Network Security: Detailed info on RE: IDS Sensor operation

Subject:	RE: IDS Sensor operation
Date:	Thu, 30 Sep 2004 14:41:16 -0500

The newer flexresp2 for snort and the reset stuff in SnortInline has the
ability to send packets out at layer 2, bypassing the need for an IP
address.

-----Original Message-----
From: Graeme Connell [mailto:gconnell@middlebury.edu] 
Sent: Wednesday, September 29, 2004 8:42 AM
To: Vijai K (Infosec) - CTD, Chennai.
Cc: focus-ids@securityfocus.com; Srinivasa Rao Addepalli
Subject: Re: IDS Sensor operation

An interface in promiscuous mode can still have an IP address.  Just run

  ifconfig <interface> promisc

and, voila!  A promiscuous interface.  It only means that it registers 
all packets that hit it.  So to answer your question:  An IPS can sniff 
traffic and send configuration information on the same interface.  Hope 
this helps.

       --Graeme Connell

Vijai K (Infosec) - CTD, Chennai. wrote:

Hi folks


Basically sensors operates with promiscuous mode interface  for

monitoring

data,rite
But there is an optionality in  an IDS to alert the firewall

(reconfigure)to

block the intrusion IP, and also to kill the session or connectionby

the

sensor itself.

this we see in Realsecure Network sensor 7.0 where there  is a option

called

RSKILL.

But the question is how is it possible for a interface in promiscuous

mode

to act like this since there is no binding in the

interface(TCP/IP,etc).


Did it uses other NIC which is for management purpose???

Hope u all understand the question



Regds
Vijai.K



DISCLAIMER 
This message and any attachment(s) contained here are information that

is

confidential, proprietary to HCL Technologies and its customers.

Contents

may be privileged or otherwise protected by law. The information is

solely

intended for the individual or the entity it is addressed to. If you

are not

the intended recipient of this message, you are not authorized to read,
forward, print, retain, copy or disseminate this message or any part of

it.

If you have received this e-mail in error, please notify the sender
immediately by return e-mail and delete it from your computer.



-----------------------------------------------------------------------

---

Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from

CORE IMPACT.

Go to

http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to
learn more.

-----------------------------------------------------------------------

---

 


------------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
--


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE 
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to 
learn more.
--------------------------------------------------------------------------

<Prev in Thread]	Current Thread	[Next in Thread>
IDS Sensor operation, Vijai K (Infosec) - CTD, Chennai. Re: IDS Sensor operation, Graeme Connell RE: IDS Sensor operation, Wozny, Scott (US - New York) RE: IDS Sensor operation, Joshua Berry <= RE: IDS Sensor operation, Joseph Hamm

Previous by Date:	Re: IDS Sensor operation, Graeme Connell
Next by Date:	Re: Snort, Alex Butcher, ISC/ISYS
Previous by Thread:	RE: IDS Sensor operation, Wozny, Scott (US - New York)
Next by Thread:	RE: IDS Sensor operation, Joseph Hamm
Indexes:	[Date] [Thread] [Top] [All Lists]