IDS mailing list archives

RE: IDS Sensor operation


From: "Wozny, Scott (US - New York)" <swozny () deloitte com>
Date: Tue, 28 Sep 2004 12:58:34 -0400

It's dependent on vendor implementation.  I've seen both.  

The snipes or rewrites that come through the sniffing interface have to
be built from the ground up.  Just because an interface has been put
into promiscuous mode doesn't mean you can't push data out of it.  The
trick is that it doesn't work with most line taps and it only works with
mirror ports on switches that support bidirectional traffic when in
mirror mode (a lot of switches (and even specific firmware revisions
within switches) put the port into a state where inbound traffic is
ignored when mirrored traffic is being sent out of it).  This also,
usually, only works for active responses that only require one packet
(i.e. tough to complete a handshake when you don't have an IP bound to
the NIC).

For more complicated responses (like a firewall rule rewrite) generally
a TCP session has to be established to carry this out which involves the
IDS and the firewall being able to find each other.  If you have the
money and you're a stickler about keeping the management interface for
management only, go with a vendor that allows you to specify which
interface the response traffic is going to come from.  For the added
complexity, I don't think it's worth the hassle.  

I usually don't recommend active automated response anyway as it can be
a good way to DoS yourself, but this is what I've seen in the market.

Good luck,

Scott
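Scott's closing caveat, that automated active response is a good way to DoS yourself, is the part worth putting into code. The guard below is an added illustration for this thread, not code from either poster or from any IDS product: it models the check a sensor should run before it pushes a "block this source" rule to a firewall, so that a spoofed or misattributed alert cannot be used to cut off your own gateway, resolver or partner links. The address ranges, limits and alert list are constructed sample values.

```python
"""Policy guard for automated IDS active responses.

Added illustration for this thread, not code from either poster or from any
IDS product. It models the decision a sensor should make *before* it pushes a
"block this source" rule to a firewall, so a spoofed or misattributed alert
cannot turn the IDS into a way to deny service to your own network. All
address ranges, limits and alerts below are constructed sample values.
"""
import ipaddress
import time
from collections import deque


class ActiveResponseGuard:
    """Decides whether an automated firewall block for a source IP is allowed."""

    def __init__(self, never_block, max_blocks, window_seconds, block_ttl,
                 clock=time.monotonic):
        # Operator-supplied ranges that must never be auto-blocked: internal
        # subnets, gateways, DNS/NTP, partners. Blocking these is the classic
        # self-inflicted DoS.
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.max_blocks = max_blocks        # cap on new blocks per window
        self.window = window_seconds
        self.block_ttl = block_ttl          # blocks expire; no permanent rules
        self.clock = clock                  # injectable so tests control time
        self.issued = deque()               # timestamps of blocks issued
        self.active = {}                    # ip -> expiry time

    def _expire(self, now):
        # Drop blocks whose TTL has passed and rate-limit entries outside the window.
        for ip, expiry in list(self.active.items()):
            if expiry <= now:
                del self.active[ip]
        while self.issued and now - self.issued[0] > self.window:
            self.issued.popleft()

    def decide(self, src_ip):
        """Return (allowed, reason) for blocking src_ip right now."""
        ip = ipaddress.ip_address(src_ip)
        now = self.clock()
        self._expire(now)
        for net in self.never_block:
            if ip in net:
                return False, f"{ip} is in never-block range {net}"
        if ip in self.active:
            return False, f"{ip} already blocked"
        if len(self.issued) >= self.max_blocks:
            return False, "block rate limit reached; escalate to an analyst"
        self.issued.append(now)
        self.active[ip] = now + self.block_ttl
        return True, f"block {ip} for {self.block_ttl}s"


# Constructed sample alerts: (source_ip, signature name).
SAMPLE_ALERTS = [
    ("198.51.100.7", "SCAN nmap TCP"),
    ("198.51.100.7", "SCAN nmap TCP"),             # duplicate: already blocked
    ("10.0.0.53", "DNS amplification"),            # internal resolver, spoofed source
    ("203.0.113.5", "WEB-ATTACKS ../ traversal"),  # partner range, never auto-block
    ("198.51.100.8", "SCAN nmap TCP"),
    ("198.51.100.9", "SCAN nmap TCP"),             # exceeds the per-window cap
]


def run_sample(clock=time.monotonic):
    """Feed the sample alerts through a guard; return the allow/deny decisions."""
    guard = ActiveResponseGuard(
        never_block=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                     "127.0.0.0/8", "203.0.113.0/24"],   # constructed policy
        max_blocks=2, window_seconds=60, block_ttl=300, clock=clock)
    return [guard.decide(ip)[0] for ip, _ in SAMPLE_ALERTS]


if __name__ == "__main__":
    for (ip, sig), allowed in zip(SAMPLE_ALERTS, run_sample()):
        print(f"{ip:15} {sig:28} -> {'BLOCK' if allowed else 'skip'}")
```

The two controls that matter are the never-block list and the rate cap with a TTL: the first stops an attacker from getting your own infrastructure blocked by spoofing its address as the alert source, the second bounds the damage of a noisy signature to a handful of short-lived rules and hands the rest to a human.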

-----Original Message-----
From: Vijai K (Infosec) - CTD, Chennai. [mailto:vijaik () ctd hcltech com] 
Sent: Friday, September 24, 2004 2:36 AM
To: focus-ids () securityfocus com; Srinivasa Rao Addepalli
Subject: IDS Sensor operation 



Hi folks

 
Basically, sensors operate with a promiscuous-mode interface for monitoring
data, right? But there is an option in an IDS to alert the firewall
(reconfigure) to block the intruding IP, and also to kill the session or
connection by the sensor itself.

This we see in RealSecure Network Sensor 7.0, where there is an option
called RSKILL.

But the question is how it is possible for an interface in promiscuous
mode to act like this, since there is no binding on the interface
(TCP/IP, etc.).

Does it use the other NIC, which is for management purposes???

Hope you all understand the question.



Regds
Vijai.K






--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------






