On 11/08/2011 01:43 AM, Jonathan Loran wrote:
On Oct 24, 2011, at 10:54 AM, James Carlson wrote:

carlopmart wrote:
On 10/24/2011 07:08 PM, James Carlson wrote:
You didn't say how you're sniffing traffic.  If you mean that you must
use an _external_ network monitoring device to do this, then the
existing built-in mechanism obviously won't be sufficient.  That'd be a
fair reason to add a port mode flag that disables the normal MAC
filtering, though it's a little unclear why an external device would be
required or desired.


Sorry James, for not having explained it properly. But yes, I need to use an
external monitoring device. I use an external server with different
IDS/IPS sensors to process certain types of traffic. For example: there is
one Snort sensor to monitor ftp, smtp, tcp anomalies, etc. Another
Bro-IDS sensor to process ssl traffic. And another Suricata sensor to
process http traffic only. All these three sensors are installed in one
server.

I see.  One solution might be to get those "sensors" to run on the
OpenIndiana system.  Then they could take advantage of the observability
interface to grab the traffic desired.

And it is a lab, not a production system ...

The other solutions I can think of (besides adding this feature to the
existing code or porting the applications) would be intentionally
breaking the bridge_learn() function in bridge.c so that it always
returns without updating the forwarding tables, or, alternatively, using
an external bridge that has this feature.

The latter would be extremely easy, but would cost more money.  The
former is a bit hackish, but should do the job, and would be fairly easy
to do, provided you are able to build kernel modules.


Why not something like this:

mkfifo /tmp/spanout-pipe
tcpdump -i bridgename0 -s0 -w /tmp/spanout-pipe &
cat /tmp/spanout-pipe | ssh ids-system "snort-etc-capture"

You could replace cat | ssh with something spiffier, but perhaps less secure, 
like nc or mbuffer.

Jon

It is not a bad idea, but it requires a watchdog to make sure ssh/nc/whatever is always up ... The best solution is to use daemonlogger ...

Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com
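As an added example, not code from any poster in this thread, here is what the watchdog that CL Martinez says Jon's pipe approach needs could look like: a POSIX sh supervisor that starts the ssh reader before tcpdump (so tcpdump's open of the FIFO does not block forever), restarts the pair with a capped exponential backoff whenever either side dies, and gives up after an optional restart budget. The interface name bridgename0, the host ids-system, the remote command snort-etc-capture and the FIFO path are Jon's placeholders and are assumed here; it keeps ssh (with BatchMode, so it never hangs on a password prompt) rather than nc so the mirrored traffic stays authenticated and encrypted in transit.

```shell
#!/bin/sh
# Supervised span-port forwarder (added example, not from the thread).
# Assumed, overridable via the environment:
BRIDGE_IF="${BRIDGE_IF:-bridgename0}"        # interface to mirror (hypothetical name)
IDS_HOST="${IDS_HOST:-ids-system}"           # remote IDS host (hypothetical name)
REMOTE_CMD="${REMOTE_CMD:-snort-etc-capture}" # remote reader of the pcap stream (hypothetical)
PIPE="${PIPE:-/tmp/spanout-pipe}"            # local FIFO between tcpdump and ssh
MAX_RESTARTS="${MAX_RESTARTS:-0}"            # 0 = restart forever

# Backoff before restart n: min(2^n, 60) seconds, so a dead IDS host
# does not make us hammer it in a tight loop.
backoff_seconds() {
    n=$1
    s=1
    while [ "$n" -gt 0 ]; do
        s=$((s * 2))
        n=$((n - 1))
        if [ "$s" -ge 60 ]; then echo 60; return; fi
    done
    echo "$s"
}

# Return 0 (restart) while the restart budget is not exhausted.
should_restart() {
    attempts=$1
    max=$2
    if [ "$max" -eq 0 ]; then return 0; fi
    [ "$attempts" -lt "$max" ]
}

# One run of the capture pair. Returns the exit status of the ssh side;
# when tcpdump dies first the FIFO delivers EOF to ssh, which then exits too.
run_once() {
    [ -p "$PIPE" ] || mkfifo -m 600 "$PIPE"
    # Reader first: its open() of the FIFO blocks until a writer appears.
    ssh -o BatchMode=yes -o ServerAliveInterval=15 "$IDS_HOST" "$REMOTE_CMD" < "$PIPE" &
    reader=$!
    # -U flushes each packet to the FIFO as it is captured instead of buffering.
    tcpdump -i "$BRIDGE_IF" -s 0 -U -w "$PIPE" &
    writer=$!
    wait "$reader"
    rc=$?
    kill "$writer" 2>/dev/null
    wait "$writer" 2>/dev/null
    return "$rc"
}

# Watchdog loop: keep the pair up, back off between restarts.
supervise() {
    attempts=0
    while :; do
        run_once
        rc=$?
        attempts=$((attempts + 1))
        if ! should_restart "$attempts" "$MAX_RESTARTS"; then
            echo "giving up after $attempts runs (last exit status $rc)" >&2
            return 1
        fi
        delay=$(backoff_seconds "$attempts")
        echo "capture pipeline exited with status $rc; restarting in ${delay}s" >&2
        sleep "$delay"
    done
}

# Only start capturing when invoked explicitly, e.g. from an SMF method or cron.
if [ "${1:-}" = "--run" ]; then
    supervise
fi
```

Run it as root with `./spanout.sh --run`; the defaults reproduce Jon's pipeline, and MAX_RESTARTS=5 turns the endless watchdog into a bounded one for testing the ssh key setup.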

_______________________________________________
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss