lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <2DAD62F9671F2B4086B98467C14EE7D3018E7426@nahollex01.NA.Haworthinc.com>
From: Robert.MacDonald at Haworth.com (Robert MacDonald)
Subject: IDS WIth TCP Reset and SPAN

NetRanger, wasn't it?
 

-----Original Message----- 
From: Ron DuFresne [mailto:dufresne@...ternet.com] 
Sent: Thu 5/27/2004 12:39 PM 
To: dila 
Cc: full-disclosure@...ts.netsys.com 





I think the cisco IDS was not snort, I forget what product they do use,
was not as flexible as snort and other packages, though I do assume that
in the 3-4 years since I last played with their IDS toy it has been
upgraded and issues with it fixed.

but, you are correct, most IDS systems do not do anything much more then
monitor the network stream.  Snort and other IDS systems can be
worked/setup with other tools like the firewalls capabilites to amend the
policy in response to what is seen by the IDS in stream.  But, one wants
to be careful in how they set this up, so that they avoid a sneak attack
them 'allows' their IDS/response system to denail service to their core
gateway or other resources.

Thanks,

Ron DuFresne

On Thu, 27 May 2004, dila wrote:

> As far as I know, Snort has no drop capabilities, hence Intrusion
> _Detection_ System.
>
> I found this using google:
> http://www.mcabee.org/lists/snort-users/Mar-03/msg00379.html
>
> -dila
>
> >Hello Group,
> >
> >Hopefully, this topic is ok to discuss here. I am fairly new to IDS systems and am having trouble getting my cisco IDS to send TCP resets. The lab network is as follows:
> >
> >
> >               R4
> >R1----IDS----|
> >               R2------R3
> >
> >R4 and R2 are on the same ethernet segment. R1 is on Command and Control side of the sensor. The attack is coming from R3 ( telnet to R4 and issue "testattack" string ). The alarm shows up in event viewer...but no tcp reset...I mean...my telnet session stays active.
> >
> >I know this probably has something to do with how I am setting up SPAN on the switch....but I am not sure. The IDS Sensing interface, R4 and R2 are on the same switch and in VLAN 20. R3 is in VLAN 30.
> >
> >I have tried it without span ( just R4, R2 and IDS sensing interfaces in same vlan ) and with span configured as follows. Niether has worked.
> >
> >monitor session 1 source vlan 20 rx
> >monitor session 1 destination int f0/17 ingress vlan 20
> >
> >Any ideas??
> >
> >Thanks,
> >
> >Dain


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