Catch traffic from Lab network
I am doing some testing using the ARP spoofing of the Purple in simple mode. My issue is that, the way this is configured, the Purple does not see the Lab network. Is it possible to connect it in a way that it would monitor traffic on both subnets?
-
Interesting. So you want both your Purple and Gold to see the lab traffic?
I am actually thinking about similar things, but since I haven't set up anything yet, I don't know if it will work. :-)
EDIT: This probably doesn't work for you. In this scheme, even if the traffic technically goes through the Purple, since it doesn't allocate any of the IPs, I am not sure how functional it will be. I am not thinking of using another Firewalla box for this.
-
We anticipate mostly dropping a Purple inline as some of our customers may have a different provider managing their existing Firewall.
But I would love to see if ingesting traffic from multiple networks is feasible. In this case the Purple would just be running ARP spoofing and collecting data into Zeek for another purpose.