Re: Newbie IDS questions

From: Drew (simonis@myself.com)
Date: 01/10/02


Date: Thu, 10 Jan 2002 00:06:37 -0500
From: Drew <simonis@myself.com>
To: Mike Hrubes <MHrubes@wizmo.com>

Mike Hrubes wrote:
>
> Hi all,
>
> I'm new to the IDS world. I understand what an IDS does, and why you
> need it, but I have some questions on the technical aspect of IDS. We
> are planning on implementing an IDS in the near future. The idea that
> has been proposed is to put the IDS in the path between connections,
> rather than connected in promiscuous mode. The reason they want to do
> this is so they can also run a blocking software, like portsentry, to
> block unwanted scans, etc.

Isn't this the way that a Cisco router with IDS feature set installed
works? Personally, I don't like the idea of introducing more
complication into the network. Whereas running the IDS feature set
on an IOS device adds functionality to an existing network unit, this
solution brings us a new target. I much prefer using IDS in a silent
configuration in such a way that it cannot become a target to the
attacker.

I'm also not sure why running something like portsentry would preclude
you from using a promiscuous type IDS. Can you clarify?

-Ds


