Re: Capturing NID traffic with CISCO

Craig,

Which version of NFR are you running? We are a very stateful IDS, so you are correct, that it's important for us to see both sides of the traffic. Our NID-315 and 320 series come with multiple sniffing interfaces, which should allow you to configure SPAN ports from both sides, and pump that data directly into the NID, allowing us to re-assemble that traffic correctly.

Attached is a .gif file that diagrams this setup.

Of course, if your A and B side are not near eachother, getting the SPAN'ed data to us might be difficult. :)

If you have any more questions, let me know.

-dave

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

"Craig M. Taylor" wrote:
>
> Folks,

-- 
David W. Goodrum
Senior Systems Engineer
NFR Security
Mobile: 703.731.3765
Office: 240.747.3425