Hi,

Just wondering....

Currently i'm redesigning an intrusion det= ection=20 system based on Snort / Linux (in this case Fedora Core 1).
Datastream i= s=20 tapped physically by means of single-mode fiber taps from a dual path link= =20 between router pairs.
By using intel single mode fiber cards and bundlin= g the=20 four tapped streams to one virtual interface with the intel drivers i recre= ate a=20 virtual mirror of the uplinks we are sampling. Works like a charm.
Howev= er,=20 the created datastream is needed for other measurements as well. What I wou= ld=20 like to do is to create a mirror port from the reassembled stream.
Norma= lly=20 you woud have one or more mirror ports on a switch/router but in this case = the=20 stream is only complete on the linux box.....
Also, as it is not a real= =20 stream a 100mb hub cannot be used as fanout (and this only as long as the= =20 aggregated load is below 100MB and is not a pure for ids use)

Looking for a solution to this I dug into = ebtables=20 / bridging and divert mechanisms currently available in the linux=20 kernels.
But I did not find a reference to a real mirror solution. Maybe= I'm=20 looking in the wrong place.
Looking at the functionality I think I need,= it=20 looks like the bridge module is my closest bet.
If the bridge forwards= =20 everything without keeping mac tables or sending/receiving arp messages I'm= in=20 business.....

So, my question:

Is it possible to adapt the bridge code so= it:
-=20 copies all incoming traffic from one interface (in promisc mode) to an othe= r,=20 regardless of mac address etc
- does not do any sending itself (no proxy= arp,=20 arp, broadcasts etc)
- prefferably works one way (a mirror should be rea= d=20 only)?
- This as low as can be in the kernel (so not all the way up to i= p/eb=20 tables or high in userspace)
In fact this looks like the bridge module= =20 without all the more refined stuff (keeping tables, proxying etc)

Example with the envisioned version of bridge module and brctl:

# sniffing / ids on eth1, want to copy all traffic to eth2 for others = to=20 use without needing access to the IDS environment.
# setup bridge
brc= tl=20 addbr <bridgename>
brctl addif eth1
brctl addif eth2
# set b= ridge=20 type to copy thus creating a mirror port
brctl mode <bridgename>= =20 copy
# set the copy direction from eth1 to eth2 (can only be in one=20 direction)
brctl setcopy <bridgename> in eth1
brctl setcopy=20 <bridgename> out eth2
# enjoy...

so:
mode command has options copy or bridge
setcopy out provide = the=20 option to copy several interfaces' incoming data to a single (or even multi= ple?)=20 interfaces.

currently I only see a solution like bridging, ebtables/divert replaci= ng=20 incoming macs with the mac of the sniffer attached to my semi mirror interf= ace,=20 blocking all arp traffic and this only works probably if you know all the m= ac=20 addresses on the link you are sampling (in my case I do because it's the fo= ur=20 mac addresses of the upstream and downstream routers).
Also, possible= =20 trouble comes from :
- I'm not sure that tools like d= ivert=20 etc work on a virutal interface like the one created when you bundle=20 interfaces.
- i/o speed, kernel resources etc
I sa= w=20 that I at least had to hack the divert.o code to remove the check on interf= ace=20 names starting with "eth" as the intel drivers do not allow a virutal inter= face=20 with a name like eth9...

Anyway,

I would appreciate your opinion on this or whether you know someone wo= rking=20 along the same lines...
I myself am not C savvy enough to rewrite the br= idge=20 module without additional input on this idea.

And then again, maybe it already exists.

Regards,

Rein van Koten

The Netherlands.

------=_NextPart_000_000B_01C41293.E7E7FF10--