
| Subject: | RE: IDS Sensor operation |
|---|---|
| Date: | Wed, 29 Sep 2004 11:40:20 -0400 |
Vijai,

Two links you should check out from the ISS Knowledgebase:

Why do I have to select an Adapter for Kills?
https://iss.custhelp.com/cgi-bin/iss.cfg/php/enduser/std_adp.php?p_sid=rCTgkImh&p_lva=&p_faqid=1026&p_created=1022780331&p_sp=cF9zcmNoPTEmcF9ncmlkc29ydD0mcF9yb3dfY250PTYmcF9zZWFyY2hfdGV4dD1yc2tpbGwmcF9zZWFyY2hfdHlwZT0zJnBfcHJvZF9sdmwxPX5hbnl_JnBfcHJvZF9sdmwyPX5hbnl_JnBfY2F0X2x2bDE9fmFueX4mcF9zb3J0X2J5PWRmbHQmcF9wYWdlPTE*&p_li=

and

How does a RealSecure Kill (RSKill) work?
https://iss.custhelp.com/cgi-bin/iss.cfg/php/enduser/std_adp.php?p_sid=rCTgkImh&p_lva=&p_faqid=96&p_created=976872224&p_sp=cF9zcmNoPTEmcF9ncmlkc29ydD0mcF9yb3dfY250PTYmcF9zZWFyY2hfdGV4dD1yc2tpbGwmcF9zZWFyY2hfdHlwZT0zJnBfcHJvZF9sdmwxPX5hbnl_JnBfcHJvZF9sdmwyPX5hbnl_JnBfY2F0X2x2bDE9fmFueX4mcF9zb3J0X2J5PWRmbHQmcF9wYWdlPTE*&p_li=

The funny thing about TCP resets is that sometimes they work and sometimes they don't (at least in my experience). With any type of mitigation response there are pros and cons. On the upside, you don't have to reconfigure one of your network devices to kill the connection. On the downside, they aren't always reliable. It might be the case that this is the only option if there is no network device between the two hosts. Of course, that is where blocking at the switch port comes in... which has its own issues ;)

Hope this helps,
Joe

Joe Hamm, CISSP
Security Engineer
Lancope, Inc.
jhamm@lancope.com
404.644.7227 (cell)
770.225.6509 (fax)

-----Original Message-----
From: Vijai K (Infosec) - CTD, Chennai. [mailto:vijaik@ctd.hcltech.com]
Sent: Friday, September 24, 2004 2:36 AM
To: focus-ids@securityfocus.com; Srinivasa Rao Addepalli
Subject: IDS Sensor operation

Hi folks

Basically sensors operate with a promiscuous mode interface for monitoring data, right? But there is an optionality in an IDS to alert the firewall (reconfigure) to block the intrusion IP, and also to kill the session or connection by the sensor itself. This we see in RealSecure Network Sensor 7.0, where there is an option called RSKILL. But the question is how is it possible for an interface in promiscuous mode to act like this, since there is no binding in the interface (TCP/IP, etc.). Does it use another NIC which is for management purposes?

Hope you all understand the question.

Regards,
Vijai.K
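Added example, not part of the original thread and not ISS or Lancope code: one well-documented reason sensor-injected TCP resets are hit-or-miss is that the receiving stack only honors a RST whose sequence number it considers valid (in-window under RFC 793, an exact match under RFC 5961). The model below shows how a reset built from the last segment the sensor observed fares once the real connection has moved on; the function names and all sample numbers are constructed for illustration.

```python
# Model of receiver-side RST validation for an IDS "kill" response.
# Assumption: the sensor forges a RST with seq = (last observed seq + payload len).
MOD = 2 ** 32  # TCP sequence numbers wrap at 2^32


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq falls in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2^32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def rst_verdict(rst_seq, rcv_nxt, rcv_wnd, rfc5961=True):
    """What the receiving host does with a RST carrying rst_seq."""
    if not in_window(rst_seq, rcv_nxt, rcv_wnd):
        return "dropped"            # stale or wild RST: silently ignored
    if rfc5961 and rst_seq != rcv_nxt:
        return "challenge-ack"      # in window but not exact: connection survives
    return "connection-reset"


def sensor_kill(observed_seq, observed_len, receiver_progress, rcv_wnd,
                rfc5961=True):
    """Outcome of a sensor-forged RST.

    receiver_progress: bytes the receiver has accepted beyond the segment the
    sensor based its RST on (positive = sensor is late; negative = the RST
    overtook data still in flight).
    """
    rst_seq = (observed_seq + observed_len) % MOD
    rcv_nxt = (rst_seq + receiver_progress) % MOD
    return rst_verdict(rst_seq, rcv_nxt, rcv_wnd, rfc5961)


def demo():
    """Constructed scenarios: same forged RST, different receiver state."""
    wnd = 65535
    return {
        "idle connection": sensor_kill(1000, 500, 0, wnd),
        "busy connection, sensor late": sensor_kill(1000, 500, 1460, wnd),
        "RST overtakes data (RFC 5961)": sensor_kill(1000, 500, -1460, wnd),
        "RST overtakes data (RFC 793)": sensor_kill(1000, 500, -1460, wnd, False),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:32s} -> {outcome}")
```

On a busy flow the sensor's reset is usually stale by the time it arrives, which is why products that rely on resets often send several and why inline blocking is the more dependable response.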