Hi all, i am trying to configure and install a IDS in my work network. I have never dose this before so i have been having some trouble trying to trouble shoot it to see why i am not getting any alerts. I have built a passive tap as per this diagram.
But i don’t know if i have done something wrong. I connect a pc to one of the host ports and then connected the other to my switch (i though i would test it like this before i fully implement it) i tried to ping the gateway and all went fine. I then connect “TAP A” (1,2) to my IDS everything seemed fine, still able to ping. I then connected “TAP B” (3,6) and then i tried to ping the gateway again and then it was like i had no connection. Have i done something wrong? Or is this normal behaviour ?
When you use that type of Tap, then you'll actually need to have two Nics in the machine that's listening to the network one Nic for transmit and the other for receive.
Your passthru connection should work no matter what is plugged into the taps, but you'll only be able to get traffic on transmit or receive, not both with this design.
You could make a fullduplex tap, just by chaining another Cat5 jack in the middle of your passthru.
It is also very important that you do not have TCP/IP bound to the Nic that is listening in.
I think you got your wiremap wrong, off the top of my head you need to have green and blue or brown , iw ill look up the data later :)
That wiremap looks just like the one that's hosted on Snort's website for making passive taps. If it is then it's exact one that I followed when I made my own that works fine.
Originally Posted by compaq
I must have read the picture wrong, I just don't understand that orange and green , the ones in the centre of 568a or 568b can pass info on, I though you need a send and recive(full duplex), but half duplex might work, if any computers still use that.
I concur with ^^^ -- the diagram is right.
Originally Posted by streaker69
Just as streaker69 says, you need to have two nics for that setup for that design (I would up using some higher end Intel NICs after all was said/done).
Also correct is the passthru functionality: make sure works by plugging in a live connection on one HOST jack and run it to a machine on the other HOST jack.
To further test your wiring, you can also try to test for packet loss with the passthru - if your losing packets when its wired up, you may not have wired it to spec (I had this problem the first time mine was wired up).
Which distro is this running on?
I have 3 nic's in the machine. I use the on-board one to remotely access the machine, and i have added two more Nic's one for TAP A and the other for TAP B... I have rebuilt the tap 3 times, using different wires, and jacks and i keep getting the same thing.
Originally Posted by streaker69
and at the moment i don't even think the cards are enabled. only the one i use to remotely admin the IDS is up...
eth2 Link encap:Ethernet HWaddr 00:08:02:FA:F6:14
inet addr:10.0.0.204 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::208:2ff:fefa:f614/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:34480 errors:0 dropped:0 overruns:0 frame:0
TX packets:7862 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:3379064 (3.2 MiB) TX bytes:6126080 (5.8 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:9 errors:0 dropped:0 overruns:0 frame:0
TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:612 (612.0 b) TX bytes:612 (612.0 b)
snortIDS:~# ping 202.*.*.13
PING 220.127.116.11 (18.104.22.168) 56(84) bytes of data.
--- 22.214.171.124 ping statistics ---
22 packets transmitted, 0 received, 100% packet loss, time 21003ms
any idea whats going on?
I connected a machine to one of the host jacks and connect my switch to the other jack.. and it worked fine... at the moment i am using debian as per this guide http://www.snort.org/docs/setup_guid...nort-howto.pdf i used debian as it is the distro i am most familiar with...
Originally Posted by wyze
Can you post pictures of your constructed tap? I've posted pictures of mine before that correctly followed TIA568B specifications. I'll see if I can find a link to my pictures.
Here's a couple of pics of my tap. I think if you read through this entire thread, you'll get some good pointers on making a tap.
If you notice streaker69's and my final one below (excuse the dust), you'll notice the heatshink, which really does make the diff.