| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: security at brvenik.com (Jason) Subject: IDS WIth TCP Reset and SPAN dila wrote: > As far as I know, Snort has no drop capabilities, hence Intrusion > _Detection_ System. > > I found this using google: > http://www.mcabee.org/lists/snort-users/Mar-03/msg00379.html I did not read the question as one about Snort however while Snort proper does not have drop capability snort-inline which is a patch to snort to use it inline adds drop, silent drop, and replace functionality. It is available through the honeynet project and from the snort-inline sourceforge repository http://www.honeynet.org/tools/index.html http://snort-inline.sourceforge.net/ Hints about the Cisco problem below. > > -dila > > >> Hello Group, >> >> Hopefully, this topic is ok to discuss here. I am fairly new to IDS >> systems and am having trouble getting my cisco IDS to send TCP >> resets. The lab network is as follows: >> First mistake if you ask me is using Crisco IDS but that is a different topic. >> >> R4 R1----IDS----| R2------R3 >> >> R4 and R2 are on the same ethernet segment. R1 is on Command and >> Control side of the sensor. The attack is coming from R3 ( telnet >> to R4 and issue "testattack" string ). The alarm shows up in event >> viewer...but no tcp reset...I mean...my telnet session stays >> active. If Cisco works the same as the rest of the world then the reset should originate from the management interface ( R1 ) unless you have created specific routes to use a non stealth interface for resets. You will have to have route capability from R1 to R4 and possibly R3 in order for the resets to do anything. Did you configure resets using the device manager? I am assuming that you are following the directions linked below. I do not have one to play with so I am only guessing. >> >> I know this probably has something to do with how I am setting up >> SPAN on the switch....but I am not sure. The IDS Sensing interface, >> R4 and R2 are on the same switch and in VLAN 20. R3 is in VLAN 30. If it does inject the resets out the monitor interface then you will have to set up your span as an RX/TX port and then IIRC it depends on what model of switch and IOS/CatOS you are running on whether the port will allow packets to be injected there. The following links may provide more info for you. GIAC paper that set it up using RealSecure. http://www.giac.org/practical/GSEC/Sylvain_Proulx_GSEC.pdf Cisco doc on configuring span ( RSPAN will not work ) http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00801a6ba9.html Cisco doc on configuring resets with the IDS http://www.cisco.com/en/US/products/sw/secursw/ps5052/products_configuration_example09186a00801c0e11.shtml#launch >> >> I have tried it without span ( just R4, R2 and IDS sensing >> interfaces in same vlan ) and with span configured as follows. >> Niether has worked. >> >> monitor session 1 source vlan 20 rx monitor session 1 destination >> int f0/17 ingress vlan 20 >> >> Any ideas?? >> >> Thanks, >> >> Dain > > > _______________________________________________ Full-Disclosure - We > believe in it. Charter: > http://lists.netsys.com/full-disclosure-charter.html >
Powered by blists - more mailing lists