IDS mailing list archives
RE: IDS Sensor operation
From: "Wozny, Scott (US - New York)" <swozny () deloitte com>
Date: Tue, 28 Sep 2004 12:58:34 -0400
It's dependant on vendor implementation. I've seen both. The snipes or rewrites that come through the sniffing interface have to be built from the ground up. Just because an interface has been put into promiscuous mode doesn't mean you can't push data out of it. The trick is that it doesn't work with most line taps and it only works with mirror ports on switches that support bidirectional traffic when in mirror mode (a lot of switches (and even specific firmware revisions within switches) put the port into a state where inbound traffic is ignored when mirrored traffic is being sent out of it). This also, usually, only works for active responses that only require one packet (i.e. tough to complete a handshake when you don't have an IP bound to the NIC). For more complicated responses (like a firewall rule rewrite) generally a TCP session has to be established to carry this out which involves the IDS and the firewall being able to find each other. If you have the money and you're a stickler about keeping the management interface for management only, go with a vendor that allows you to specify which interface the response traffic is going to come from. For the added complexity, I don't think it's worth the hassle. I usually don't recommend active automated response anyway as it can be a good way to DoS yourself, but this is what I've seen in the market. Good luck, Scott -----Original Message----- From: Vijai K (Infosec) - CTD, Chennai. [mailto:vijaik () ctd hcltech com] Sent: Friday, September 24, 2004 2:36 AM To: focus-ids () securityfocus com; Srinivasa Rao Addepalli Subject: IDS Sensor operation Hi folks Basically sensors operates with promiscuous mode interface for monitoring data,rite But there is an optionality in an IDS to alert the firewall (reconfigure)to block the intrusion IP, and also to kill the session or connectionby the sensor itself. this we see in Realsecure Network sensor 7.0 where there is a option called RSKILL. But the question is how is it possible for a interface in promiscuous mode to act like this since there is no binding in the interface(TCP/IP,etc). Did it uses other NIC which is for management purpose??? Hope u all understand the question Regds Vijai.K DISCLAIMER This message and any attachment(s) contained here are information that is confidential, proprietary to HCL Technologies and its customers. Contents may be privileged or otherwise protected by law. The information is solely intended for the individual or the entity it is addressed to. If you are not the intended recipient of this message, you are not authorized to read, forward, print, retain, copy or disseminate this message or any part of it. If you have received this e-mail in error, please notify the sender immediately by return e-mail and delete it from your computer. ------------------------------------------------------------------------ -- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------ -- This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message. Any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited. -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- IDS Sensor operation Vijai K (Infosec) - CTD, Chennai. (Sep 28)
- Re: IDS Sensor operation Graeme Connell (Sep 30)
- <Possible follow-ups>
- RE: IDS Sensor operation Wozny, Scott (US - New York) (Sep 28)
- RE: IDS Sensor operation Joshua Berry (Sep 30)