IDS mailing list archives

RE: IDS Sensor operation


From: "Joseph Hamm" <jhamm () lancope com>
Date: Wed, 29 Sep 2004 11:40:20 -0400

Vijai,

Two links you should check out from the ISS Knowledgebase:

Why do I have to select an Adapter for Kills?
https://iss.custhelp.com/cgi-bin/iss.cfg/php/enduser/std_adp.php?p_sid=rCTgkImh&p_lva=&p_faqid=1026&p_created=1022780331&p_sp=cF9zcmNoPTEmcF9ncmlkc29ydD0mcF9yb3dfY250PTYmcF9zZWFyY2hfdGV4dD1yc2tpbGwmcF9zZWFyY2hfdHlwZT0zJnBfcHJvZF9sdmwxPX5hbnl_JnBfcHJvZF9sdmwyPX5hbnl_JnBfY2F0X2x2bDE9fmFueX4mcF9zb3J0X2J5PWRmbHQmcF9wYWdlPTE*&p_li=

and 

How does a RealSecure Kill (RSKill) work?
https://iss.custhelp.com/cgi-bin/iss.cfg/php/enduser/std_adp.php?p_sid=rCTgkImh&p_lva=&p_faqid=96&p_created=976872224&p_sp=cF9zcmNoPTEmcF9ncmlkc29ydD0mcF9yb3dfY250PTYmcF9zZWFyY2hfdGV4dD1yc2tpbGwmcF9zZWFyY2hfdHlwZT0zJnBfcHJvZF9sdmwxPX5hbnl_JnBfcHJvZF9sdmwyPX5hbnl_JnBfY2F0X2x2bDE9fmFueX4mcF9zb3J0X2J5PWRmbHQmcF9wYWdlPTE*&p_li=

The funny thing about TCP resets is that sometimes they work and
sometimes they don't (at least in my experience).  With any type of
mitigation response there are pros and cons.  On the upside, you don't
have to reconfigure one of your network devices to kill the connection.
On the downside, they aren't always reliable.  It might be the case that
this is the only option if there is no network device between the two
hosts.  Of course, that is where blocking at the switch port comes
in... which has its own issues ;)

Hope this helps,
Joe

Joe Hamm, CISSP
Security Engineer
Lancope, Inc.
jhamm () lancope com
404.644.7227  (cell)
770.225.6509   (fax)

Lancope - Security through Network Intelligence(tm)
StealthWatch(tm) by Lancope, a next-generation network security
solution, delivers behavior-based intrusion detection, policy
enforcement and insightful network analysis.  Visit www.lancope.com.

Join Lancope for a complimentary Webinar "Exclusive Preview of
StealthWatch System v 4.2" at 11 AM EDT on Wednesday, October 27, 2004.
Register today at
https://lancope.webex.com/lancope/onstage/g.php?d=752017377&t=a.
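Joe's point that resets sometimes work and sometimes don't comes down to the receiver's RST acceptance rule. The Python model below is an added illustration, not code from the post or from ISS: a sensor that can only sniff builds its RST from the last segment it observed, and the receiver applies either the RFC 793 in-window rule or the stricter RFC 5961 exact-match rule. The Segment and Receiver classes and the sample flows are constructed for this example.

```python
"""Model of whether a sensor-generated TCP RST is accepted by its target.

A sensor sniffing on a promiscuous (receive-only) interface cannot transmit
from it, so it derives a RST from the last segment it observed and sends it
via another adapter. The receiver honours the RST only if its sequence
number fits the current window (RFC 793) or equals RCV.NXT exactly
(RFC 5961). Receiver, Segment and the sample flows are constructed here.
"""
from dataclasses import dataclass

MOD = 2 ** 32  # sequence numbers wrap modulo 2^32


@dataclass
class Segment:
    seq: int          # sequence number of the first payload byte
    payload_len: int  # number of payload bytes carried


@dataclass
class Receiver:
    rcv_nxt: int             # next sequence number the receiver expects
    rcv_wnd: int = 65535     # advertised receive window

    def deliver(self, seg: Segment) -> None:
        """Consume an in-order segment; out-of-order data is ignored here."""
        if seg.seq == self.rcv_nxt:
            self.rcv_nxt = (self.rcv_nxt + seg.payload_len) % MOD


def sensor_rst_seq(last_seen: Segment) -> int:
    """Sequence number a passive sensor puts in its RST: end of last segment."""
    return (last_seen.seq + last_seen.payload_len) % MOD


def rst_accepted(rst_seq: int, rx: Receiver, rfc5961: bool) -> bool:
    """RFC 793: accept if RCV.NXT <= SEQ < RCV.NXT + RCV.WND (mod 2^32).
    RFC 5961: accept only on an exact RCV.NXT match; in-window but not
    exact draws a challenge ACK instead of tearing the connection down."""
    if rfc5961:
        return rst_seq == rx.rcv_nxt
    return (rst_seq - rx.rcv_nxt) % MOD < rx.rcv_wnd


def simulate(observed: list, received: list, rfc5961: bool) -> bool:
    """Return True if a RST built from observed[-1] is accepted by a receiver
    that has processed exactly the segments in ``received`` so far."""
    rx = Receiver(rcv_nxt=observed[0].seq)
    for seg in received:
        rx.deliver(seg)
    return rst_accepted(sensor_rst_seq(observed[-1]), rx, rfc5961)
```

Feeding simulate() a segment the sensor saw but the host has not yet received gives a RST that RFC 793 accepts and RFC 5961 rejects; a segment the host received that the sensor missed makes the RST stale under both rules.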

-----Original Message-----
From: Vijai K (Infosec) - CTD, Chennai. [mailto:vijaik () ctd hcltech com] 
Sent: Friday, September 24, 2004 2:36 AM
To: focus-ids () securityfocus com; Srinivasa Rao Addepalli
Subject: IDS Sensor operation 


Hi folks

Basically sensors operate with a promiscuous mode interface for
monitoring data, right?
But there is an option in an IDS to alert the firewall (reconfigure) to
block the intrusion IP, and also to kill the session or connection by the
sensor itself.

This we see in RealSecure Network Sensor 7.0 where there is an option
called RSKILL.

But the question is how is it possible for an interface in promiscuous
mode to act like this since there is no binding on the interface (TCP/IP,
etc.)?

Does it use another NIC which is for management purposes???

Hope you all understand the question



Regds
Vijai.K



DISCLAIMER
This message and any attachment(s) contained here are information that is
confidential, proprietary to HCL Technologies and its customers. Contents
may be privileged or otherwise protected by law. The information is solely
intended for the individual or the entity it is addressed to. If you are
not the intended recipient of this message, you are not authorized to read,
forward, print, retain, copy or disseminate this message or any part of it.
If you have received this e-mail in error, please notify the sender
immediately by return e-mail and delete it from your computer.



--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------



