
Thread: Passive tap?

  1. #1 Dissident85 (Member, joined Jun 2008, 127 posts)

    Passive tap?

    Hi all, I am trying to configure and install an IDS in my work network. I have never done this before, so I have been having some trouble troubleshooting it to see why I am not getting any alerts. I have built a passive tap as per this diagram.

    But I don't know if I have done something wrong. I connected a PC to one of the host ports and then connected the other to my switch (I thought I would test it like this before I fully implement it). I tried to ping the gateway and all went fine. I then connected "TAP A" (1,2) to my IDS; everything seemed fine, still able to ping. I then connected "TAP B" (3,6), tried to ping the gateway again, and then it was like I had no connection. Have I done something wrong? Or is this normal behaviour?

  2. #2 streaker69 (Senior Member, joined Jan 2010, 3,535 posts, location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA)

    When you use that type of tap, you'll actually need to have two NICs in the machine that's listening to the network: one NIC for transmit and the other for receive.

    Your passthru connection should work no matter what is plugged into the taps, but you'll only be able to get traffic on transmit or receive, not both, with this design.

    You could make a full-duplex tap just by chaining another Cat5 jack in the middle of your passthru.

    It is also very important that you do not have TCP/IP bound to the NIC that is listening in.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  3. #3 compaq (Good friend of the forums, joined Jun 2008, 425 posts)

    I think you got your wiremap wrong; off the top of my head you need to have green and blue or brown. I will look up the data later.

  4. #4 streaker69 (Senior Member, joined Jan 2010, 3,535 posts, location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA)

    Originally Posted by compaq:
        I think you got your wiremap wrong; off the top of my head you need to have green and blue or brown. I will look up the data later.

    That wiremap looks just like the one that's hosted on Snort's website for making passive taps. If it is, then it's the exact one that I followed when I made my own, which works fine.

  5. #5 compaq (Good friend of the forums, joined Jun 2008, 425 posts)

    I must have read the picture wrong. I just don't understand that orange and green, the ones in the centre of 568A or 568B, can pass info on. I thought you needed a send and receive (full duplex), but half duplex might work, if any computers still use that.

  6. #6 imported_wyze (Jenkem Addict, joined Jul 2007, 1,543 posts)

    Originally Posted by streaker69:
        That wiremap looks just like the one that's hosted on Snort's website for making passive taps. If it is, then it's the exact one that I followed when I made my own, which works fine.

    I concur with ^^^ -- the diagram is right.

    Just as streaker69 says, you need two NICs for that design (I wound up using some higher-end Intel NICs after all was said and done).

    Also correct is the passthru functionality: make sure it works by plugging a live connection into one HOST jack and running it to a machine on the other HOST jack.

    To further test your wiring, you can also test for packet loss with the passthru: if you're losing packets when it's wired up, you may not have wired it to spec (I had this problem the first time mine was wired up).

    Which distro is this running on?
    dd if=/dev/swc666 of=/dev/wyze

  7. #7 Dissident85 (Member, joined Jun 2008, 127 posts)

    Originally Posted by streaker69:
        When you use that type of tap, you'll actually need to have two NICs in the machine that's listening to the network: one NIC for transmit and the other for receive.

        Your passthru connection should work no matter what is plugged into the taps, but you'll only be able to get traffic on transmit or receive, not both, with this design.

        You could make a full-duplex tap just by chaining another Cat5 jack in the middle of your passthru.

        It is also very important that you do not have TCP/IP bound to the NIC that is listening in.

    I have 3 NICs in the machine. I use the on-board one to remotely access the machine, and I have added two more NICs, one for TAP A and the other for TAP B... I have rebuilt the tap 3 times, using different wires and jacks, and I keep getting the same thing.

    And at the moment I don't even think the cards are enabled. Only the one I use to remotely admin the IDS is up...
    Code:
    snortIDS:~# ifconfig
    eth2      Link encap:Ethernet  HWaddr 00:08:02:FA:F6:14
              inet addr:10.0.0.204  Bcast:10.0.0.255  Mask:255.255.255.0
              inet6 addr: fe80::208:2ff:fefa:f614/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:34480 errors:0 dropped:0 overruns:0 frame:0
              TX packets:7862 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:3379064 (3.2 MiB)  TX bytes:6126080 (5.8 MiB)
    
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:9 errors:0 dropped:0 overruns:0 frame:0
              TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:612 (612.0 b)  TX bytes:612 (612.0 b)
    
    snortIDS:~# ping 202.*.*.13
    PING 202.92.98.13 (202.92.98.13) 56(84) bytes of data.
    
    --- 202.92.98.13 ping statistics ---
    22 packets transmitted, 0 received, 100% packet loss, time 21003ms

    Any idea what's going on?
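    Two of the checks raised in this thread, as an added script that is not from the thread, from Snort or from the howto it links: it parses ifconfig output in the legacy layout shown above and reports, for the NICs meant for the TAP A and TAP B monitor jacks, whether each is UP, has no IP address bound (streaker69's "no TCP/IP on the listening NIC" rule) and is actually receiving frames; it also parses a ping summary for the passthru packet-loss test wyze suggests. The capture interface names eth0/eth1, their counters and the states they are shown in are assumptions constructed for the sample; eth2 mirrors the management NIC from the post above.

```python
import re

# Constructed sample in the legacy ifconfig layout used in the thread.
# eth2 mirrors the management NIC above (trimmed); eth0 and eth1 are assumed
# capture NICs on the tap's monitor jacks, each shown in a state a tap build
# must avoid: eth0 is DOWN (no UP flag before MTU), eth1 has an IP bound.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:56
          inet addr:10.0.0.205  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1200 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

eth2      Link encap:Ethernet  HWaddr 00:08:02:FA:F6:14
          inet addr:10.0.0.204  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:34480 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7862 errors:0 dropped:0 overruns:0 carrier:0
"""

# Constructed ping summary in the shape the thread shows. For the passthru
# test it would be captured on the host plugged into one HOST jack, pinging
# something reachable through the switch on the other HOST jack.
SAMPLE_PING = """\
--- 202.92.98.13 ping statistics ---
22 packets transmitted, 0 received, 100% packet loss, time 21003ms
"""


def parse_ifconfig(text):
    """Parse legacy ifconfig output into {name: {up, inet, rx, tx}}."""
    ifaces = {}
    current = None
    for line in text.splitlines():
        if line and not line[0].isspace():
            # A non-indented line starts a new interface stanza.
            current = line.split()[0]
            ifaces[current] = {"up": False, "inet": None, "rx": 0, "tx": 0}
            continue
        if current is None or not line.strip():
            continue
        info = ifaces[current]
        m = re.search(r"inet addr:(\S+)", line)  # does not match "inet6 addr:"
        if m:
            info["inet"] = m.group(1)
        if "MTU:" in line:
            # Flags precede the MTU field; a DOWN interface simply lacks "UP".
            flags = line.split("MTU:")[0].split()
            info["up"] = "UP" in flags
        m = re.search(r"RX packets:(\d+)", line)
        if m:
            info["rx"] = int(m.group(1))
        m = re.search(r"TX packets:(\d+)", line)
        if m:
            info["tx"] = int(m.group(1))
    return ifaces


def check_tap_interfaces(ifaces, capture_nics):
    """Return problems found on the NICs meant for the tap's monitor jacks.

    An empty list means each capture NIC is present, UP, carries no IP
    address (no TCP/IP bound, as the thread advises) and is seeing frames.
    """
    problems = []
    for name in capture_nics:
        info = ifaces.get(name)
        if info is None:
            problems.append(f"{name}: not present in ifconfig output")
            continue
        if not info["up"]:
            problems.append(f"{name}: interface is DOWN; bring it up without an address")
        if info["inet"] is not None:
            problems.append(f"{name}: IP {info['inet']} is bound; a capture NIC should have none")
        if info["up"] and info["rx"] == 0:
            problems.append(f"{name}: zero RX packets; this tap leg is delivering no traffic")
    return problems


def parse_ping_loss(text):
    """Return (sent, received, loss_percent) from a ping statistics summary."""
    m = re.search(r"(\d+) packets transmitted, (\d+) received, (\d+)% packet loss", text)
    if m is None:
        raise ValueError("no ping statistics line found")
    return tuple(int(g) for g in m.groups())


def passthru_ok(ping_text, max_loss_pct=0):
    """True when the passthru ping test lost no more than max_loss_pct."""
    return parse_ping_loss(ping_text)[2] <= max_loss_pct


if __name__ == "__main__":
    ifaces = parse_ifconfig(SAMPLE_IFCONFIG)
    for problem in check_tap_interfaces(ifaces, ["eth0", "eth1"]):
        print("tap NIC:", problem)
    print("passthru ping test passed:", passthru_ok(SAMPLE_PING))
```

    On the sample above the script reports eth0 as DOWN and eth1 as having an address bound, and the ping summary fails the passthru test; on a working build the capture NICs show UP, no inet addr and a growing RX count while the passthru ping reports 0% loss. The same parsing applies unchanged to real `ifconfig` output on a Debian box of that era.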

  8. #8 Dissident85 (Member, joined Jun 2008, 127 posts)

    Originally Posted by wyze:
        I concur with ^^^ -- the diagram is right.

        Just as streaker69 says, you need two NICs for that design (I wound up using some higher-end Intel NICs after all was said and done).

        Also correct is the passthru functionality: make sure it works by plugging a live connection into one HOST jack and running it to a machine on the other HOST jack.

        To further test your wiring, you can also test for packet loss with the passthru: if you're losing packets when it's wired up, you may not have wired it to spec (I had this problem the first time mine was wired up).

        Which distro is this running on?

    I connected a machine to one of the host jacks and connected my switch to the other jack, and it worked fine. At the moment I am using Debian as per this guide http://www.snort.org/docs/setup_guid...nort-howto.pdf; I used Debian as it is the distro I am most familiar with...

  9. #9 streaker69 (Senior Member, joined Jan 2010, 3,535 posts, location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA)

    Can you post pictures of your constructed tap? I've posted pictures of mine before that correctly followed TIA568B specifications. I'll see if I can find a link to my pictures.

    http://forums.remote-exploit.org/sho...sive#post45995

    Here's a couple of pics of my tap. I think if you read through this entire thread, you'll get some good pointers on making a tap.

  10. #10 imported_wyze (Jenkem Addict, joined Jul 2007, 1,543 posts)

    If you look at streaker69's and my final one below (excuse the dust), you'll notice the heatshrink, which really does make the difference.

