RE: IDS Sensor operation
From: Joshua Berry (jberry_at_PENSON.COM)
Date: 09/30/04
Date: Thu, 30 Sep 2004 14:41:16 -0500
To: "Graeme Connell" <gconnell@middlebury.edu>, "Vijai K (Infosec) - CTD, Chennai." <vijaik@ctd.hcltech.com>
The newer flexresp2 for Snort and the reset stuff in SnortInline have the
ability to send packets out at layer 2, bypassing the need for an IP
address.
-----Original Message-----
From: Graeme Connell [mailto:gconnell@middlebury.edu]
Sent: Wednesday, September 29, 2004 8:42 AM
To: Vijai K (Infosec) - CTD, Chennai.
Cc: focus-ids@securityfocus.com; Srinivasa Rao Addepalli
Subject: Re: IDS Sensor operation
An interface in promiscuous mode can still have an IP address. Just run
ifconfig <interface> promisc
and, voila! A promiscuous interface. It only means that it registers
all packets that hit it. So to answer your question: An IPS can sniff
traffic and send configuration information on the same interface. Hope
this helps.
--Graeme Connell
Vijai K (Infosec) - CTD, Chennai. wrote:
>Hi folks
>
>Basically sensors operate with a promiscuous mode interface for monitoring
>data, right?
>But there is an optionality in an IDS to alert the firewall (reconfigure) to
>block the intrusion IP, and also to kill the session or connection by the
>sensor itself.
>
>This we see in Realsecure Network sensor 7.0 where there is an option called
>RSKILL.
>
>But the question is how is it possible for an interface in promiscuous mode
>to act like this since there is no binding in the interface (TCP/IP, etc).
>
>Does it use another NIC which is for management purposes?
>
>Hope you all understand the question
>
>Regds
>Vijai.K
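The layer 2 reset mentioned in the top reply, as an added example that is not part of the original thread and is not Snort's flexresp2 code: it builds (but does not send) the raw Ethernet frame of a TCP RST from a sniffed segment, showing that every address is copied from the observed traffic, so the sensor interface needs no IP binding. The names `build_reset`, `checksum` and `SAMPLE`, and the addresses in the sample frame, are constructed for illustration.

```python
import struct

# Constructed sample: 192.0.2.10:49152 -> 198.51.100.20:80, ACK set, no payload.
SAMPLE = bytes.fromhex(
    "020000000002" "020000000001" "0800"                    # Ethernet
    "450000280000000040068e7e" "c000020a" "c6336414"        # IPv4
    "c0000050" "00001000" "00002000" "5010ffffd3310000")    # TCP

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_reset(frame: bytes) -> bytes:
    """Return the raw Ethernet frame of a RST aimed at the sender of `frame`.

    Every address is copied from the sniffed frame, so the sensor's own
    interface contributes nothing and needs no IP binding.
    """
    if (len(frame) < 34 or frame[12:14] != b"\x08\x00"
            or frame[14] >> 4 != 4 or frame[23] != 6):
        raise ValueError("not an IPv4/TCP frame")
    tcp_at = 14 + (frame[14] & 0x0F) * 4          # honour IP options
    if len(frame) < tcp_at + 20:
        raise ValueError("truncated TCP header")
    dst_mac, src_mac = frame[0:6], frame[6:12]
    src_ip, dst_ip = frame[26:30], frame[30:34]
    sport, dport, _seq, ack, off_flags = struct.unpack("!HHIIH", frame[tcp_at:tcp_at + 14])
    if not off_flags & 0x10:
        raise ValueError("no ACK field to take the sequence number from")
    # The reply goes back to the sender: swap MACs, IPs and ports, and use the
    # observed ACK number as SEQ so it matches what the sender expects next.
    tcp = struct.pack("!HHIIHHHH", dport, sport, ack, 0, (5 << 12) | 0x04, 0, 0, 0)
    pseudo = dst_ip + src_ip + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, dst_ip, src_ip)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return src_mac + dst_mac + b"\x08\x00" + ip + tcp

if __name__ == "__main__":
    print(build_reset(SAMPLE).hex())
```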