[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <Pine.GSO.4.43.0405271511390.14219-100000@tundra.winternet.com>
From: dufresne at winternet.com (Ron DuFresne)
Subject: IDS WIth TCP Reset and SPAN
That rings a bell <but, is that the right bell ringing?!>. And the
problem was with the MIB that held all the sigs, well, one of the
problems was the MIB, it lacked many sigs, and was not updated often
enough to make it really useful, specially in the light of today, with
how quickly new attack vectors find they way into the light. But, there
were other issues, and I'm sure some of them have had to be addressed.
But snort still in our mind and experience, reigns supreme, especially
when one looks at cost. But, snort has a vaast following as well and
these users share their work. Now as to whether or not snort-inline is an
IDS or has been pushed into the realm of a 'firewall', well that is a
different topic...
Thanks,
Ron DuFresne
On Thu, 27 May 2004, Robert MacDonald wrote:
> NetRanger, wasn't it?
>
>
> -----Original Message-----
> From: Ron DuFresne [mailto:dufresne@...ternet.com]
> Sent: Thu 5/27/2004 12:39 PM
> To: dila
> Cc: full-disclosure@...ts.netsys.com
>
>
>
>
>
> I think the cisco IDS was not snort, I forget what product they do use,
> was not as flexible as snort and other packages, though I do assume that
> in the 3-4 years since I last played with their IDS toy it has been
> upgraded and issues with it fixed.
>
> but, you are correct, most IDS systems do not do anything much more then
> monitor the network stream. Snort and other IDS systems can be
> worked/setup with other tools like the firewalls capabilites to amend the
> policy in response to what is seen by the IDS in stream. But, one wants
> to be careful in how they set this up, so that they avoid a sneak attack
> them 'allows' their IDS/response system to denail service to their core
> gateway or other resources.
>
> Thanks,
>
> Ron DuFresne
>
> On Thu, 27 May 2004, dila wrote:
>
> > As far as I know, Snort has no drop capabilities, hence Intrusion
> > _Detection_ System.
> >
> > I found this using google:
> > http://www.mcabee.org/lists/snort-users/Mar-03/msg00379.html
> >
> > -dila
> >
> > >Hello Group,
> > >
> > >Hopefully, this topic is ok to discuss here. I am fairly new to IDS systems and am having trouble getting my cisco IDS to send TCP resets. The lab network is as follows:
> > >
> > >
> > > R4
> > >R1----IDS----|
> > > R2------R3
> > >
> > >R4 and R2 are on the same ethernet segment. R1 is on Command and Control side of the sensor. The attack is coming from R3 ( telnet to R4 and issue "testattack" string ). The alarm shows up in event viewer...but no tcp reset...I mean...my telnet session stays active.
> > >
> > >I know this probably has something to do with how I am setting up SPAN on the switch....but I am not sure. The IDS Sensing interface, R4 and R2 are on the same switch and in VLAN 20. R3 is in VLAN 30.
> > >
> > >I have tried it without span ( just R4, R2 and IDS sensing interfaces in same vlan ) and with span configured as follows. Niether has worked.
> > >
> > >monitor session 1 source vlan 20 rx
> > >monitor session 1 destination int f0/17 ingress vlan 20
> > >
> > >Any ideas??
> > >
> > >Thanks,
> > >
> > >Dain
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
Powered by blists - more mailing lists