[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <40B62444.5020505@brvenik.com>
From: security at brvenik.com (Jason)
Subject: IDS WIth TCP Reset and SPAN
dila wrote:
> As far as I know, Snort has no drop capabilities, hence Intrusion
> _Detection_ System.
>
> I found this using google:
> http://www.mcabee.org/lists/snort-users/Mar-03/msg00379.html
I did not read the question as one about Snort however while Snort
proper does not have drop capability snort-inline which is a patch to
snort to use it inline adds drop, silent drop, and replace
functionality. It is available through the honeynet project and from the
snort-inline sourceforge repository
http://www.honeynet.org/tools/index.html
http://snort-inline.sourceforge.net/
Hints about the Cisco problem below.
>
> -dila
>
>
>> Hello Group,
>>
>> Hopefully, this topic is ok to discuss here. I am fairly new to IDS
>> systems and am having trouble getting my cisco IDS to send TCP
>> resets. The lab network is as follows:
>>
First mistake if you ask me is using Crisco IDS but that is a different
topic.
>>
>> R4 R1----IDS----| R2------R3
>>
>> R4 and R2 are on the same ethernet segment. R1 is on Command and
>> Control side of the sensor. The attack is coming from R3 ( telnet
>> to R4 and issue "testattack" string ). The alarm shows up in event
>> viewer...but no tcp reset...I mean...my telnet session stays
>> active.
If Cisco works the same as the rest of the world then the reset should
originate from the management interface ( R1 ) unless you have created
specific routes to use a non stealth interface for resets. You will have
to have route capability from R1 to R4 and possibly R3 in order for the
resets to do anything. Did you configure resets using the device
manager? I am assuming that you are following the directions linked
below. I do not have one to play with so I am only guessing.
>>
>> I know this probably has something to do with how I am setting up
>> SPAN on the switch....but I am not sure. The IDS Sensing interface,
>> R4 and R2 are on the same switch and in VLAN 20. R3 is in VLAN 30.
If it does inject the resets out the monitor interface then you will
have to set up your span as an RX/TX port and then IIRC it depends on
what model of switch and IOS/CatOS you are running on whether the port
will allow packets to be injected there.
The following links may provide more info for you.
GIAC paper that set it up using RealSecure.
http://www.giac.org/practical/GSEC/Sylvain_Proulx_GSEC.pdf
Cisco doc on configuring span ( RSPAN will not work )
http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00801a6ba9.html
Cisco doc on configuring resets with the IDS
http://www.cisco.com/en/US/products/sw/secursw/ps5052/products_configuration_example09186a00801c0e11.shtml#launch
>>
>> I have tried it without span ( just R4, R2 and IDS sensing
>> interfaces in same vlan ) and with span configured as follows.
>> Niether has worked.
>>
>> monitor session 1 source vlan 20 rx monitor session 1 destination
>> int f0/17 ingress vlan 20
>>
>> Any ideas??
>>
>> Thanks,
>>
>> Dain
>
>
> _______________________________________________ Full-Disclosure - We
> believe in it. Charter:
> http://lists.netsys.com/full-disclosure-charter.html
>
Powered by blists - more mailing lists