Cisco SPAN port – Examples and Usages

November 23, 2011 / posted in Cisco / 2 Comments

One of the many useful features that Cisco provides in its switching technology is the Switched Port ANalyzer (SPAN). It allows you to mirror traffic from a target port, set of ports, VLAN or set of VLANs to another port or VLAN. This is useful for several reasons.

First, security. As a SPAN port allows you to view traffic running through your switch, you can monitor said traffic for violations and threats. The classic example is attaching a sniffer/IDS to the span port of the switch closest to your egress point. In the example below, you’ll want to monitor the trunk port (FE0/24) that connects the switch the edge router.

Second, performance monitoring. You can use the span port in conjunction with something like TCPDump or Wireshark to monitor the packets running across the network. You can thereby see if you duplicate or unexpected traffic, errors and other potential issues inside the network. You can also utilize certain software tools which monitor packets and generate traffic/packet statistics (such as NTOP).

Finally, troubleshooting. You can use the SPAN port to troubleshoot network issues. If you’re trying to ensure that multicast traffic traverses your switch, you can monitor the SPAN port with TCPDump/Wireshark to see if the traffic goes through. While you can do the same with debug commands on the routers, sometimes it’s valuable to see the traffic as it comes across the switch directly.

That’s it for a quick intro. I’ll post more example diagrams and the configs later.

Example 1: Basic setup. Monitoring a single port on the same VLAN.
Switch Type: Cisco 3750 running 12.2(35)SE5
Target port: FastEthernet1/0/18
Monitoring Port: FastEthernet1/0/8

Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#monitor session 1 source interface fastethernet1/0/18
Switch(config)#monitor session 1 destination interface fastethernet1/0/8
Switch(config)#end
Switch#show monitor session 1
Session 1
———
Type : Local Session
Source Ports :
Both : Fa1/0/18
Destination Ports : Fa1/0/8
Encapsulation : Native
Ingress : Disabled

Switch#sh int fa1/0/8
FastEthernet1/0/8 is up, line protocol is down (monitoring)
Hardware is Fast Ethernet, address is 001f.6c6b.0f0a (bia 001f.6c6b.0f0a)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, media type is 10/100BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:23, output hang never
Last clearing of “show interface” counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 11000 bits/sec, 5 packets/sec
1210 packets input, 119091 bytes, 0 no buffer
Received 762 broadcasts (0 multicasts)
0 runts, 0 giants, 0 throttles
(SNIP)

To test this, fire up Wireshark on your monitoring computer. You should be able to monitor packets from your target at this point. As you can see in the screenshot below, I pinged 1.2.3.4 and 5.6.7.8; Wireshark picked up these packets (among others) on the monitoring computer.

Remote Code Exploit – Windows 7 *is* vulnerable

November 12, 2011 / posted in Uncategorized / 1 Comment

MS Security Bulletin MS11-083

A remote code execution vulnerability exists in the Windows TCP/IP stack due to the processing of a continuous flow of specially crafted UDP packets. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Bad news.

Stuxnet, v1.5: DuQu

October 25, 2011 / posted in Uncategorized / No Comments

Symantec has a good write-up of some malware which uses the Stuxnet ‘engine’, available here. There’s a more detailed white paper here.

In a nutshell:
– Incorporates the same source code as Stuxnet, but with a different payload
– Could have existed as early as late 2010
– Captures keystrokes and system info, among others
– Mainly targeted at manufacturers of Industrial Control Systems
– Used a stolen valid driver signing cert (which has since been revoked)

Cisco Auto-MDIX feature

October 22, 2011 / posted in Uncategorized / No Comments

One of the nice features Cisco includes in most, if not all, of their switches is auto-MDIX. Auto-MDIX (which stands for automatic medium-dependent interface crossover), allows you to use cross-over cables where you would have to use a straight-through, and vice versa. The switch detects the cable type and reverses its own TX/RX pair to match.

The most common way to enable this feature is found below:

Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# mdix auto
Switch(config-if)# end
Switch#

The switch configuration guides for the three models can be found below.

2940
2970
3750

You can find additional configuration guides here. Pull the guide for your specific switch and IOS version to find the exact command; the auto mdix command appears to be universal for most access switches, however.

Enabling SNMP on a Cisco Router

October 21, 2011 / posted in Uncategorized / No Comments

A great monitoring feature that should be enabled on your Network Infrastructure is SNMP. I use it mainly to pull traffic stats from my interfaces, but you can use it in more advanced cases to send information to your monitoring system when certain events happen.

