[OpenIndiana-discuss] Configuring span ports on oi151

Jonathan Loran jloran at ssl.berkeley.edu
Tue Nov 8 00:43:12 UTC 2011

On Oct 24, 2011, at 10:54 AM, James Carlson wrote:

> carlopmart wrote:
>> On 10/24/2011 07:08 PM, James Carlson wrote:
>>> You didn't say how you're sniffing traffic.  If you mean that you must
>>> use an _external_ network monitoring device to do this, then the
>>> existing built-in mechanism obviously won't be sufficient.  That'd be a
>>> fair reason to add a port mode flag that disables the normal MAC
>>> filtering, though it's a little unclear why an external device would be
>>> required or desired.
>>> 
>> 
>> Sorry James, for not being properly explained. But yes, I need to use an
>> external monitoring device. I use an external server with a different
>> IDS/IPS sensors to process certain type of traffic. For example: exists
>> one Snort sensor to monitor ftp, smtp, tcp anomalies, etc. Another
>> Bro-IDS sensor to process ssl traffic. And another suricata sensor to
>> process http traffic only. All these three sensors are installed in one
>> server.
> 
> I see.  One solution might be to get those "sensors" to run on the
> OpenIndiana system.  Then they could take advantage of the observability
> interface to grab the traffic desired.
> 
>> And it is a lab. not a production system ...
> 
> The other solutions I can think of (besides adding this feature to the
> existing code or porting the applications) would be intentionally
> breaking the bridge_learn() function in bridge.c so that it always
> returns without updating the forwarding tables, or, alternatively, using
> an external bridge that has this feature.
> 
> The latter would be extremely easy, but would cost more money.  The
> former is a bit hackish, but should do the job, and would be fairly easy
> to do, provided you are able to build kernel modules.
> 

Why not something like this:

mkfifo /tmp/spanout-pipe   # named pipe carrying the pcap stream
# -s0: full packets; -U: flush each packet to the pipe as it arrives
tcpdump -i bridgename0 -s0 -U -w /tmp/spanout-pipe &
# hand the stream to the IDS host over an authenticated, encrypted channel
cat /tmp/spanout-pipe | ssh ids-system "snort-etc-capture"

You could replace cat | ssh with something spiffier, but perhaps less secure, like nc or mbuffer.

Jon

-     _____/     _____/      /           - Jonathan Loran -           -
-    /          /           /                IT Officer               -
-  _____  /   _____  /     /     Space Sciences Laboratory, UC Berkeley
-        /          /     /                (510) 643-5146             -
- ______/    ______/    ______/        jloran at ssl.berkeley.edu        -
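
An added example, not code from Jon's message or from OpenIndiana: the same FIFO-based "software span port" as the three-liner above, wrapped so the FIFO is private (mode 0600 in a fresh temp directory, so other local users cannot read the mirrored traffic), is removed on exit, and so either end can be swapped out. The interface name, the IDS host and the remote command (`snort-etc-capture`, reused from the thread) are placeholders supplied through environment variables; `tcpdump -U -w -` is used so packets reach the remote sensor as they arrive rather than in buffered bursts.

```shell
#!/bin/sh
# Added example, not code from the thread: relay a bridge's traffic to a
# remote IDS host through a private FIFO. Interface, host and the IDS-side
# command are placeholders supplied through environment variables.

SPAN_IFACE=${SPAN_IFACE:-}                  # e.g. bridgename0 (placeholder)
IDS_HOST=${IDS_HOST:-ids-system}            # placeholder host name
IDS_CMD=${IDS_CMD:-snort-etc-capture}       # placeholder, as in the thread

# Producer: pcap stream on stdout. -s0 keeps whole packets; -U flushes each
# packet into the pipe as it arrives instead of waiting for tcpdump's buffer.
capture_stream() {
    tcpdump -i "$SPAN_IFACE" -s0 -U -w -
}

# Consumer: pcap stream on stdin, delivered over an authenticated, encrypted
# ssh session rather than a cleartext nc listener.
deliver_stream() {
    ssh "$IDS_HOST" "$IDS_CMD"
}

# Relay: create a 0600 FIFO in a private temp dir, start the consumer, feed it
# from the producer, then tear the FIFO down whatever happened.
span_relay() {
    dir=$(mktemp -d) || return 1
    fifo="$dir/span.fifo"
    if ! mkfifo -m 0600 "$fifo"; then
        rm -rf "$dir"
        return 1
    fi
    # Opening a FIFO for read blocks until a writer appears (and vice versa),
    # so the consumer goes to the background first and the producer's open
    # call releases both ends together.
    deliver_stream < "$fifo" &
    consumer=$!
    capture_stream > "$fifo"
    producer_status=$?
    wait "$consumer"
    consumer_status=$?
    rm -rf "$dir"
    [ "$producer_status" -eq 0 ] && [ "$consumer_status" -eq 0 ]
}

# Only start mirroring when an interface was named, e.g.
#   SPAN_IFACE=bridgename0 IDS_HOST=ids-system sh span_relay.sh
if [ -n "$SPAN_IFACE" ]; then
    span_relay
fi
```

Because the two ends are plain shell functions, `capture_stream` and `deliver_stream` can be redefined to test the relay without a bridge or a remote host; the ssh hop is the part that keeps mirrored packet contents off the wire in cleartext, which is what the `nc` alternative in the message gives up.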



