Subject: RE: FWD: [snort] need Token Ring help
From: Jerry Shenk (jas@dect.com)
Date: Sun Mar 12 2000 - 15:03:32 CST
- Next message: CyberPsychotic: "Re: FW: [snort] need Token Ring help"
- Previous message: Sten Kalenda: "FW: [snort] need Token Ring help"
- Next in thread: Martin Roesch: "Re: FWD: [snort] need Token Ring help"
- Reply: Martin Roesch: "Re: FWD: [snort] need Token Ring help"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
tcpdump wasn't even decoding the packet...it was worthless. Snort was
actually close. The odd thing about it is that if the traffic has to be put
back on the wire (as it does when the default router sends the packets to
another router (cisco) that is on the same TR), then I can see both sides of
the transmission. I really think it's an upstream/downstream issue. I
tried overriding the MAC address on the Madge Token Ring card in the Linux
box in hopes of inserting into the ring at a different position and thereby
being able to collect the other half of the traffic.
If I had been successful at that test, then I would have stuck a 2nd NIC in
the Linux box and manually overridden the MAC address on the 2nd NIC so that
I could collect traffic inbound to the mainframe on one snort session (snort
-i tr0 ....) and the outbound traffic on the NIC with the manually
administered address (snort -i tr1 ....) but it's not working as I had
hoped. Ya know, the only thing that tells me that I did change the MAC
address was ifconfig....maybe the MAC address on the wire was still the
hardware MAC address. Anyway, the mainframe guy did an inbound traffic dump
on the mainframe and I did a full data dump on the firewall (that was
annoying to wade through...no filtering) and I grabbed what I could with
snort. We found that the TR NIC on the firewall was resetting about every 3
minutes......now I'm trying to figure out why it does that only when the
cisco is on the other side of the firewall.
I'll see if I can find the libpcap site and see if there's anything there
about this issue.
===== Original Message from Sten Kalenda <snort@bofh.kyrnet.kg> at 3/12/00 1:58 pm
>Hi Jerry,
>
>Using TR I also ran into some problems.
>This occurs using any libpcap-based sniffer.
>Using IBM TR NICs, a part of the MAC address was shifted into the IP
>field. The output was not very useful. A long time ago I made some patches
>to libpcap and was able to get the IP address filled correctly.
>Can't find the source code any more :-(
>It should be somewhere on the net.
>
>Try tcpdump on TR.
>Is it working correctly? If not you have the same problem as I had.
>
>ciao,
>Sten Kalenda
>
>-----Original Message-----
>From: bounce+snort@bofh.kyrnet.kg [mailto:bounce+snort@bofh.kyrnet.kg] On
>Behalf Of Martin Roesch
>Sent: Thursday 9 March 2000 22:53
>To: snort@bofh.kyrnet.kg
>Subject: Re: [snort] need Token Ring help
>
>
>Hi Jerry,
> Well, the standard way to debug traffic "viewing" problems is to
>put Snort into straight sniffer mode (./snort -dv) and see if you're
>able to view the traffic you're interested in. If you can't, there
>could be a problem with a) the code b) your hardware c) your network
>configuration on that host. I tend to believe that the code is pretty
>solid (people are using it, no problems), so I'd suspect your
>configuration first.
> As I understand it (and you could write everything I know about
>Token Ring on the head of a pin with a magic marker), some TR cards have
>a tough time with going into promiscuous mode. Any idea if this is the
>case with the NIC you're using?
>
>--
>Martin Roesch <roesch@hiverworld.com>
>Director of Forensic Systems http://www.hiverworld.com
>Hiverworld, Inc. Enterprise Network Security
>Network Forensics, Intrusion Detection and Risk Assessment
Jerry A. Shenk, MCNE (Netware 3, 4 & 5)
Sr. Systems Engineer - Computer Networking Services
D&E Communications, Inc.
jshenk@decommunications.com
1-877-433-8632 Fax via efax: (603) 250-1453
my website: www.dect.com/jas
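Sten's symptom above (part of the MAC address showing up in the IP field) is what a decoder produces when it starts reading the IP packet at the wrong offset inside a Token Ring frame, whose link-layer header is variable in length because of the optional source-routing field (RIF). The Python below is an added example, not code from the thread, from Snort or from libpcap: it builds IEEE 802.5 LLC/SNAP frames from constructed MAC and IP addresses, decodes them at the correct offset (honouring the RII bit that announces a RIF), and then decodes the same bytes at two wrong offsets so the reader can see what a mis-set header length looks like in the output. The thread does not say which offset the IBM driver or the libpcap of the day got wrong; the two mis-decodes are assumptions chosen to illustrate the failure mode, not a reconstruction of Sten's patch.

```python
# Added example (not from the thread, Snort or libpcap): decoding IPv4 carried in
# IEEE 802.5 (Token Ring) LLC/SNAP frames, correctly and at two wrong offsets.
#
# Frame layout (standard 802.5 with LLC/SNAP):
#   AC(1) FC(1) DA(6) SA(6) [RIF 2..18 bytes, present only if SA's RII bit is set]
#   LLC: DSAP(1) SSAP(1) CTRL(1)   SNAP: OUI(3) EtherType(2)   then the IP packet
# All addresses and payload bytes below are constructed sample data.

LLC_SNAP_IPV4 = bytes.fromhex("aaaa03 000000 0800")   # SNAP header announcing IPv4
RII_BIT = 0x80                                        # routing-information indicator in SA[0]


def build_frame(dst_mac: bytes, src_mac: bytes, ip_packet: bytes, rif: bytes = b"") -> bytes:
    """Construct a Token Ring LLC frame; a non-empty RIF sets the RII bit in the source MAC."""
    assert len(dst_mac) == 6 and len(src_mac) == 6
    if rif:
        # low 5 bits of the routing-control field carry the RIF length in bytes
        assert 2 <= len(rif) <= 18 and (rif[0] & 0x1F) == len(rif)
        src_mac = bytes([src_mac[0] | RII_BIT]) + src_mac[1:]
    return bytes([0x10, 0x40]) + dst_mac + src_mac + rif + LLC_SNAP_IPV4 + ip_packet


def link_header_len(frame: bytes) -> int:
    """Offset of the IP packet: AC/FC + DA + SA, plus the RIF if RII is set, plus LLC/SNAP."""
    n = 2 + 6 + 6
    if frame[8] & RII_BIT:
        n += frame[n] & 0x1F
    return n + len(LLC_SNAP_IPV4)


def decode_ipv4_at(frame: bytes, offset: int) -> dict:
    """Read IPv4 version, header length and addresses starting at an arbitrary offset."""
    ip = frame[offset:]
    return {
        "version": ip[0] >> 4,
        "ihl": (ip[0] & 0x0F) * 4,
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
    }


def decode(frame: bytes) -> dict:
    """Correct decode: start the IP packet after the variable-length link header."""
    return decode_ipv4_at(frame, link_header_len(frame))


# --- constructed sample data ---
IP_PACKET = bytes.fromhex(
    "4500001c 00010000 4006 0000"   # v4, IHL 5, total length 28, TTL 64, TCP, checksum 0
    "0a000001"                      # src 10.0.0.1
    "0a000002"                      # dst 10.0.0.2
) + bytes(8)                        # 8 bytes of payload
DST_MAC = bytes.fromhex("400000000001")
SRC_MAC = bytes.fromhex("001122334455")
RIF = bytes.fromhex("0630 0011 0022")  # length 6: routing control + two route descriptors

FRAME_PLAIN = build_frame(DST_MAC, SRC_MAC, IP_PACKET)       # no RIF, 22-byte header
FRAME_RIF = build_frame(DST_MAC, SRC_MAC, IP_PACKET, RIF)    # source-routed, 28-byte header

if __name__ == "__main__":
    print("correct, no RIF  :", decode(FRAME_PLAIN))
    print("correct, with RIF:", decode(FRAME_RIF))
    # Assumed mis-decode 1: treating the frame as raw IP (no link header at all).
    # The "source address" is then the tail of the source MAC plus SNAP bytes.
    print("offset 0, no RIF :", decode_ipv4_at(FRAME_PLAIN, 0))
    # Assumed mis-decode 2: a fixed 22-byte header on a source-routed frame,
    # which lands inside the LLC/SNAP bytes instead of the IP header.
    print("fixed 22, RIF    :", decode_ipv4_at(FRAME_RIF, 22))
```

Running the block prints the same 10.0.0.1 -> 10.0.0.2 pair for both correct decodes, while the raw-IP mis-decode reports a "source" of 68.85.170.170 (0x44 0x55 from the MAC followed by 0xAA 0xAA from SNAP) and the fixed-offset mis-decode reports an impossible IP version of 0. A quick sanity check on a capture from an unfamiliar link type is therefore whether the reported version is 4 and the IHL is at least 20; anything else points at the link-layer offset before it points at the sniffer's higher-level logic.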