Teaming NICs in FreeBSD

I use the following script to team two NICs in my IDS, running on FreeBSD 5.0. This is a combination of work I found on BSDVault and an email on the Snort-users distro. It’s necessary to note that I did exactly what they said to do at the BSDVault and it didn’t work for me. However, I listed them as a reference because their site did a decent job of laying out the “why’s and wherefore’s.” The Snort-users email actually got me up and running.

My IDS has three NICs: Two plug into the hardware tap and one is for management. The management NIC has an IP and the other two NICs don’t.

Using netgraph, the script puts one NIC into promiscuous mode (or ‘hoe mode’ as I call it) so that it receives all packets, and passes all packets to the other interface (xl0 in my case). I then tell Snort to listen on xl0 and bam, I hear the whole conversation.

The Snort-users email instructs you to listen with two interfaces and pass the packets to a third interface. Personally I don’t see the need, but I could be missing something.

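#!/bin/sh

# Configure NICs as UP and load kernel modules
ifconfig xl0 up
ifconfig xl1 up
kldload /boot/kernel/ng_ether.ko
kldload /boot/kernel/ng_one2many.ko

# Plumb nodes together: create a one2many node on xl0's "lower" hook,
# then attach xl1's "lower" hook to that node's many0 hook
ngctl mkpeer xl0: one2many lower one
ngctl connect xl1: xl0:lower lower many0

# put xl1 in hoe mode (promiscuous) and stop ng_ether from
# overwriting the source MAC address of frames it handles
ngctl msg xl1: setpromisc 1
ngctl msg xl1: setautosrc 0

# Do some Voodoo: xmitAlg=1 is round-robin transmit, failAlg=1 is manual
# link-failure handling, enabledLinks turns on the first two "many" links.
# The quotes must be plain ASCII double quotes or sh will not parse the message.
ngctl msg xl0:lower setconfig "{ xmitAlg=1 failAlg=1 enabledLinks=[ 1 1 ] }"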
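A quick way to confirm the tap-facing NICs ended up in the state described above (up, no IP address, xl1 promiscuous) is to inspect their `ifconfig` output. This is an added example, not part of the original script; the function names and the sample outputs are constructed for illustration.

```sh
#!/bin/sh
# Added example: sanity-check a tap-facing NIC from its `ifconfig <nic>` output.
# On the sensor: check_tap_nic "$(ifconfig xl1)" promisc ; check_tap_nic "$(ifconfig xl0)"

# iface_flags TEXT -> prints the flag list from the "flags=NNNN<...>" header line
iface_flags() {
    printf '%s\n' "$1" | sed -n 's/^[^:]*: flags=[0-9a-f]*<\([^>]*\)>.*/\1/p' | head -n 1
}

# has_flag TEXT FLAG -> succeeds only if FLAG appears as a whole flag name
has_flag() {
    case ",$(iface_flags "$1")," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# has_ip TEXT -> succeeds if any inet or inet6 address is configured
has_ip() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]+inet6? '
}

# check_tap_nic TEXT [promisc] -> prints findings, returns the number of problems
check_tap_nic() {
    problems=0
    has_flag "$1" UP || { echo "FAIL: interface is not UP"; problems=$((problems + 1)); }
    if has_ip "$1"; then
        echo "FAIL: tap-facing NIC has an IP address"; problems=$((problems + 1))
    fi
    if [ "$2" = promisc ] && ! has_flag "$1" PROMISC; then
        echo "FAIL: PROMISC not set (setpromisc did not take effect)"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ] && echo "OK"
    return "$problems"
}

# Constructed sample outputs (not captured from a real host)
SAMPLE_GOOD='xl1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
	ether 00:01:02:aa:bb:02
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active'
SAMPLE_BAD='xl1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
	inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
	ether 00:01:02:aa:bb:02'
```

Pass `promisc` only for the NIC the script sets promiscuous (xl1 here); xl0 is checked for UP and no IP address only.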
