IDS Sensor operation

From: Vijai K (Infosec) - CTD, Chennai. (vijaik_at_ctd.hcltech.com)
Date: 09/24/04

    To: <focus-ids@securityfocus.com>, "Srinivasa Rao Addepalli" <srao@intoto.com>
    Date: Fri, 24 Sep 2004 12:06:21 +0530
    
    

    Hi folks,

    Basically, sensors operate with a promiscuous mode interface for monitoring
    data, right?
    But there is an option in an IDS to alert the firewall (reconfigure) to
    block the intrusion IP, and also to kill the session or connection by the
    sensor itself.

    This we see in RealSecure Network Sensor 7.0, where there is an option called
    RSKILL.

    But the question is how it is possible for an interface in promiscuous mode
    to act like this, since there is no binding in the interface (TCP/IP, etc.).

    Does it use another NIC which is for management purposes?

    Hope you all understand the question.

    Regards,
    Vijai.K
