Using Advanced Capture Methods

Previous sections described how various methods of capturing traffic work and how each feature is configured on different models of hardware. This section applies configuration tips from earlier to some common cases of IDS installation and also describes the specifics of using either standalone IDS or Catalyst IDS Modules.

We will assume that IDSMs are installed in slots 5 and 6 of the Catalyst 6000 switch and that the VLANs to be monitored are numbered 100, 200, and so on. With the IDSM we are generally interested in monitoring only Web traffic, using VACLs. External sensors are assumed to be connected to ports 3/1, 3/2, and so on.

Capturing with One Sensor and a Single VLAN

Capturing using one sensor and a single VLAN is the simplest case and should be easy to configure. If you are using an external sensor, simply create a SPAN session, either local or remote, for the VLAN you want to monitor and forward all traffic to the port where the sensor is connected. The same configuration can be used with IDSM, setting port 1 of the IDS module card as the SPAN destination.

On a 2900 series switch there is no VLAN-based SPAN: the port monitor command names each source port individually, and the monitoring port must belong to the same VLAN as the ports it monitors, which is why every port below is placed in VLAN 100 (see Figure 9.10):

Figure 9.10: Cisco 2900 Switch with One VLAN and One Sensor
!
interface FastEthernet3/1
port monitor FastEthernet0/1
port monitor FastEthernet0/2
port monitor FastEthernet0/3
switchport access vlan 100
!
interface FastEthernet0/1
switchport access vlan 100
!
interface FastEthernet0/2
switchport access vlan 100
!
interface FastEthernet0/3
switchport access vlan 100
!

On a Catalyst (with CatOS), similar results can be achieved with just one command:

Switch (enable) set span 100 5/1 rx create

An IOS-based Catalyst requires the following:

Switch(config)# monitor session 1 source vlan 100 rx
Switch(config)# monitor session 1 destination interface Fa5/1

VACL-based capture can be configured as follows. A VACL is a security ACL with an implicit deny at the end, so the two capture entries must be followed by an explicit permit ip any any; otherwise every non-Web frame on the mapped VLAN is dropped rather than simply left uncaptured:

switch>(enable) set security acl ip WEBCAP permit tcp any any eq 80 capture
switch>(enable) set security acl ip WEBCAP permit tcp any eq 80 any capture
switch>(enable) set security acl ip WEBCAP permit ip any any
switch>(enable) commit security acl WEBCAP
switch>(enable) set security acl map WEBCAP 100
switch>(enable) set security acl capture-ports 5/1

VACLs can also be configured on an IOS-based Catalyst switch, as described earlier. It is also worth noting that trunking configuration commands can be used to filter the traffic that reaches the monitoring port of an IDSM. This matters most when several sensors monitor multiple VLANs, because it helps distribute the traffic between them. The monitoring port of an IDSM is a trunk by default. The following commands remove every VLAN except 100 from that trunk:

switch>(enable)clear trunk 5/1 1-1024
switch>(enable)set trunk 5/1 100
switch>(enable)set vlan 100 5/1
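To make the implicit deny concrete, here is a small model of VACL evaluation in Python. It is an added example, not code from the book or from Cisco: ACEs are evaluated top-down, the first match decides, an unmatched frame hits the implicit deny, and only a permit entry carrying the capture flag copies the frame to the capture ports. The Packet and Ace representations and the five sample packets are constructed for the example; `summarize` compares a capture-only ACE list with the same list followed by a permit ip any any pass-through.

```python
"""Model of CatOS VACL evaluation: ordered ACEs, first match wins, implicit
deny at the end, capture flag on permit entries.  Added example, not code
from the book or from Cisco; packet and ACE fields are simplified."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    vlan: int
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches any IP protocol
    sport: Optional[int] = None   # None means "any"
    dport: Optional[int] = None
    capture: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.sport is not None and self.sport != pkt.sport:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, bool]:
    """Return (forwarding decision, captured?) for one packet.  The first
    matching ACE decides; with no match the implicit deny drops the frame
    and nothing is copied to the capture ports."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action, (ace.action == "permit" and ace.capture)
    return "deny", False


# The two WEBCAP capture entries: client->server and server->client HTTP.
WEBCAP_CAPTURE_ONLY = [
    Ace("permit", "tcp", dport=80, capture=True),   # permit tcp any any eq 80 capture
    Ace("permit", "tcp", sport=80, capture=True),   # permit tcp any eq 80 any capture
]
# Same list with the explicit pass-through for all other IP traffic.
WEBCAP_WITH_PASSTHROUGH = WEBCAP_CAPTURE_ONLY + [Ace("permit", "ip")]  # permit ip any any

# Constructed sample traffic on VLAN 100.
SAMPLE = [
    Packet(100, "tcp", sport=40000, dport=80),   # client -> web server
    Packet(100, "tcp", sport=80, dport=40000),   # web server -> client
    Packet(100, "tcp", sport=40001, dport=22),   # ssh
    Packet(100, "udp", sport=5353, dport=53),    # dns
    Packet(100, "icmp"),
]


def summarize(acl: List[Ace]) -> Dict[str, int]:
    """Count how many sample packets are forwarded, dropped and captured."""
    forwarded = dropped = captured = 0
    for pkt in SAMPLE:
        action, cap = evaluate(acl, pkt)
        forwarded += action == "permit"
        dropped += action == "deny"
        captured += cap
    return {"forwarded": forwarded, "dropped": dropped, "captured": captured}


if __name__ == "__main__":
    print("capture entries only:", summarize(WEBCAP_CAPTURE_ONLY))
    print("with permit ip any any:", summarize(WEBCAP_WITH_PASSTHROUGH))
```

Both lists capture exactly the two HTTP packets; the difference is that without the pass-through the SSH, DNS and ICMP packets are dropped on the VLAN, which is a production outage, not a monitoring gap.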

Capturing with One Sensor and Multiple VLANs

A more complex example includes one sensor monitoring several VLANs. This is not possible to configure on low-end switches, so we start with the 4000 series and up.

CatOS (set-based) configuration of SPAN ports, for external sensors or for the IDSM, is straightforward:

Switch (enable) set span 100,200 5/1 rx create

For IOS:

Switch(config)# monitor session 1 source vlan 100,200 rx
Switch(config)# monitor session 1 destination interface Fa5/1

For VACL-based capturing of Web traffic, the only change from the previous example is the list of VLANs the access list is mapped to (the permit ip any any entry is still needed, because of the implicit deny):

switch>(enable) set security acl ip WEBCAP permit tcp any any eq 80 capture
switch>(enable) set security acl ip WEBCAP permit tcp any eq 80 any capture
switch>(enable) set security acl ip WEBCAP permit ip any any
switch>(enable) commit security acl WEBCAP
switch>(enable) set security acl map WEBCAP 100,200
switch>(enable) set security acl capture-ports 5/1

Trunking can be limited using a command set similar to the one before:

switch>(enable)clear trunk 5/1 1-1024
switch>(enable)set trunk 5/1 100,200
switch>(enable)set vlan 100 5/1

However, where only one IDSM is installed there is little point in modifying trunking: its monitoring port receives only the traffic matched by the VACL on the VLANs to which the access list is mapped, so the trunk adds no further selection.

Capturing with Multiple Sensors and Multiple VLANs

The generic case of multiple sensors capturing traffic from a number of VLANs can be very complex depending on the switch infrastructure. The simplest implementation is when there are many 2900-type switches, and sensors are connected to corresponding switches. In reality, this case is just a multiplied "one VLAN, one sensor" case.

Assume now that we have a Catalyst 6000 with two IDSMs installed and we need to capture VLANs 100 and 200 on the module in slot 5, and VLANs 300 and 400 on the module in slot 6. SPAN-based capture is again simpler to configure:

Switch (enable) set span 100,200 5/1 rx create
Switch (enable) set span 300,400 6/1 rx create

Traffic capture using VACLs is more complex to configure here, but it also produces the best results, since only interesting traffic is forwarded to the monitoring ports of the IDSMs:

switch>(enable) set security acl ip WEBCAP permit tcp any any eq 80 capture
switch>(enable) set security acl ip WEBCAP permit tcp any eq 80 any capture
switch>(enable) set security acl ip WEBCAP permit ip any any
switch>(enable) commit security acl WEBCAP
switch>(enable) set security acl map WEBCAP 100,200,300,400
switch>(enable) set security acl capture-ports 5/1,6/1

Now the same IP VACL is applied to VLANs 100, 200, 300, and 400. Remember that a VLAN can carry only one VACL of each type (IP, IPX, MAC), and that every frame matched by a capture entry is copied to all of the configured capture ports, so at this point both IDSMs receive the Web traffic of all four VLANs. To split the traffic between the two modules, we restrict the trunks on their monitoring ports:

switch>(enable)clear trunk 5/1 1-1024
switch>(enable)set trunk 5/1 100,200
switch>(enable)set vlan 100 5/1
switch>(enable)clear trunk 6/1 1-1024
switch>(enable)set trunk 6/1 300,400
switch>(enable)set vlan 300 6/1

Once this is in place, the configuration can be narrowed to the "one VLAN, one sensor" case without touching the VACL at all: simply remove the unwanted VLAN from the corresponding trunk. Thus you can map the VACL to many VLANs in advance and use trunk pruning as a second filter on already-captured traffic before it reaches an IDSM (see Figure 9.11).

Figure 9.11: Traffic Capture, with Trunking as an Additional Filter
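As an added example (not code from the book or from Cisco), the following Python models how captured traffic fans out to the IDSM monitoring ports in the multiple-sensor case above, and why trunk pruning changes nothing in the single-IDSM case: every capture port receives every frame the VACL matches, and the only per-port filter is the allowed-VLAN list of its trunk, which the code derives by replaying clear trunk / set trunk lines in order. The default trunk range 1-1024, the port numbers and the VLAN numbers are taken from this section as assumptions; the "mistyped" command list is constructed to show a slip the check catches, where the second set trunk line still names port 5/1 so one module receives everything and the other nothing.

```python
"""Model of VACL capture fan-out on a Catalyst 6000 with several IDSMs.
Added example, not code from the book or from Cisco.  Assumptions: a trunk
left at its defaults carries VLANs 1-1024 (the range this section clears),
and 'set vlan' (native VLAN) lines do not alter the allowed list."""
from typing import Dict, Iterable, List, Set

ALL_VLANS = frozenset(range(1, 1025))   # assumed default trunk range


def vlan_set(tokens: Iterable[str]) -> Set[int]:
    """Expand CatOS VLAN tokens such as '100' or '300-400' into a set."""
    vlans: Set[int] = set()
    for tok in tokens:
        if "-" in tok:
            lo, hi = tok.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(tok))
    return vlans


def trunk_allowed(lines: List[str]) -> Dict[str, Set[int]]:
    """Replay 'clear trunk <port> <vlans>' / 'set trunk <port> <vlans>' in
    order and return the resulting allowed-VLAN list per port.  Ports never
    named keep the full default range; other command lines are ignored."""
    allowed: Dict[str, Set[int]] = {}
    for line in lines:
        words = line.replace(",", " ").split()
        if len(words) < 4 or words[0] not in ("clear", "set") or words[1] != "trunk":
            continue
        verb, port = words[0], words[2]
        current = allowed.setdefault(port, set(ALL_VLANS))
        if verb == "clear":
            current.difference_update(vlan_set(words[3:]))
        else:
            current.update(vlan_set(words[3:]))
    return allowed


def delivered(vacl_vlans: Set[int], capture_ports: List[str],
              trunk_lines: List[str]) -> Dict[str, Set[int]]:
    """VLANs whose captured traffic reaches each capture port: the VACL
    copies matched frames to every capture port, the trunk then prunes."""
    allowed = trunk_allowed(trunk_lines)
    return {p: set(vacl_vlans) & allowed.get(p, ALL_VLANS) for p in capture_ports}


def check_split(seen: Dict[str, Set[int]], vacl_vlans: Set[int]) -> List[str]:
    """Report VLANs copied to more than one sensor and ports that get nothing."""
    problems: List[str] = []
    for vlan in sorted(vacl_vlans):
        ports = [p for p, v in seen.items() if vlan in v]
        if len(ports) > 1:
            problems.append(f"VLAN {vlan} is copied to {', '.join(ports)}")
        elif not ports:
            problems.append(f"VLAN {vlan} reaches no capture port")
    for port, vlans in seen.items():
        if not vlans:
            problems.append(f"{port} receives nothing: its trunk prunes every captured VLAN")
    return problems


# Scenario data from this section: one IP VACL mapped to four VLANs and
# capture ports on the IDSMs in slots 5 and 6.
VACL_VLANS = {100, 200, 300, 400}
CAPTURE_PORTS = ["5/1", "6/1"]

NO_PRUNING: List[str] = []                  # both trunks left at defaults
SPLIT = [
    "clear trunk 5/1 1-1024", "set trunk 5/1 100,200", "set vlan 100 5/1",
    "clear trunk 6/1 1-1024", "set trunk 6/1 300,400", "set vlan 300 6/1",
]
# Constructed mistake: the second 'set trunk' line still names port 5/1.
MISTYPED = [
    "clear trunk 5/1 1-1024", "set trunk 5/1 100,200",
    "clear trunk 6/1 1-1024", "set trunk 5/1 300,400",
]

if __name__ == "__main__":
    for name, lines in (("no pruning", NO_PRUNING), ("split", SPLIT), ("mistyped", MISTYPED)):
        seen = delivered(VACL_VLANS, CAPTURE_PORTS, lines)
        print(name, {p: sorted(v) for p, v in seen.items()}, check_split(seen, VACL_VLANS))
```

With no pruning both modules see all four VLANs (every VLAN is reported as duplicated); with the split configuration each VLAN reaches exactly one module; with the mistyped list the check reports that 6/1 receives nothing. Running `delivered` with a single capture port and an empty command list shows the single-IDSM case: the port gets exactly the VACL's VLANs, so trunk pruning would be redundant.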