IDS mailing list archives
RE: IDS Sensor operation
From: "Joshua Berry" <jberry () PENSON COM>
Date: Thu, 30 Sep 2004 14:41:16 -0500
The newer flexresp2 for snort and the reset stuff in SnortInline has the ability to send packets out at layer 2, bypassing the need for an IP address. -----Original Message----- From: Graeme Connell [mailto:gconnell () middlebury edu] Sent: Wednesday, September 29, 2004 8:42 AM To: Vijai K (Infosec) - CTD, Chennai. Cc: focus-ids () securityfocus com; Srinivasa Rao Addepalli Subject: Re: IDS Sensor operation An interface in promiscuous mode can still have an IP address. Just run ifconfig <interface> promisc and, voila! A promiscuous interface. It only means that it registers all packets that hit it. So to answer your question: An IPS can sniff traffic and send configuration information on the same interface. Hope this helps. --Graeme Connell Vijai K (Infosec) - CTD, Chennai. wrote:
Hi folks Basically sensors operates with promiscuous mode interface for
monitoring
data,rite But there is an optionality in an IDS to alert the firewall
(reconfigure)to
block the intrusion IP, and also to kill the session or connectionby
the
sensor itself. this we see in Realsecure Network sensor 7.0 where there is a option
called
RSKILL. But the question is how is it possible for a interface in promiscuous
mode
to act like this since there is no binding in the
interface(TCP/IP,etc).
Did it uses other NIC which is for management purpose??? Hope u all understand the question Regds Vijai.K DISCLAIMER This message and any attachment(s) contained here are information that
is
confidential, proprietary to HCL Technologies and its customers.
Contents
may be privileged or otherwise protected by law. The information is
solely
intended for the individual or the entity it is addressed to. If you
are not
the intended recipient of this message, you are not authorized to read, forward, print, retain, copy or disseminate this message or any part of
it.
If you have received this e-mail in error, please notify the sender immediately by return e-mail and delete it from your computer. -----------------------------------------------------------------------
---
Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
-----------------------------------------------------------------------
---
------------------------------------------------------------------------ -- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------ -- -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- IDS Sensor operation Vijai K (Infosec) - CTD, Chennai. (Sep 28)
- Re: IDS Sensor operation Graeme Connell (Sep 30)
- <Possible follow-ups>
- RE: IDS Sensor operation Wozny, Scott (US - New York) (Sep 28)
- RE: IDS Sensor operation Joshua Berry (Sep 30)