
Thread: Two network questions

  1. #1
    Member imported_anubis2k7's Avatar
    Join Date
    Jun 2006
    Posts
    115

    Default Two network questions

    Two questions:

    1) Given that I am on a switched network, is it possible to configure two computers one as a proxy/nat and the second as proxy/nat client ) such that when others on the network send packets to the client, they will use the client’s IP, however the traffic will go through the proxy first? Do I need to custom config my switch to forward traffic destined for my client’s IP to the proxy for this to work?

    2) For all those running IDS systems, which brand/model/make of network tap do you use/recommend?

    thnx

  2. #2
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Quote Originally Posted by anubis2k7 View Post
    Two questions:

    1) Given that I am on a switched network, is it possible to configure two computers one as a proxy/nat and the second as proxy/nat client ) such that when others on the network send packets to the client, they will use the client’s IP, however the traffic will go through the proxy first? Do I need to custom config my switch to forward traffic destined for my client’s IP to the proxy for this to work?

    2) For all those running IDS systems, which brand/model/make of network tap do you use/recommend?

    thnx
    If you have a decent managed switch, then you should be able to configure Port Mirroring. Doing so you can monitor all traffic from the port you're mirroring. If you're just using dumb switches, then you'll have to find another way.

    As for IDS Taps, there's instructions on making one, I believe right on Snort's website is where I found the instructions on making the one that I'm using. Otherwise, you're gonna have to give up your first born for a commercial one. I think the cheapest I found was $600, and the only reason they're so expensive is because they don't sell many of them.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  3. #3
    Member PeppersGhost's Avatar
    Join Date
    Jan 2008
    Posts
    204

    Default

    Quote Originally Posted by streaker69 View Post
    As for IDS Taps, there's instructions on making one, I believe right on Snort's website is where I found the instructions on making the one that I'm using.
    I have looked at this diagram of which you speak. http://www.snort.org/docs/tap/
    And I must say it is a little lame as far as schematics go. Would you care to expand on your'n a little, maybe a pic? I know, I am an EET so I think I could make it work. However, my time is limited. It reminds me of a port tester in a way only better. In fig 2. there are four connectors, yet if I'm reading this right, 1 and 4 do not connect to 2 and 3? Is this right? These instructions really suck.
    Place the passive Ethernet tap inline between a host machine and the Ethernet switch using the two outside positions labeled "HOST".
    What is this saying? It doesn't match the diagram. I think next time you mention a piece of hardware you need to call the guys at snort ahead of time so they can post good schematics. And then post.
    <EeePc 1000HA BT4/W7 USB boot Alfa500 GPS BlueTooth>

  4. #4
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Quote Originally Posted by PeppersGhost View Post
    I have looked at this diagram of which you speak. http://www.snort.org/docs/tap/
    And I must say it is a little lame as far as schematics go. Would you care to expand on your'n a little, maybe a pic? I know, I am an EET so I think I could make it work. However, my time is limited. It reminds me of a port tester in a way only better. In fig 2. there are four connectors, yet if I'm reading this right, 1 and 4 do not connect to 2 and 3? Is this right? These instructions really suck.

    What is this saying? It doesn't match the diagram. I think next time you mention a piece of hardware you need to call the guys at snort ahead of time so they can post good schematics. And then post.
    Sorry, I cannot speak for the lameness of someone else's work. I followed it, plus I believe I googled for some other examples.

    Here's a couple of links that might help.

    http://forums.remote-exploit.org/sho...sive#post45737

    http://forums.remote-exploit.org/sho...74&postcount=4

    The first link we've discussed passive taps at length, so you should be able to figure something out from there. The second link is how I made mine.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  5. #5
    Member
    Join Date
    Aug 2007
    Posts
    468

    Default

    Peppers,

    The setup is the same as the pre-made ones:

    http://www.blackbox.com/Catalog/Cate...id=151,154,991

    http://www.blackbox.com/files/productdetails/26541.pdf

    Quote Originally Posted by PeppersGhost View Post
    I have looked at this diagram of which you speak. http://www.snort.org/docs/tap/
    And I must say it is a little lame as far as schematics go. Would you care to expand on your'n a little, maybe a pic? I know, I am an EET so I think I could make it work. However, my time is limited. It reminds me of a port tester in a way only better. In fig 2. there are four connectors, yet if I'm reading this right, 1 and 4 do not connect to 2 and 3? Is this right? These instructions really suck.

    What is this saying? It doesn't match the diagram. I think next time you mention a piece of hardware you need to call the guys at snort ahead of time so they can post good schematics. And then post.

  6. #6
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Quote Originally Posted by BOFH139 View Post
    Peppers,

    The setup is the same as the pre-made ones:

    http://www.blackbox.com/Catalog/Cate...id=151,154,991
    ...and it's a bargain at $849.95, buy two they're small.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  7. #7
    Member
    Join Date
    Nov 2007
    Posts
    220

    Default

    Quote Originally Posted by PeppersGhost View Post
    Would you care to expand on your'n a little, maybe a pic? I know, I am an EET so I think I could make it work. However, my time is limited.
    Lol.

    TBH I think it's a good diagram, port 1 and 4 are wired up straight, and four wires make stop offs at extra points on port 2 and 3, simple.

    Question, the tut says 'Keep in mind that when you have a full-duplex Ethernet connection, Tap A will show half-duplex traffic and Tap B will show the remaining traffic', does this mean that you will only hear traffic going one way? or that you will only hear traffic one way at once?
    wtf?

  8. #8
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Quote Originally Posted by Andy90 View Post
    Lol.

    TBH I think it's a good diagram, port 1 and 4 are wired up straight, and four wires make stop offs at extra points on port 2 and 3, simple.

    Question, the tut says 'Keep in mind that when you have a full-duplex Ethernet connection, Tap A will show half-duplex traffic and Tap B will show the remaining traffic', does this mean that you will only hear traffic going one way? or that you will only hear traffic one way at once?
    Correct.........
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  9. #9
    Jenkem Addict imported_wyze's Avatar
    Join Date
    Jul 2007
    Posts
    1,543

    Default

    Quote Originally Posted by PeppersGhost View Post
    I have looked at this diagram of which you speak. http://www.snort.org/docs/tap/
    And I must say it is a little lame as far as schematics go. Would you care to expand on your'n a little, maybe a pic? I know, I am an EET so I think I could make it work. However, my time is limited. It reminds me of a port tester in a way only better. In fig 2. there are four connectors, yet if I'm reading this right, 1 and 4 do not connect to 2 and 3? Is this right? These instructions really suck.

    What is this saying? It doesn't match the diagram. I think next time you mention a piece of hardware you need to call the guys at snort ahead of time so they can post good schematics. And then post.
    Thanks to Streaker and the diagram below, the process is very simple. You need 4 snap-in jacks, some spare ethernet, and some heat shrink. Wire it up as the diagram below shows:

    [wiring diagram image]

    Keep in mind that the wires need to be twisted to a minimum of a half inch as stated by the category 5 standard.

    When all is assembled, you get something looking like this:

    [photo of the assembled tap]

    You need two ethernet nics on the tap machine and they must be bonded (check your distro's documentation on how to do this... for B|T / Slackware / Slax, you need to compile ifenslave first [Google it]).

    Then you must create the bond by issuing the commands, something like:
    Code:
    modprobe bonding
    ifconfig eth0 promisc up
    ifconfig eth1 promisc up
    ifconfig bond0 promisc up
    ifenslave -e bond0 eth0 eth1
    Depending on the cards you have and the distro you're running this on, you may have to put the cards in half-duplex using the proper ifconfig mediaopts if they aren't smart enough to figure out their state.

    Once you configure and bring up the bond interface, ifconfig -a will show a bond0 interface and eth1 and eth2 will be slaves and promisc (bond0 eth0 and eth2 will all show the same mac address as well).

    Plug in the traffic to the 'Traffic In' and route it from 'Traffic Out' to wherever the connection is to be routed to. If the machine, router, switch, etc can communicate normally with the tap in place, then you've wired it successfully (for the most part).

    The final test of its proper wiring comes from plugging in the two remaining tap ports into the bonded ethernet cards and running either a quick:

    Code:
    tcpdump -i bond0
    or a Wireshark capture on the bond0 interface (if you see only half the traffic, i.e. the outgoing only, you may have to switch the tap cables around from one bonded card to the other).

    Reference the man pages for ifenslave for the proper commands / syntax for nic bonding.
    dd if=/dev/swc666 of=/dev/wyze
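The wiring check in the post above (a correctly bonded passive tap shows both directions of every conversation, a mis-cabled one shows only one) can be automated over tcpdump text output. The following is an added example, not code from the thread or from Snort; it assumes `tcpdump -i bond0 -n` style lines and uses constructed sample captures, one healthy and one showing only the client-to-server half.

```python
import re
from collections import defaultdict

# Matches the "src.port > dst.port" part of an IPv4 tcpdump line such as
# "12:00:00.000001 IP 10.0.0.9.51234 > 10.0.0.5.443: Flags [S], ..."
LINE_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def parse_line(line):
    """Return (src_ip, src_port, dst_ip, dst_port), or None for non-IP lines (ARP etc.)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return (m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))

def direction_summary(lines):
    """Map each bidirectional flow key (low endpoint, high endpoint) to [low->high, high->low] packet counts."""
    counts = defaultdict(lambda: [0, 0])
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        src, sport, dst, dport = p
        a, b = (src, sport), (dst, dport)
        if a <= b:
            counts[(a, b)][0] += 1   # packet travelled low -> high endpoint
        else:
            counts[(b, a)][1] += 1   # packet travelled high -> low endpoint
    return dict(counts)

def one_way_flows(lines):
    """Flow keys for which the capture never saw the reverse direction: the tap-cabling symptom from the post."""
    return [k for k, (ab, ba) in direction_summary(lines).items() if ab == 0 or ba == 0]

def tap_looks_complete(lines):
    """True once at least one flow shows packets in both directions through bond0."""
    return any(ab > 0 and ba > 0 for ab, ba in direction_summary(lines).values())

# Constructed sample captures (not real traffic): a full handshake, and the same
# exchange as it looks when only the client-side tap half reaches the capture box.
GOOD_CAPTURE = [
    "12:00:00.000001 IP 10.0.0.9.51234 > 10.0.0.5.443: Flags [S], seq 1, length 0",
    "12:00:00.000120 IP 10.0.0.5.443 > 10.0.0.9.51234: Flags [S.], seq 2, ack 2, length 0",
    "12:00:00.000200 IP 10.0.0.9.51234 > 10.0.0.5.443: Flags [.], ack 3, length 0",
]
HALF_CAPTURE = [
    "12:00:00.000001 IP 10.0.0.9.51234 > 10.0.0.5.443: Flags [S], seq 1, length 0",
    "12:00:00.000200 IP 10.0.0.9.51234 > 10.0.0.5.443: Flags [.], ack 3, length 0",
    "12:00:01.000000 ARP, Request who-has 10.0.0.5 tell 10.0.0.9, length 28",
]
```

Feed it `tcpdump -n -i bond0` output captured while a host behind the tap talks to something; if `tap_looks_complete` stays false, swap the two tap cables between the bonded cards as the post suggests.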

  10. #10
    Member PeppersGhost's Avatar
    Join Date
    Jan 2008
    Posts
    204

    Default

    OK, lesson learned. I should have searched the forum FIRST. It is true the forum probably has the best info on this subject on the web. I will sit in the corner for 7 days.

    Streaker your unit looks really good. You guys blew my mind with this one. I ask for pics and you deliver more than I had expected. Pics and diagrams and more pics. Looks like I’m behind the times, too much work and not enough play. I will try harder to get up to speed. I must say this is without a doubt the best forum I’ve ever seen. Keep up the good work and thx guys.
    <EeePc 1000HA BT4/W7 USB boot Alfa500 GPS BlueTooth>
