RE: IDS Sensor operation

From: Joshua Berry (jberry_at_PENSON.COM)
Date: 09/30/04


Date: Thu, 30 Sep 2004 14:41:16 -0500
To: "Graeme Connell" <gconnell@middlebury.edu>, "Vijai K (Infosec) - CTD, Chennai." <vijaik@ctd.hcltech.com>

The newer flexresp2 for Snort and the reset stuff in SnortInline have the
ability to send packets out at layer 2, bypassing the need for an IP
address.

-----Original Message-----
From: Graeme Connell [mailto:gconnell@middlebury.edu]
Sent: Wednesday, September 29, 2004 8:42 AM
To: Vijai K (Infosec) - CTD, Chennai.
Cc: focus-ids@securityfocus.com; Srinivasa Rao Addepalli
Subject: Re: IDS Sensor operation

An interface in promiscuous mode can still have an IP address. Just run

  ifconfig <interface> promisc

and, voila! A promiscuous interface. It only means that it registers
all packets that hit it. So to answer your question: An IPS can sniff
traffic and send configuration information on the same interface. Hope
this helps.

       --Graeme Connell

Vijai K (Infosec) - CTD, Chennai. wrote:

>Hi folks
>
>Basically, sensors operate with a promiscuous mode interface for monitoring
>data, right?
>But there is an option in an IDS to alert the firewall (reconfigure) to
>block the intrusion IP, and also to kill the session or connection by the
>sensor itself.
>
>We see this in RealSecure Network Sensor 7.0, where there is an option called
>RSKILL.
>
>But the question is how it is possible for an interface in promiscuous mode
>to act like this, since there is no binding on the interface (TCP/IP, etc.).
>
>Does it use another NIC which is for management purposes?
>
>Hope you all understand the question.
>
>Regards
>Vijai.K
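Added example, not part of the original thread: this Python code parses output in the style of `ip -o link` and `ip -o addr` and reports, per interface, whether it is promiscuous with an IP address (the case in Graeme's reply) or promiscuous with none (where a response must be sent at layer 2 or through a separate management NIC). The sample output, interface names and addresses are constructed.

```python
import re

# Constructed, trimmed samples in the style of `ip -o link` / `ip -o addr`.
SAMPLE_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 state UP
4: eth2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 state UP
"""
SAMPLE_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
4: eth2    inet 198.51.100.5/24 brd 198.51.100.255 scope global eth2
"""

LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<([^>]*)>")
ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet6?\s+(\S+)")

def parse_links(text):
    """Map interface name -> set of flags from the <...> field."""
    links = {}
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:
            links[m.group(1)] = set(m.group(2).split(","))
    return links

def parse_addrs(text):
    """Map interface name -> list of configured addresses (CIDR form)."""
    addrs = {}
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            addrs.setdefault(m.group(1), []).append(m.group(2))
    return addrs

def classify(link_text, addr_text):
    """Return {interface: (role, addresses)} for every parsed link."""
    addrs = parse_addrs(addr_text)
    report = {}
    for name, flags in parse_links(link_text).items():
        ips = addrs.get(name, [])
        if "PROMISC" not in flags:
            role = "not promiscuous"
        elif ips:
            role = "promiscuous with IP"   # can sniff and send on one NIC
        else:
            role = "promiscuous, no IP"    # needs layer 2 or a management NIC
        report[name] = (role, ips)
    return report

if __name__ == "__main__":
    for name, (role, ips) in classify(SAMPLE_LINK, SAMPLE_ADDR).items():
        print(f"{name:6} {role:22} {', '.join(ips) or '-'}")
```

On Linux the PROMISC flag reflects an explicit setting such as `ifconfig <interface> promisc`; a capture library that enables promiscuous reception through a packet socket may not set it, so its absence does not prove the interface is not sniffing.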