| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: phathat at hushmail.com (Phathat) Subject: IDS WIth TCP Reset and SPAN I had a similar issue in the past. Two tips for you: 1) The RST packets go through the gateway address, you may need to add persistent routes to manage. 2) If you have a PIX/firewall in the mix it may be dropping your RST packets as they could be hitting the "wrong" interface. I know your not spanning to the management port on your switch ;) Hope it helps, Cheers I think the cisco IDS was not snort, I forget what product they do use, was not as flexible as snort and other packages, though I do assume that in the 3-4 years since I last played with their IDS toy it has been upgraded and issues with it fixed. but, you are correct, most IDS systems do not do anything much more then monitor the network stream. Snort and other IDS systems can be worked/setup with other tools like the firewalls capabilites to amend the policy in response to what is seen by the IDS in stream. But, one wants to be careful in how they set this up, so that they avoid a sneak attack them 'allows' their IDS/response system to denail service to their core gateway or other resources. Thanks, Ron DuFresne On Thu, 27 May 2004, dila wrote: > As far as I know, Snort has no drop capabilities, hence Intrusion > _Detection_ System. > > I found this using google: > http://www.mcabee.org/lists/snort-users/Mar-03/msg00379.html > > -dila > > >Hello Group, > > > >Hopefully, this topic is ok to discuss here. I am fairly new to IDS systems and am having trouble getting my cisco IDS to send TCP resets. The lab network is as follows: > > > > > > R4 > >R1----IDS----| > > R2------R3 > > > >R4 and R2 are on the same ethernet segment. R1 is on Command and Control side of the sensor. The attack is coming from R3 ( telnet to R4 and issue "testattack" string ). The alarm shows up in event viewer...but no tcp reset...I mean...my telnet session stays active. > > > >I know this probably has something to do with how I am setting up SPAN on the switch....but I am not sure. The IDS Sensing interface, R4 and R2 are on the same switch and in VLAN 20. R3 is in VLAN 30. > > > >I have tried it without span ( just R4, R2 and IDS sensing interfaces in same vlan ) and with span configured as follows. Niether has worked. > > > >monitor session 1 source vlan 20 rx > >monitor session 1 destination int f0/17 ingress vlan 20 > > > >Any ideas?? > > > >Thanks, > > > >Dain > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html ***************************************************************************** This communication is for the use of the intended recipient only. It may contain information that is privileged and confidential. If you are not the intended recipient of this communication, any disclosure, copying, further distribution or use thereof is prohibited. If you have received this communication in error, please advise me by return e-mail or by telephone and delete/destroy it. *****************************************************************************
Powered by blists - more mailing lists