From: Frank Knobbe (FKnobbeKnobbeITS.com)
Date: Wed Dec 19 2001 - 21:01:42 CST
-----BEGIN PGP SIGNED MESSAGE-----
> -----Original Message-----
> From: Scott C. Kennedy [mailto:scks4r.com]
> Sent: Wednesday, December 19, 2001 1:22 PM
> Just an obvious note... Most (if not all) taps will split off the
> transmit lines of the two machines. So, for a standard two port
> tap, you'll have port A, port B, tap A, tap B. The traffic going
> from A to B shows up on tap A, and the traffic going from B to A
> shows up on tap B.
Does that include Shomiti and TopLayer taps?
> So, if you're doing any protocol analysis, like with an NFR or
> other IDS that needs to follow the state of the connection, you'll
> need to buy a THG device to take those two ports and merge the
> traffic back together.
> you'd just see this..
> Attacker - SYN -> Target port 80
> Attacker - ACK -> Target port 80
> Attacker - HTTP 1.0 GET /etc/passwd -> Target Port 80
One tap I know of does not use only one direction of traffic :) My
favorite tap is a $30 4 port hub and a specially crimped Ethernet
cable that only 'reads' data. Since the hub will pass all traffic on
to the other ports, both directions are received by the IDS.
For example, to tap a connection between a router and a firewall,
plug the router into port 1 of the small hub. Port 2 goes to the
firewall. Port 3 connects with the following cable to the IDS:
  Hub side    IDS side
1 -----\         /-- 1
2 ---\  |        \-- 2
3 ----+-*----------- 3
4 -   |            - 4
5 -   |            - 5
6 ----*------------- 6
7 -                - 7
8 -                - 8
Basically, 1 and 2 on the IDS side are connected, 3 and 6 go
straight through to the Hub. 1 and 2 on the Hub side connect to 3
and 6 respectively. This fakes a link on both ends but only allows
traffic from the Hub to the IDS. It also causes the 'incoming'
traffic to be sent back to the Hub, so this cable only works well on
a real hub. You can use it on a switch but you will get ...err...
interesting results. Since the switch receives the packets back in
the port it sent them out, the MAC table gets confused and after a
short while devices start to drop off the switch. Works like a charm
on a hub though.
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: PGP or S/MIME (X.509) encrypted email preferred.
-----END PGP SIGNATURE-----
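The point Scott raises above, that a split tap delivers each direction on its own port and a stateful IDS needs the two halves merged back together, is easy to see in code. The following is an added example, not part of either mail and not the code of any tap or IDS product: the Pkt record, the constructed TAP_A/TAP_B streams, and the merge_taps/track_connections helpers are all assumptions made up for the illustration (no scapy, no real pcap). Fed only the attacker-to-target half, the tracker never sees the SYN/ACK, stays in SYN_SENT and never inspects the GET; fed the timestamp-merged streams, the handshake completes and the request is inspected.

```python
"""Why a split tap needs its two halves merged before stateful analysis.

Added example, not from the original thread. Packet records and the
handshake tracker are simplified stand-ins (no scapy, no real pcap): a
"stream" here is just a timestamp-ordered list of the packets one tap
port would deliver.
"""
import heapq
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float        # capture timestamp in seconds
    src: str
    dst: str
    sport: int
    dport: int
    flags: str       # TCP flags as letters: S, SA, A, PA
    payload: bytes = b""


# Constructed sample traffic for the exchange quoted in the thread.
# Tap A carries only attacker -> target, tap B only target -> attacker.
TAP_A = [
    Pkt(1.000, "10.0.0.5", "10.0.0.80", 40000, 80, "S"),
    Pkt(1.002, "10.0.0.5", "10.0.0.80", 40000, 80, "A"),
    Pkt(1.003, "10.0.0.5", "10.0.0.80", 40000, 80, "PA",
        b"GET /etc/passwd HTTP/1.0\r\n\r\n"),
]
TAP_B = [
    Pkt(1.001, "10.0.0.80", "10.0.0.5", 80, 40000, "SA"),
    Pkt(1.004, "10.0.0.80", "10.0.0.5", 80, 40000, "PA",
        b"HTTP/1.0 403 Forbidden\r\n\r\n"),
]


def merge_taps(*streams):
    """Interleave several timestamp-ordered streams into one ordered stream.

    This is the job the quoted mail assigns to a separate merging device;
    in software it is a k-way merge on the capture timestamp.
    """
    return list(heapq.merge(*streams, key=lambda p: p.ts))


def flow_key(p):
    """Direction-independent 4-tuple so both halves land on the same flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def inspect(p):
    """Toy content check standing in for an IDS signature."""
    if b"/etc/passwd" in p.payload:
        return ["/etc/passwd requested from %s:%d" % (p.src, p.sport)]
    return []


def track_connections(packets):
    """Minimal TCP three-way-handshake tracker.

    Returns (states, alerts). A flow must reach ESTABLISHED before its
    payload is handed to inspect(), mirroring a stateful IDS that will not
    evaluate data on a connection it never saw complete.
    """
    states, alerts = {}, []
    for p in packets:
        k = flow_key(p)
        s = states.get(k)
        if p.flags == "S" and s is None:
            states[k] = "SYN_SENT"
        elif p.flags == "SA" and s == "SYN_SENT":
            states[k] = "SYN_RECEIVED"
        elif "A" in p.flags and s == "SYN_RECEIVED":
            states[k] = "ESTABLISHED"
        if p.payload and states.get(k) == "ESTABLISHED":
            alerts.extend(inspect(p))
    return states, alerts


if __name__ == "__main__":
    # One tap port alone: the SYN/ACK is never seen, the tracker stays in
    # SYN_SENT and the GET is never inspected.
    print(track_connections(TAP_A))
    # Both halves merged: the handshake completes and the GET is inspected.
    print(track_connections(merge_taps(TAP_A, TAP_B)))
```

The same failure mode applies to any per-direction capture (separate tap ports, or two SPAN sessions written to two files): the fix is to merge on timestamp before handing packets to anything that tracks connection state, and the hub-based tap described in the mail sidesteps the problem because a hub repeats both directions on the monitoring port.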