IDS mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Intrushield vs. ISS once more...

From: Jason <security () brvenik com>
Date: Wed, 05 Jan 2005 21:58:32 -0500


Chris Brown wrote:

I have been trialling Intrushield and it logs and displays packet info
just fine, have you installed Ethereal and pointed Intrushield to it's
location?  Also Intrushield tells you what sig it has fired on in the
alert viewer.......
I assume you mean you have to use ethereal to get at packets for events. How do you "point" intrushield to Ethereal?
1) Does it rewrite the destination and retransmit the packets to some destination?
2) Do you designate a physical port in the intrushield appliance to make the packets available on that you would then capture using ethereal?
If it is #2 how do you perform analysis if you do not have physical access to the system? 

If it is #1 what good is a packet that has been rewritten?
If it is either would any of the vulnerabilities in Ethereal be retransmitted to the analysis station? What about vulnerabilities in the analysis platform itself? If you block a "Ping of Death"" would that PoD take out the analysis system upon analysis? UPnP Broadcast? MSSQL Discovery? ...
If it is none of these please clarify what you mean. Unfortunately I've never sat in front of an intrushield and do not have one available to me to play with or I would just go get the answers. 


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. 
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: