RE: IDS Sensor operation

From: Joseph Hamm (jhamm_at_lancope.com)
Date: 09/29/04

  • Next message: Graeme Connell: "Re: Snort"
    Date: Wed, 29 Sep 2004 11:40:20 -0400
    To: <focus-ids@securityfocus.com>


    Vijai,

    Two links you should check out from the ISS Knowledgebase:

    Why do I have to select an Adapter for Kills?
    https://iss.custhelp.com/cgi-bin/iss.cfg/php/enduser/std_adp.php?p_sid=rCTgkImh&p_lva=&p_faqid=1026&p_created=1022780331&p_sp=cF9zcmNoPTEmcF9ncmlkc29ydD0mcF9yb3dfY250PTYmcF9zZWFyY2hfdGV4dD1yc2tpbGwmcF9zZWFyY2hfdHlwZT0zJnBfcHJvZF9sdmwxPX5hbnl_JnBfcHJvZF9sdmwyPX5hbnl_JnBfY2F0X2x2bDE9fmFueX4mcF9zb3J0X2J5PWRmbHQmcF9wYWdlPTE*&p_li=

    and

    How does a RealSecure Kill (RSKill) work?
    https://iss.custhelp.com/cgi-bin/iss.cfg/php/enduser/std_adp.php?p_sid=rCTgkImh&p_lva=&p_faqid=96&p_created=976872224&p_sp=cF9zcmNoPTEmcF9ncmlkc29ydD0mcF9yb3dfY250PTYmcF9zZWFyY2hfdGV4dD1yc2tpbGwmcF9zZWFyY2hfdHlwZT0zJnBfcHJvZF9sdmwxPX5hbnl_JnBfcHJvZF9sdmwyPX5hbnl_JnBfY2F0X2x2bDE9fmFueX4mcF9zb3J0X2J5PWRmbHQmcF9wYWdlPTE*&p_li=

    The funny thing about TCP resets is that sometimes they work and
    sometimes they don't (at least in my experience). With any type of
    mitigation response there are pros and cons. On the upside, you don't
    have to reconfigure one of your network devices to kill the connection.
    On the downside, they aren't always reliable. It might be the case that
    this is the only option if there is no network device between the two
    hosts. Of course, that is where blocking at the switch port comes
    in... which has its own issues ;)

    Hope this helps,
    Joe

    Joe Hamm, CISSP
    Security Engineer
    Lancope, Inc.
    jhamm@lancope.com
    404.644.7227 (cell)
    770.225.6509 (fax)

    -----Original Message-----
    From: Vijai K (Infosec) - CTD, Chennai. [mailto:vijaik@ctd.hcltech.com]
    Sent: Friday, September 24, 2004 2:36 AM
    To: focus-ids@securityfocus.com; Srinivasa Rao Addepalli
    Subject: IDS Sensor operation

    Hi folks,

    Basically, sensors operate with a promiscuous-mode interface for
    monitoring data, right?
    But there is an option in an IDS to alert the firewall (reconfigure) to
    block the intrusion IP, and also to kill the session or connection by the
    sensor itself.

    This we see in RealSecure Network Sensor 7.0, where there is an option
    called RSKILL.

    But the question is how is it possible for an interface in promiscuous
    mode to act like this, since there is no binding on the interface
    (TCP/IP, etc.).

    Does it use the other NIC, which is for management purposes???

    Hope you all understand the question.

    Regards,
    Vijai.K


    ------------------------------------------------------------------------

    --
    Test Your IDS
    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from
    CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    to learn more.
    ------------------------------------------------------------------------
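Joe's point that sensor-originated resets "sometimes work and sometimes don't" comes down to whether the forged RST carries the sequence number the victim's TCP stack expects. The following is an added illustration, not code from the thread or from ISS/RealSecure: a small model of the two RST-acceptance rules (the classic in-window check and the stricter exact-match behaviour later standardised in RFC 5961), fed with constructed sequence numbers so the "works" and "doesn't work" cases can be seen side by side.

```python
# Added example (not from the thread). Models how a TCP endpoint judges an
# incoming RST, and what a passive sensor that forges a RST from the last
# segment it sniffed can therefore expect. All sequence numbers, window
# sizes and "missed bytes" values below are constructed for illustration.

from dataclasses import dataclass

MOD = 1 << 32  # TCP sequence numbers wrap modulo 2^32


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """Classic check: RCV.NXT <= seq < RCV.NXT + RCV.WND, modulo 2^32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


@dataclass
class Endpoint:
    rcv_nxt: int              # next sequence number this side expects
    rcv_wnd: int              # its advertised receive window
    strict_rst: bool = False  # RFC 5961 style: tear down only on exact match

    def accepts_rst(self, rst_seq: int) -> str:
        """Return 'reset', 'challenge-ack' or 'dropped' for an incoming RST."""
        if rst_seq == self.rcv_nxt:
            return "reset"                  # exact match: every stack resets
        if not in_window(rst_seq, self.rcv_nxt, self.rcv_wnd):
            return "dropped"                # stale or future: silently ignored
        # In-window but not exact: legacy stacks reset; RFC 5961 stacks keep
        # the connection and answer with a challenge ACK instead.
        return "challenge-ack" if self.strict_rst else "reset"


def forged_rst_outcome(last_seen_seq: int, last_seen_len: int,
                       stack_rcv_nxt: int, rcv_wnd: int,
                       strict: bool = False) -> str:
    """A sniffing sensor forges RST.seq = seq + len of the last segment it
    saw from the peer. The stack's real RCV.NXT may differ: segments the
    sensor missed (SPAN drops, a race with the next segment) leave the
    forged number stale; a segment lost in transit to the host but seen on
    the tap leaves it ahead of the host."""
    forged_seq = (last_seen_seq + last_seen_len) % MOD
    return Endpoint(stack_rcv_nxt, rcv_wnd, strict).accepts_rst(forged_seq)


if __name__ == "__main__":
    # Sensor and host agree on the stream position: the kill lands.
    print("in sync  :", forged_rst_outcome(1000, 100, 1100, 65535))
    # Host already consumed 500 more bytes the sensor never saw: stale RST.
    print("stale    :", forged_rst_outcome(1000, 100, 1600, 65535))
    # Host has not yet received the segment the sensor saw: legacy vs strict.
    print("ahead/old:", forged_rst_outcome(1000, 100, 1000, 65535, False))
    print("ahead/new:", forged_rst_outcome(1000, 100, 1000, 65535, True))
```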
