Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-Disclosure] IDS WIth TCP Reset and SPAN

from [dila] Network Security [Permanent Link]
Subject: Re: [Full-Disclosure] IDS WIth TCP Reset and SPAN
Date: Thu, 27 May 2004 02:36:01 +0100 
As far as I know, Snort has no drop capabilities, hence Intrusion
_Detection_ System.

I found this using google:
http://www.mcabee.org/lists/snort-users/Mar-03/msg00379.html

-dila


Hello Group,

Hopefully, this topic is ok to discuss here. I am fairly new to IDS systems 
and am having trouble getting my cisco IDS to send TCP resets. The lab network 
is as follows:


              R4
R1----IDS----|
              R2------R3

R4 and R2 are on the same ethernet segment. R1 is on Command and Control side 
of the sensor. The attack is coming from R3 ( telnet to R4 and issue 
"testattack" string ). The alarm shows up in event viewer...but no tcp 
reset...I mean...my telnet session stays active. 

I know this probably has something to do with how I am setting up SPAN on the 
switch....but I am not sure. The IDS Sensing interface, R4 and R2 are on the 
same switch and in VLAN 20. R3 is in VLAN 30.

I have tried it without span ( just R4, R2 and IDS sensing interfaces in same 
vlan ) and with span configured as follows. Niether has worked.

monitor session 1 source vlan 20 rx
monitor session 1 destination int f0/17 ingress vlan 20

Any ideas??

Thanks,

Dain
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Full-Disclosure] Re: Cisco's stolen code, tcleary2
Next by Date:  Re: [Full-Disclosure] Re: Cisco's stolen code, tcleary2
Previous by Thread:  [Full-Disclosure] IDS WIth TCP Reset and SPAN, Dain Deutschman
Next by Thread:  Re: [Full-Disclosure] IDS WIth TCP Reset and SPAN, Ron DuFresne
Indexes:  [Date] [Thread] [Top] [All Lists]