To enable a simple community and activate the SNMP Server on a Cisco router, enter the following:

Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#sn
Router(config)#snmp-server com
Router(config)#snmp-server community SNMP_RO_COMMUNITY ro
%SNMP-5-WARMSTART: SNMP agent on host Router is undergoing a warm start
Router(config)#exit
Router#

You can then verify that the SNMP server is operational by executing:

Router#sh snmp

If the server is up and responding to SNMP requests, you should see the SNMP Packets Input counter increment at the same rate as your SNMP Packets Output counter.

Sample output from a 3825 and a 7206vxr is below.

3825#sh snmp
Chassis: XXXXXXXXXX
154994 SNMP packets input
0 Bad SNMP version errors
12 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
154002 Number of requested variables
0 Number of altered variables
135469 Get-request PDUs
19513 Get-next PDUs
0 Set-request PDUs
0 Input queue packet drops (Maximum queue size 1000)
154982 SNMP packets output
0 Too big errors (Maximum packet size 1500)
980 No such name errors
0 Bad values errors
0 General errors
154982 Response PDUs
0 Trap PDUs
SNMP Dispatcher:
queue 0/75 (current/max), 0 dropped
SNMP Engine:
queue 0/1000 (current/max), 0 dropped

SNMP logging: disabled
3825#

7206vxr#sh snmp
Chassis: xxxxxxxxxxxxx
10044977 SNMP packets input
0 Bad SNMP version errors
8 Unknown community name
4 Illegal operation for community name supplied
0 Encoding errors
17715858 Number of requested variables
0 Number of altered variables
5504338 Get-request PDUs
4437461 Get-next PDUs
0 Set-request PDUs
10063141 SNMP packets output
0 Too big errors (Maximum packet size 1500)
4 No such name errors
0 Bad values errors
0 General errors
10044969 Response PDUs
18172 Trap PDUs

SNMP logging: enabled
Logging to xxxxxxxx, 0/10, 17954 sent, 218 dropped.

Apache DOS Problem

August 24, 2011 / posted in Uncategorized / No Comments

Awesome new remote DOS against Apache servers floating in the wild.

Full Disclosure Post

This thing is wicked. It exploits a bad handling of the byte-range response in httpd servers, and causes them to hang, requiring intervention to kill and restart the process. Spiderlabs has a more complete write-up.

Spiderlabs Entry

Here’s the Apache advisory:

Advisory CVE-2011-3192

Password Rules

August 15, 2011 / posted in Uncategorized / No Comments

XKCD had a great one the other day about password rules.

IBM Developer Library Pwnage

January 10, 2011 / posted in Hacks / No Comments

Looks like the IBM developer library got cracked earlier today by Hmei7. 

There’s more info on their past works at Zone-H.

The unlearned lesson in the Wikileaks scandal

January 4, 2011 / posted in Wikileaks / No Comments

There’s a major lesson that I haven’t seen anyone talk about.

That is…stop being so damn secretive! I’ve looked over a few of the cables, and have tried to keep up with the news as much as possible. There’s no reason any of the ones I’ve heard about should have been classified. In fact, some of the more scandalous ones we, the public, HAVE to know about.

For example…most people suspected that the ChiCom government was behind the attack on Google. Turns out, there appears to be some hard evidence backing that suspicion. What, we, the People, don’t deserve to know when a foreign government launches an attack (cyber or otherwise) on an American company?

Take the one dealing with the nuclear material in Qadafi’s hands. It appears that Lybia is starting to come around, in some respects. Libia wants our trade money, but is going to dick around with transfering nuclear stockpiles out of the country for some trade concessions?

This is NEWS. This is the precisely the stuff that we, the Citizens, need to know about…not who won Dancing with the Stars, nor that Arnold got a parking ticket.

Take a lesson from the Open Source community. There are some secrets, but the entire foundation is based on openness. I think having the ability to collaborate with people working on similar projects can be an invaluable asset to any technology professional. If you build the technology right, if you design secure systems from the ground up, and if you continually strive to improve them, you have nothing to fear from having your systems exposed.

WordPress FTP not working from the Dashboard

December 31, 2010 / posted in Firewalls, FTP, IPTables, lo, Wordpress / No Comments

I’ve been having an issue, since I installed WordPress, where I wasn’t able to update or install new plugins from the Dashboard. It finally worked after I turned off IPTables.

Obviously…this isn’t a good solution. So after about an hour of research and digging around, I found the problem.

When WordPress tries to initiate the FTP connection, it does NOT do so from the outside. It does so from the INSIDE. More specifically, especially on my server, it used the lo interface.

So I had to add the following to my IPTables script:

$IPT -A INPUT -p tcp -i lo -s [IPADDRESSOFSERVER] –dport 21 -j LOG –log-level 7 –log-prefix “Int lo: ”
$IPT -A INPUT -p tcp -i lo -s [IPADDRESSOFSERVER] –dport 21 -j ACCEPT

Voila, it works perfectly, just as expected.

« Older Posts