[OpenIndiana-discuss] Configuring span ports on oi151

carlopmart carlopmart at gmail.com
Tue Nov 8 09:23:54 UTC 2011


On 11/08/2011 01:43 AM, Jonathan Loran wrote:
>
> On Oct 24, 2011, at 10:54 AM, James Carlson wrote:
>
>> carlopmart wrote:
>>> On 10/24/2011 07:08 PM, James Carlson wrote:
>>>> You didn't say how you're sniffing traffic.  If you mean that you must
>>>> use an _external_ network monitoring device to do this, then the
>>>> existing built-in mechanism obviously won't be sufficient.  That'd be a
>>>> fair reason to add a port mode flag that disables the normal MAC
>>>> filtering, though it's a little unclear why an external device would be
>>>> required or desired.
>>>>
>>>
>>> Sorry James, for not explaining properly. But yes, I need to use an
>>> external monitoring device. I use an external server with different
>>> IDS/IPS sensors to process certain types of traffic. For example: there is
>>> one Snort sensor to monitor ftp, smtp, tcp anomalies, etc. Another
>>> Bro-IDS sensor to process ssl traffic. And another Suricata sensor to
>>> process http traffic only. All three sensors are installed on one
>>> server.
>>
>> I see.  One solution might be to get those "sensors" to run on the
>> OpenIndiana system.  Then they could take advantage of the observability
>> interface to grab the traffic desired.
>>
>>> And it is a lab, not a production system ...
>>
>> The other solutions I can think of (besides adding this feature to the
>> existing code or porting the applications) would be intentionally
>> breaking the bridge_learn() function in bridge.c so that it always
>> returns without updating the forwarding tables, or, alternatively, using
>> an external bridge that has this feature.
>>
>> The latter would be extremely easy, but would cost more money.  The
>> former is a bit hackish, but should do the job, and would be fairly easy
>> to do, provided you are able to build kernel modules.
>>
>
> Why not something like this:
>
> mkfifo /tmp/spanout-pipe
> tcpdump -i bridgename0 -s 0 -w /tmp/spanout-pipe &
> cat /tmp/spanout-pipe | ssh ids-system "snort-etc-capture"
>
> You could replace cat | ssh with something spiffier, but perhaps less secure, like nc or mbuffer.
>
> Jon

It is not a bad idea, but it requires a watchdog to make sure
ssh/nc/or whatever is always up ... The best solution is to use daemonlogger ...

Thanks.

-- 
CL Martinez
carlopmart {at} gmail {d0t} com
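The objection above is that Jon's "tcpdump | ssh" relay dies silently when either end goes away. The script below is an added example, not from the thread, from OpenIndiana, or from daemonlogger, of the watchdog that objection asks for: it runs the capture/sink pipeline and restarts it whenever it exits, giving up only after a run of consecutive quick failures. Every name in it (BRIDGE, IDS_HOST, IDS_CMD, SSH_KEY, MAX_RESTARTS, BACKOFF, STOP_FILE, SPAN_RELAY_MAIN) is this script's own assumption; the sensor-side command is a placeholder because the thread only ever calls it "snort-etc-capture".

```shell
#!/bin/sh
# Added example: a supervised "poor man's span port" relay. Not code from the
# thread or from any OpenIndiana/tcpdump/daemonlogger source. All variable
# names below are assumptions made for this example.

BRIDGE="${BRIDGE:-bridgename0}"              # bridge observability node to sniff
IDS_HOST="${IDS_HOST:-ids-system}"           # sensor box reached over ssh
SSH_KEY="${SSH_KEY:-/root/.ssh/span-relay}"  # dedicated key used only by this relay
# Sensor-side command reading pcap on stdin. The thread just says
# "snort-etc-capture"; this default only spools to a file so the example is
# known to work. Replace it with whatever the sensor actually reads stdin with.
IDS_CMD="${IDS_CMD:-cat > /var/tmp/span-relay.pcap}"
MAX_RESTARTS="${MAX_RESTARTS:-20}"           # consecutive quick failures before giving up
BACKOFF="${BACKOFF:-2}"                      # seconds between restarts
# STOP_FILE (optional): if this path exists after a pipeline exit, stop cleanly.

log() { printf '%s span-relay: %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*" >&2; }

# Producer: tcpdump writing pcap to stdout. "-w -" makes the mkfifo in the
# original unnecessary; "-s 0" keeps whole packets; "-U" flushes each packet
# so the sensor does not wait for tcpdump's output buffer to fill; "-n" avoids
# DNS lookups that would themselves show up on the monitored bridge.
capture_cmd() {
    exec tcpdump -i "$BRIDGE" -s 0 -U -n -w -
}

# Consumer: ssh in BatchMode so a missing key or unknown host key fails at
# once instead of hanging the relay on a prompt, with keepalives so a dead
# peer is noticed in about 45 s rather than never.
sink_cmd() {
    exec ssh -o BatchMode=yes -o ServerAliveInterval=15 -o ServerAliveCountMax=3 \
             -i "$SSH_KEY" "$IDS_HOST" "$IDS_CMD"
}

# relay_once PRODUCER CONSUMER: run one pipeline, return the consumer's status.
# The pipe is what lets the watchdog work: if ssh dies, tcpdump gets SIGPIPE
# on its next write; if tcpdump dies, ssh sees EOF and the remote command
# ends. Either way the pipeline exits and control returns to the caller.
relay_once() {
    "$1" | "$2"
}

# watchdog PRODUCER CONSUMER: restart the pipeline every time it exits.
# Returns 0 when STOP_FILE appears, 1 after MAX_RESTARTS consecutive exits.
# The failure counter resets after a run that lasted longer than 60 s, so a
# relay that dies once a day is restarted forever while a relay that cannot
# even start (bad key, wrong interface) stops spamming after a bounded number
# of attempts.
watchdog() {
    failures=0
    while :; do
        started=$(date +%s)
        relay_once "$1" "$2"
        rc=$?
        if [ -n "${STOP_FILE:-}" ] && [ -e "$STOP_FILE" ]; then
            log "stop requested"
            return 0
        fi
        if [ $(( $(date +%s) - started )) -gt 60 ]; then
            failures=0
        fi
        failures=$((failures + 1))
        log "relay exited with status $rc (failure $failures/$MAX_RESTARTS)"
        if [ "$failures" -ge "$MAX_RESTARTS" ]; then
            log "giving up"
            return 1
        fi
        sleep "$BACKOFF"
    done
}

# Only start sniffing when explicitly asked, so the file can also be sourced.
if [ "${SPAN_RELAY_MAIN:-0}" = 1 ]; then
    watchdog capture_cmd sink_cmd
fi
```

Run it as `SPAN_RELAY_MAIN=1 BRIDGE=bridgename0 IDS_HOST=ids-system sh span-relay.sh`; to stop it, create STOP_FILE and kill the running tcpdump so the current pipeline exits. On the sensor side, the key in SSH_KEY should be pinned to the capture command with a `command="..."` entry in authorized_keys, so a compromised OpenIndiana box cannot use it for anything but feeding the sensor. Swapping ssh for nc, as the quoted message notes, removes that authentication and the stream's integrity protection along with it.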
