Network Security Focus-IDS

RE: Remote IDS Testing - Config question

Subject: RE: Remote IDS Testing - Config question
Date: 21 Dec 2005 20:15:05 -0000
I have had some luck with getting this 'system' built but have not successfully 
captured fragmented traffic.  I am trying to create a system that fragments any 
traffic passing across a linux machine set up as a router. As a result I have 
created the following network: 

a) Dual NIC system running Knoppix Auditor.
   eth0 connected through hub to router-'internet'(10.x.x.x).
   eth1 (172.16.2.1) connected via x-over to "internal" (172.16.2.2) PC
   Knoppix set up as router to internet.

b) Internal (Client) PC running Windows - or - Linux

c) 3rd machine running Ethereal captures off the eth0 hub.

With no fragmentation involved I can reach the web server on the 'internet' 
side with no problem.  When I run Fragrouter I see the fragments being 
generated in the console window and the client machine experiences a definite 
impact as a result.  However, ethereal captures from the client, the eth1 hub, 
and on the knoppix box itself do not list any IP FRAGMENTS - I see lots of 
retrans and lost packets but nothing that indicates that ethereal was seeing 
fragmented packets.  It 'has' been a while since I had to work at the packet 
level but I thought I remembered ethereal listing such traffic as "IP 
FRAGMENT".  Go ahead and "Learn me" something if I am mistaken please!

The only thing I notice is that when I run "fragrouter -i eth1 -F2" I can see 
the fragmentation listed in console but if I use "fragrouter -i eth0 -F2" 
nothing happens.  I would think that I should want to fragment traffic going 
through eth0 if I want to pick it up off the hub ... I can guess that the 
problem lies in my routing configuration on the knoppix (auditor) machine but 
can't think of what to change to make it work.  Any thoughts?

Hank
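The question hinges on how Ethereal decides to label a packet as an IP fragment, which is simply the RFC 791 test on the IPv4 header: the "More Fragments" flag is set, or the fragment offset is non-zero, or both. The following is an added example (not from Hank's post, and not code from fragrouter or Ethereal) that applies that test to raw IPv4 packet bytes, prints an Ethereal-style summary line per packet, and reassembles any complete fragment train. It is the kind of sanity check worth running over a capture from the eth0 hub before concluding anything about the IDS: if no packet passes this test, the sensor never saw fragments. The sample packets are constructed inline (the 172.16.2.2 address is from the post; 10.0.0.5, the IP IDs and the HTTP payload are made up) so the script runs offline with no capture file.

```python
"""Detect and reassemble IPv4 fragments in raw packet bytes (RFC 791).

Added example, not code from the original post. Sample packets are constructed
inline so the script runs offline without a capture file.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

MF_FLAG = 0x2000        # "More Fragments" bit in the flags/offset field
OFFSET_MASK = 0x1FFF    # 13-bit fragment offset, counted in 8-byte units


@dataclass
class IPv4Packet:
    src: str
    dst: str
    proto: int
    ident: int
    more_fragments: bool
    offset: int          # byte offset of this payload in the original datagram
    payload: bytes

    @property
    def is_fragment(self) -> bool:
        # Ethereal/Wireshark treat a packet as a fragment when MF is set or the
        # offset is non-zero; an ordinary, unfragmented datagram has both clear.
        return self.more_fragments or self.offset != 0


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header; returns 0 for a valid received header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, ident: int,
               more_fragments: bool, offset: int, payload: bytes) -> bytes:
    """Build a 20-byte-header IPv4 packet; used here only to construct sample input."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_frag = (MF_FLAG if more_fragments else 0) | (offset // 8)
    to_addr = lambda a: bytes(int(x) for x in a.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_frag, 64, proto, 0, to_addr(src), to_addr(dst))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> IPv4Packet:
    """Decode the IPv4 header and pull out the fragmentation fields."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len, ident, flags_frag = struct.unpack("!HHH", packet[2:8])
    return IPv4Packet(
        src=".".join(str(b) for b in packet[12:16]),
        dst=".".join(str(b) for b in packet[16:20]),
        proto=packet[9],
        ident=ident,
        more_fragments=bool(flags_frag & MF_FLAG),
        offset=(flags_frag & OFFSET_MASK) * 8,
        payload=packet[ihl:total_len],
    )


def reassemble(packets: List[IPv4Packet]) -> Dict[Tuple[str, str, int, int], bytes]:
    """Reassemble complete fragment trains, keyed by (src, dst, proto, IP ID).

    Trains with a gap or without a final (MF=0) fragment are left out, which is
    what an incomplete train in a capture full of retransmissions looks like.
    """
    trains: Dict[Tuple[str, str, int, int], List[IPv4Packet]] = {}
    for p in packets:
        if p.is_fragment:
            trains.setdefault((p.src, p.dst, p.proto, p.ident), []).append(p)
    complete = {}
    for key, frags in trains.items():
        frags.sort(key=lambda f: f.offset)
        data, expected = b"", 0
        for f in frags:
            if f.offset != expected:
                break            # hole: a fragment is missing
            data += f.payload
            expected += len(f.payload)
        else:
            if not frags[-1].more_fragments:
                complete[key] = data
    return complete


def summarize(raw_packets: List[bytes]) -> List[str]:
    """One line per packet, in the spirit of Ethereal's Info column."""
    lines = []
    for raw in raw_packets:
        p = parse_ipv4(raw)
        if p.is_fragment:
            lines.append(f"{p.src} -> {p.dst} Fragmented IP protocol "
                         f"(proto={p.proto}, off={p.offset}, ID=0x{p.ident:04x}) "
                         f"MF={int(p.more_fragments)}")
        else:
            lines.append(f"{p.src} -> {p.dst} proto={p.proto} len={len(p.payload)}")
    return lines


def count_fragments(raw_packets: List[bytes]) -> int:
    return sum(parse_ipv4(r).is_fragment for r in raw_packets)


# Constructed sample data: one whole datagram plus a 3-fragment train delivered
# out of order (48-byte payload split into 16-byte pieces at offsets 0, 16, 32).
ORIGINAL_PAYLOAD = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"


def sample_capture() -> List[bytes]:
    whole = build_ipv4("172.16.2.2", "10.0.0.5", 6, 0x1111, False, 0, b"ACK")
    frags = []
    for off in range(0, len(ORIGINAL_PAYLOAD), 16):
        chunk = ORIGINAL_PAYLOAD[off:off + 16]
        mf = off + 16 < len(ORIGINAL_PAYLOAD)
        frags.append(build_ipv4("172.16.2.2", "10.0.0.5", 6, 0x2222, mf, off, chunk))
    return [whole, frags[1], frags[2], frags[0]]


if __name__ == "__main__":
    cap = sample_capture()
    for line in summarize(cap):
        print(line)
    for key, data in reassemble([parse_ipv4(r) for r in cap]).items():
        print("reassembled", key, data)
```

To use it on real traffic, feed `parse_ipv4` the bytes after the Ethernet header of each frame from your capture; `count_fragments` returning zero for the eth0 capture is the objective confirmation that nothing fragmented crossed that interface, independent of how Ethereal chooses to display it.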

