces into a single virtual interface. This works. Then when I try to take that virtual interface and echo it out multiple interfaces, it fails.
#!/bin/sh
# Initialize and bring up all interfaces
for i in 0 1 2 3 4 5 6 7 8 9 10 11
do /sbin/ifconfig em$i up
done
for g in 0 1
do /sbin/ifconfig bge$g up
done
/sbin/ifconfig fxp0 up
# Load needed kernel modules
/sbin/kldload /boot/kernel/ng_ether.ko
/sbin/kldload /boot/kernel/ng_one2many.ko
/sbin/kldload /boot/kernel/ng_fec.ko
# Create Virtual Interface
/usr/sbin/ngctl mkpeer fec dummy fec
# Bind physical input interfaces to virtual interface
/usr/sbin/ngctl msg fec0: add_iface '"em0"'
/usr/sbin/ngctl msg fec0: add_iface '"em1"'
/usr/sbin/ngctl msg fec0: add_iface '"em2"'
# Set forwarding mode to mac address layer.
/usr/sbin/ngctl msg fec0: set_mode_mac
# Configure the virtual interface to deliver packets out the others
# (this is the part that fails)
/usr/sbin/ngctl mkpeer fec0: one2many upper one
/usr/sbin/ngctl name fec0:upper secur
/usr/sbin/ngctl connect bge0: secur: upper many0
/usr/sbin/ngctl connect bge1: secur: upper many1
/usr/sbin/ngctl msg secur: setconfig "{ xmitAlg=2 failAlg=1 enabledLinks=[ 1 1 ] }"
# Set all interfaces Promisc mode and turn off autosrc routing
for s in 0 1 2 3 4 5 6 7 8 9 10 11
do /usr/sbin/ngctl msg em$s: setpromisc 1
   /usr/sbin/ngctl msg em$s: setautosrc 0
done
for t in 0 1
do /usr/sbin/ngctl msg bge$t: setpromisc 1
   /usr/sbin/ngctl msg bge$t: setautosrc 0
done
#EOF
Before sending 3 pings across em2:

gigihub# netstat -I bge0 ; netstat -I bge1 ; netstat -I fec0 ; netstat -I em2
Name   Mtu   Network        Address            Ipkts Ierrs Opkts Oerrs Coll
bge0   1500                 00:e0:81:32:f4:52      0     0     5     0    0
bge0   1500  fe80:b::2e0:8  fe80:b::2e0:81ff:      0     -     4     -    -
Name   Mtu   Network        Address            Ipkts Ierrs Opkts Oerrs Coll
bge1   1500                 00:e0:81:32:f4:53      0     0     0     0    0
bge1   1500  fe80:c::2e0:8  fe80:c::2e0:81ff:      0     -     4     -    -
Name   Mtu   Network        Address            Ipkts Ierrs Opkts Oerrs Coll
fec0*  1500                 00:04:23:c1:0e:50     11     0     0     0    0
Name   Mtu   Network        Address            Ipkts Ierrs Opkts Oerrs Coll
em2    1500                 00:04:23:c1:0e:50     41     0     5     0    0
em2    1500  fe80:5::204:2  fe80:5::204:23ff:      0     -     4     -    -
After sending 3 pings across em2:

gigihub# netstat -I bge0 ; netstat -I bge1 ; netstat -I fec0 ; netstat -I em2
Name   Mtu   Network        Address            Ipkts Ierrs Opkts Oerrs Coll
bge0   1500                 00:e0:81:32:f4:52      0     0     5     0    0
bge0   1500  fe80:b::2e0:8  fe80:b::2e0:81ff:      0     -     4     -    -
Name   Mtu   Network        Address            Ipkts Ierrs Opkts Oerrs Coll
bge1   1500                 00:e0:81:32:f4:53      0     0     0     0    0
bge1   1500  fe80:c::2e0:8  fe80:c::2e0:81ff:      0     -     4     -    -
Name   Mtu   Network        Address            Ipkts Ierrs Opkts Oerrs Coll
fec0*  1500                 00:04:23:c1:0e:50     15     0     0     0    0
Name   Mtu   Network        Address            Ipkts Ierrs Opkts Oerrs Coll
em2    1500                 00:04:23:c1:0e:50     45     0     5     0    0
em2    1500  fe80:5::204:2  fe80:5::204:23ff:      0     -     4     -    -
Shawn Saunders
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
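The eleven-in, four-out fan-out that the quoted post describes, as an added example that is not the poster's script or FreeBSD project code: it merges the inputs with one ng_one2many node and replicates with a second, leaving ng_fec out of the path, and it leaves the merge node with no enabled links so that nothing a sensor transmits can be forwarded into a monitored network. It assumes FreeBSD with ng_ether and ng_one2many; the node names tapin and tapout and the interface lists are placeholders of my own.

```shell
#!/bin/sh
# Added example (not the poster's script): a one-way netgraph tap that merges
# frames received on the input interfaces and copies each one to every
# sensor-facing output interface, using two ng_one2many nodes and no ng_fec.
# Node names "tapin"/"tapout" are hypothetical; the interface lists are
# constructed placeholders for the 11-in, 4-out layout in the post.
IN_IFS="em0 em1 em2 em3 em4 em5 em6 em7 em8 em9 em10"
OUT_IFS="bge0 bge1 em11 fxp0"

# Print the commands for a tap from $1 (inputs) to $2 (outputs), one per
# line, so the plan can be reviewed before anything is run.
tap_commands() {
    echo "kldstat -q -m ng_ether || kldload ng_ether"
    echo "kldstat -q -m ng_one2many || kldload ng_one2many"
    n=0
    for i in $1; do
        echo "ifconfig $i up"
        # Frames an interface receives leave its ng_ether node on the "lower"
        # hook, so each input feeds one "many" hook of the merge node; frames
        # arriving on a many hook are always forwarded out the "one" hook.
        if [ "$n" -eq 0 ]; then
            echo "ngctl mkpeer $i: one2many lower many0"
            echo "ngctl name $i:lower tapin"
        else
            echo "ngctl connect $i: tapin: lower many$n"
        fi
        echo "ngctl msg $i: setpromisc 1"   # receive frames for any MAC
        n=$((n + 1))
    done
    # The fan-out node hangs off the merge node's "one" hook.
    echo "ngctl mkpeer tapin: one2many one one"
    echo "ngctl name tapin:one tapout"
    m=0; links=""
    for o in $2; do
        echo "ifconfig $o up"
        echo "ngctl connect $o: tapout: lower many$m"
        echo "ngctl msg $o: setautosrc 0"   # keep the original source MACs
        links="$links 1"; m=$((m + 1))
    done
    # xmitAlg=2 is NG_ONE2MANY_XMIT_ALL: every frame goes to all enabled links.
    echo "ngctl msg tapout: setconfig \"{ xmitAlg=2 failAlg=1 enabledLinks=[$links ] }\""
    # Merge node with no enabled links: anything a sensor transmits comes in on
    # a tapout many hook, crosses to tapin's one hook and is dropped there, so
    # nothing from the sensor side is ever sent into a monitored network.
    echo "ngctl msg tapin: setconfig \"{ xmitAlg=1 failAlg=1 enabledLinks=[ 0 ] }\""
}

# ./tap.sh prints the plan; ./tap.sh apply runs it (as root, on FreeBSD).
if [ "${1:-}" = "apply" ]; then tap_commands "$IN_IFS" "$OUT_IFS" | sh -e
else tap_commands "$IN_IFS" "$OUT_IFS"; fi
```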