Open Source and information security mailing list archives
 
Message-ID: <200405271947.i4RJlRW1032074@mailserver2.hushmail.com>
From: phathat at hushmail.com (Phathat)
Subject: IDS WIth TCP Reset and SPAN

I had a similar issue in the past. Two tips for you:

1) The RST packets go through the gateway address, you may need to add
persistent routes to manage. 

2) If you have a PIX/firewall in the mix it may be dropping your RST
packets as they could be hitting the "wrong" interface.

I know you're not spanning to the management port on your switch ;)

Hope it helps,

Cheers




I think the Cisco IDS was not snort, I forget what product they do use,
was not as flexible as snort and other packages, though I do assume that
in the 3-4 years since I last played with their IDS toy it has been
upgraded and issues with it fixed.

but, you are correct, most IDS systems do not do anything much more than
monitor the network stream.  Snort and other IDS systems can be
worked/setup with other tools like the firewall's capabilities to amend
the policy in response to what is seen by the IDS in stream.  But, one wants
to be careful in how they set this up, so that they avoid a sneak attack
that 'allows' their IDS/response system to deny service to their core
gateway or other resources.

Thanks,

Ron DuFresne

On Thu, 27 May 2004, dila wrote:

> As far as I know, Snort has no drop capabilities, hence Intrusion
> _Detection_ System.
>
> I found this using google:
> http://www.mcabee.org/lists/snort-users/Mar-03/msg00379.html
>
> -dila
>
> >Hello Group,
> >
> >Hopefully, this topic is ok to discuss here. I am fairly new to IDS
> >systems and am having trouble getting my cisco IDS to send TCP resets.
> >The lab network is as follows:
> >
> >
> >               R4
> >R1----IDS----|
> >               R2------R3
> >
> >R4 and R2 are on the same ethernet segment. R1 is on Command and Control
> >side of the sensor. The attack is coming from R3 ( telnet to R4 and issue
> >"testattack" string ). The alarm shows up in event viewer...but no tcp
> >reset...I mean...my telnet session stays active.
> >
> >I know this probably has something to do with how I am setting up
> >SPAN on the switch....but I am not sure. The IDS Sensing interface, R4
> >and R2 are on the same switch and in VLAN 20. R3 is in VLAN 30.
> >
> >I have tried it without span ( just R4, R2 and IDS sensing interfaces
> >in same vlan ) and with span configured as follows. Neither has worked.
> >
> >monitor session 1 source vlan 20 rx
> >monitor session 1 destination int f0/17 ingress vlan 20
> >
> >Any ideas??
> >
> >Thanks,
> >
> >Dain
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
	***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
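
The caution in the thread above, that an IDS wired to change firewall policy can be steered into denying service to the core gateway, is illustrated here as an added example that is not part of the original messages or of any product they mention. It is a guard placed between IDS alerts and firewall changes; the protected networks, limits, class and function names and the sample alerts are all constructed assumptions.

```python
import ipaddress
import time

# Hypothetical policy values, constructed for this example.
PROTECTED = [ipaddress.ip_network(n) for n in ("192.0.2.1/32", "10.0.0.0/24")]
MAX_BLOCKS_PER_WINDOW = 3   # cap on new blocks, limits damage from alert floods
WINDOW_SECONDS = 60
BLOCK_TTL_SECONDS = 300     # blocks expire, so a spoofed source is not cut off forever


class BlockGuard:
    """Decides whether an IDS alert may become a temporary firewall block."""

    def __init__(self):
        self.active = {}   # blocked source address -> expiry time
        self.recent = []   # times at which blocks were granted

    def decide(self, src, now=None):
        now = time.time() if now is None else now
        # Age out expired blocks and grants that fell outside the window.
        self.active = {a: t for a, t in self.active.items() if t > now}
        self.recent = [t for t in self.recent if now - t < WINDOW_SECONDS]
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            return "reject: malformed source"
        # Source addresses in alerts can be forged: never block core resources.
        if any(addr in net for net in PROTECTED):
            return "alert-only: protected address"
        if addr in self.active:
            return "already-blocked"
        if len(self.recent) >= MAX_BLOCKS_PER_WINDOW:
            return "alert-only: rate limit"
        self.active[addr] = now + BLOCK_TTL_SECONDS
        self.recent.append(now)
        return "block"


# Constructed alerts as (seconds, claimed source); 192.0.2.1 stands in for the gateway.
SAMPLE_ALERTS = [(0, "203.0.113.5"), (1, "192.0.2.1"), (2, "203.0.113.5"),
                 (3, "198.51.100.7"), (4, "198.51.100.8"), (5, "198.51.100.9"),
                 (70, "198.51.100.9"), (400, "203.0.113.5")]


def replay(alerts):
    """Run alerts through a fresh guard and return one decision per alert."""
    guard = BlockGuard()
    return [guard.decide(src, now=t) for t, src in alerts]
```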
