IDS mailing list archives

RE: IDS Sensor operation

From: "Joshua Berry" <jberry () PENSON COM>
Date: Thu, 30 Sep 2004 14:41:16 -0500

The newer flexresp2 for snort and the reset stuff in SnortInline has the
ability to send packets out at layer 2, bypassing the need for an IP
address.

-----Original Message-----
From: Graeme Connell [mailto:gconnell () middlebury edu] 
Sent: Wednesday, September 29, 2004 8:42 AM
To: Vijai K (Infosec) - CTD, Chennai.
Cc: focus-ids () securityfocus com; Srinivasa Rao Addepalli
Subject: Re: IDS Sensor operation

An interface in promiscuous mode can still have an IP address.  Just run

  ifconfig <interface> promisc

and, voila!  A promiscuous interface.  It only means that it registers 
all packets that hit it.  So to answer your question:  An IPS can sniff 
traffic and send configuration information on the same interface.  Hope 
this helps.

       --Graeme Connell

Vijai K (Infosec) - CTD, Chennai. wrote:

Hi folks


Basically sensors operates with promiscuous mode interface  for

monitoring

data,rite
But there is an optionality in  an IDS to alert the firewall

(reconfigure)to

block the intrusion IP, and also to kill the session or connectionby

the

sensor itself.

this we see in Realsecure Network sensor 7.0 where there  is a option

called

RSKILL.

But the question is how is it possible for a interface in promiscuous

mode

to act like this since there is no binding in the

interface(TCP/IP,etc).


Did it uses other NIC which is for management purpose???

Hope u all understand the question



Regds
Vijai.K



DISCLAIMER 
This message and any attachment(s) contained here are information that

is

confidential, proprietary to HCL Technologies and its customers.

Contents

may be privileged or otherwise protected by law. The information is

solely

intended for the individual or the entity it is addressed to. If you

are not

the intended recipient of this message, you are not authorized to read,
forward, print, retain, copy or disseminate this message or any part of

it.

If you have received this e-mail in error, please notify the sender
immediately by return e-mail and delete it from your computer.



-----------------------------------------------------------------------

---

Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from

CORE IMPACT.

Go to

http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to
learn more.

-----------------------------------------------------------------------

---

 


------------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
--


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------

Current thread:

IDS Sensor operation Vijai K (Infosec) - CTD, Chennai. (Sep 28)
- Re: IDS Sensor operation Graeme Connell (Sep 30)
- <Possible follow-ups>
- RE: IDS Sensor operation Wozny, Scott (US - New York) (Sep 28)
- RE: IDS Sensor operation Joshua Berry (Sep 30)