RE: IDS Sensor operation

From: Wozny, Scott (US - New York) (swozny_at_deloitte.com)
Date: 09/28/04

    Date: Tue, 28 Sep 2004 12:58:34 -0400
    To: "Vijai K (Infosec) - CTD, Chennai." <vijaik@ctd.hcltech.com>, <focus-ids@securityfocus.com>
    
    

    It's dependent on vendor implementation. I've seen both.

    The snipes or rewrites that come through the sniffing interface have to
    be built from the ground up. Just because an interface has been put
    into promiscuous mode doesn't mean you can't push data out of it. The
    trick is that it doesn't work with most line taps and it only works with
    mirror ports on switches that support bidirectional traffic when in
    mirror mode (a lot of switches (and even specific firmware revisions
    within switches) put the port into a state where inbound traffic is
    ignored when mirrored traffic is being sent out of it). This also,
    usually, only works for active responses that only require one packet
    (i.e. tough to complete a handshake when you don't have an IP bound to
    the NIC).

    For more complicated responses (like a firewall rule rewrite) generally
    a TCP session has to be established to carry this out which involves the
    IDS and the firewall being able to find each other. If you have the
    money and you're a stickler about keeping the management interface for
    management only, go with a vendor that allows you to specify which
    interface the response traffic is going to come from. For the added
    complexity, I don't think it's worth the hassle.

    I usually don't recommend active automated response anyway as it can be
    a good way to DoS yourself, but this is what I've seen in the market.

    Good luck,

    Scott

    -----Original Message-----
    From: Vijai K (Infosec) - CTD, Chennai. [mailto:vijaik@ctd.hcltech.com]
    Sent: Friday, September 24, 2004 2:36 AM
    To: focus-ids@securityfocus.com; Srinivasa Rao Addepalli
    Subject: IDS Sensor operation

    Hi folks

    Basically sensors operate with a promiscuous mode interface for
    monitoring data, right?
    But there is an optionality in an IDS to alert the firewall (reconfigure) to
    block the intrusion IP, and also to kill the session or connection by the
    sensor itself.

    This we see in RealSecure Network Sensor 7.0 where there is an option
    called RSKILL.

    But the question is how is it possible for an interface in promiscuous
    mode to act like this since there is no binding on the interface (TCP/IP, etc.).

    Does it use the other NIC which is for management purposes???

    Hope you all understand the question

    Regds
    Vijai.K


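Scott's warning that automated active response "can be a good way to DoS yourself" is the part most worth making concrete. The following is an added example, not code from either message or from any IDS product: a gate a sensor could run before asking the firewall to block an alert's source address. It assumes alerts arrive as dicts with `src_ip`, `proto` and `established` keys; the protected networks and gateway address are constructed values.

```python
# Added example (not from the thread): a gate in front of automated
# IDS -> firewall block requests, limiting the ways an auto-block can
# DoS yourself. Alert format (src_ip, proto, established) is assumed.
import ipaddress
import time

# Never auto-block these: your own networks, the upstream gateway, the
# firewall you would be talking to. Addresses are constructed examples.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "192.168.0.0/16", "203.0.113.1/32")]


def spoofable(alert):
    """True when the alert's source address could have been forged, so
    blocking it would let someone else pick who gets cut off."""
    if alert["proto"] in ("udp", "icmp"):
        return True
    # A lone SYN proves nothing; only a completed handshake ties the
    # source address to a real peer.
    return alert["proto"] == "tcp" and not alert.get("established", False)


class ResponseGate:
    def __init__(self, max_active=100, ttl=3600, now=time.time):
        self.max_active = max_active   # cap on simultaneous blocks
        self.ttl = ttl                 # seconds; blocks expire, not pile up
        self.now = now                 # injectable clock for testing
        self.active = {}               # ip -> expiry timestamp

    def _expire(self):
        t = self.now()
        self.active = {ip: e for ip, e in self.active.items() if e > t}

    def decide(self, alert):
        """Return (block, reason); block is True only when it is safe to
        push a rule for alert['src_ip'] to the firewall."""
        self._expire()
        ip = ipaddress.ip_address(alert["src_ip"])
        if any(ip in net for net in NEVER_BLOCK):
            return False, "protected address"
        if spoofable(alert):
            return False, "spoofable source, alert only"
        if str(ip) in self.active:
            return False, "already blocked"
        if len(self.active) >= self.max_active:
            return False, "block table full"
        self.active[str(ip)] = self.now() + self.ttl
        return True, "block for %d s" % self.ttl
```

Whatever actually pushes the rule (the firewall's API, SSH, whatever the vendor provides) sits behind this gate and is only called when `decide` returns True.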
    
