
Re: [Full-Disclosure] IDS WIth TCP Reset and SPAN

Subject: Re: [Full-Disclosure] IDS WIth TCP Reset and SPAN
Date: Thu, 27 May 2004 11:39:57 -0500 (CDT)
I think the Cisco IDS was not Snort (I forget what product they do use),
and was not as flexible as Snort and other packages, though I do assume
that in the 3-4 years since I last played with their IDS toy it has been
upgraded and issues with it fixed.

But, you are correct, most IDS systems do not do anything much more than
monitor the network stream.  Snort and other IDS systems can be
worked/set up with other tools like the firewall's capabilities to amend
the policy in response to what is seen by the IDS in stream.  But one
wants to be careful in how they set this up, so that they avoid a sneak
attack that 'allows' their IDS/response system to deny service to their
core gateway or other resources.

Thanks,

Ron DuFresne

On Thu, 27 May 2004, dila wrote:

As far as I know, Snort has no drop capabilities, hence Intrusion
_Detection_ System.

I found this using google:
http://www.mcabee.org/lists/snort-users/Mar-03/msg00379.html

-dila

Hello Group,

Hopefully, this topic is OK to discuss here. I am fairly new to IDS systems
and am having trouble getting my Cisco IDS to send TCP resets. The lab
network is as follows:


              R4
R1----IDS----|
              R2------R3

R4 and R2 are on the same Ethernet segment. R1 is on the Command and Control
side of the sensor. The attack is coming from R3 (telnet to R4 and issue the
"testattack" string). The alarm shows up in Event Viewer... but no TCP
reset... I mean... my telnet session stays active.

I know this probably has something to do with how I am setting up SPAN on 
the switch....but I am not sure. The IDS Sensing interface, R4 and R2 are on 
the same switch and in VLAN 20. R3 is in VLAN 30.

I have tried it without SPAN (just R4, R2 and IDS sensing interfaces in the
same VLAN) and with SPAN configured as follows. Neither has worked.

monitor session 1 source vlan 20 rx
monitor session 1 destination int f0/17 ingress vlan 20

Any ideas??

Thanks,

Dain

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
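Ron's caveat above, that an IDS wired to a firewall can be tricked into denying service to the core gateway or other resources, is worth making concrete. The following is an added example and is not code from anyone in this thread, nor from Snort or the Cisco IDS: a small Python response-policy gate that sits between the IDS alert stream and the firewall, refuses to block a protected list of infrastructure addresses (gateway, DNS, sensor management) no matter what source an alert names, and caps how many blocks a sliding time window may produce so a burst of spoofed alerts cannot flood the firewall with rules. The hosts, alert format, signature name and thresholds are all constructed for illustration.

```python
"""
Guardrails for IDS-driven active response: never let the response engine
deny service to your own infrastructure.

Constructed example (not from the thread): hosts, alert contents and
thresholds are all made up for illustration.
"""
from collections import deque
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Alert:
    """One IDS alert, as a response engine would receive it (constructed format)."""
    timestamp: float   # seconds since epoch
    src_ip: str        # address the IDS believes is attacking
    dst_ip: str
    signature: str


class ResponsePolicy:
    """Decide whether an alert may become a firewall block.

    Two safeguards against an attacker turning the IDS into a DoS tool:
      * a protected list (core gateway, DNS, the sensor's own management
        network) that is never blocked, even if alerts name it as source;
      * a cap on the number of blocks in a sliding time window, so a burst
        of spoofed alerts cannot flood the firewall with rules.
    """

    def __init__(self, protected, max_blocks_per_window=5, window_seconds=60.0):
        # Accept single hosts or CIDR prefixes; hosts become /32 (or /128) networks.
        self.protected = [ipaddress.ip_network(p, strict=False) for p in protected]
        self.max_blocks = max_blocks_per_window
        self.window = window_seconds
        self._block_times = deque()   # timestamps of blocks still inside the window

    def is_protected(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.protected)

    def decide(self, alert):
        """Return 'BLOCK <ip>' or a 'REFUSED ...' reason; refusals still alert."""
        if self.is_protected(alert.src_ip):
            return f"REFUSED protected address {alert.src_ip} ({alert.signature})"
        # Expire block timestamps that have fallen out of the window.
        while self._block_times and alert.timestamp - self._block_times[0] > self.window:
            self._block_times.popleft()
        if len(self._block_times) >= self.max_blocks:
            return f"REFUSED rate limit reached, alert only for {alert.src_ip}"
        self._block_times.append(alert.timestamp)
        return f"BLOCK {alert.src_ip}"


def run_demo():
    """Feed a constructed alert stream through the policy and return the decisions."""
    policy = ResponsePolicy(
        protected=["10.0.0.1", "10.0.0.53", "10.0.0.0/29"],  # gateway, DNS, mgmt (constructed)
        max_blocks_per_window=5,
        window_seconds=60.0,
    )
    alerts = [
        Alert(0.0, "192.0.2.50", "10.0.1.10", "testattack"),
        # Spoofed alert naming the core gateway as the attacker: must be refused.
        Alert(1.0, "10.0.0.1", "10.0.1.10", "testattack"),
    ]
    # A burst from many sources: only the first five blocks within 60 s are allowed.
    alerts += [Alert(2.0 + i, f"192.0.2.{51 + i}", "10.0.1.10", "testattack") for i in range(5)]
    # After the window has passed, blocking resumes.
    alerts.append(Alert(120.0, "192.0.2.60", "10.0.1.10", "testattack"))
    return [policy.decide(a) for a in alerts]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The refused decisions are still alerts, so an analyst sees that something tried to get the gateway blocked; the point is only that the automated path cannot act on it. In a real deployment the protected list would also carry the sensor's own command-and-control address and any upstream link the sensor needs to push rules.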

