RE: IDS Sensor operation

From: Joshua Berry (jberry_at_PENSON.COM)
Date: 09/30/04


Date: Thu, 30 Sep 2004 14:41:16 -0500
To: "Graeme Connell" <gconnell@middlebury.edu>, "Vijai K (Infosec) - CTD, Chennai." <vijaik@ctd.hcltech.com>

The newer flexresp2 for snort and the reset stuff in SnortInline have the
ability to send packets out at layer 2, bypassing the need for an IP
address.

-----Original Message-----
From: Graeme Connell [mailto:gconnell@middlebury.edu]
Sent: Wednesday, September 29, 2004 8:42 AM
To: Vijai K (Infosec) - CTD, Chennai.
Cc: focus-ids@securityfocus.com; Srinivasa Rao Addepalli
Subject: Re: IDS Sensor operation

An interface in promiscuous mode can still have an IP address. Just run

  ifconfig <interface> promisc

and, voila! A promiscuous interface. It only means that it registers
all packets that hit it. So to answer your question: An IPS can sniff
traffic and send configuration information on the same interface. Hope
this helps.

       --Graeme Connell

Vijai K (Infosec) - CTD, Chennai. wrote:

>Hi folks
>
>Basically sensors operate with a promiscuous mode interface for monitoring
>data, right?
>But there is an optionality in an IDS to alert the firewall (reconfigure) to
>block the intrusion IP, and also to kill the session or connection by the
>sensor itself.
>
>We see this in Realsecure Network sensor 7.0, where there is an option called
>RSKILL.
>
>But the question is how is it possible for an interface in promiscuous mode
>to act like this since there is no binding in the interface (TCP/IP, etc.).
>
>Does it use another NIC which is for management purposes?
>
>Hope you all understand the question
>
>Regds
>Vijai.K