RE: IDS question [was: Re: Firewall and DMZ topology]

2003-06-16 Thread John Brightwell
I wasn't completely clear in my last e-mail. I was thinking more along the lines of having the IDS in the DMZ. Any attacks that get past the outside firewall to the DMZ hosts would be caught by the IDS in the DMZ. The attacks that don't make it past the external firewall into the DMZ

RE: IDS question [was: Re: Firewall and DMZ topology]

2003-06-12 Thread Mann, Bobby
External IDS can be inline or passive sitting on a span port. For any ISP or hosting facility bandwidth, routers and servers are a big issue. IDS is very important if you have a 99.999% SLA with your clients, you don't want to take any chances with any sort of downtime. So in my opinion I

Re: IDS question [was: Re: Firewall and DMZ topology]

2003-06-12 Thread Chris Berry
From: Steve Bremer [EMAIL PROTECTED] tri-homed firewall, more so if you have IDS sensors at exterior, dmz, and interior, and the time to monitor them. Changing subjects a little bit here. I agree with our IDS comment, but I'm curious about how your external IDS is used. I've run into differing

RE: IDS question [was: Re: Firewall and DMZ topology]

2003-06-12 Thread Steve Bremer
Hi, External IDS can be inline or passive sitting on a span port. For any Good point. I was thinking of just a monitoring sensor, but an in-line sensor that can be configured to block active attacks would be nice. Has anyone tried Hogwash? So in my opinion I think it's important to

RE: IDS Recommendation

2003-01-27 Thread alias
I use Seccuris Security out of Winnipeg, Manitoba, Canada. They have done an excellent job for me. -Original Message- From: Tuttle, Jim[EMAIL PROTECTED] Sent: 1/24/03 11:45:07 AM To: Tony Toni[EMAIL PROTECTED], [EMAIL PROTECTED][EMAIL PROTECTED] Subject: RE: IDS

RE: IDS Recommendation

2003-01-27 Thread Bhavin
. -Original Message- From: Paul Stewart [mailto:[EMAIL PROTECTED]] Sent: Friday, January 24, 2003 2:54 PM To: 'Tuttle, Jim' Cc: [EMAIL PROTECTED] Subject: RE: IDS Recommendation Speaking of snort.. In the Cisco world, that's the equivalent? Can it be done effectively with their IDS options

RE: IDS Recommendation

2003-01-27 Thread Perry, John
- -Original Message- From: Paul Stewart [mailto:[EMAIL PROTECTED]] Sent: Friday, January 24, 2003 4:54 PM To: 'Tuttle, Jim' Cc: [EMAIL PROTECTED] Subject: RE: IDS Recommendation Speaking of snort.. In the Cisco world, that's the equivalent? Can it be done effectively with their IDS options

Re: IDS Managed Service..Recommendation?

2003-01-26 Thread Gene Yoo
tony tony wrote: Hi, Anybody know of a good IDS Managed Service Organization that they could recommend to me? Our current security staff is just too small and overwhelmed with other security projects to install/monitor/followup on IDS findings. We also lack the technical expertise to do this.

Re: IDS Managed Service..Recommendation?

2003-01-25 Thread Bill Yurcik
I have some experience with and recommend Counterpane. www.counterpane.com - Bill Yurcik [EMAIL PROTECTED] NCSA/U of Illinois On Mon, 20 Jan 2003, tony tony wrote: Anybody know of a good IDS Managed Service Organization that they could recommend to me? Our current security staff is just too

Re: IDS Setup

2002-05-20 Thread Peter Lee
On 17 May 2002 at 14:03, Adam Shephard wrote: I suffer from a logic deficiency and I've been tossing an idea around in my head. I thought it might be a good idea to run the logic past the people here. I have a firewall between my network and the world and Snort behind my firewall. That Snort

RE: IDS Setup

2002-05-20 Thread Leon Ward
Hi Adam, My 0.2 Euros worth. You are kind of on the correct path, but consider this... I am _guessing_ that you are thinking of a setup along the lines of. (Internet)--|hub| |-|firewall|---|hub|

RE: IDS Evaluation

2002-05-06 Thread Christophe Nemeth
Hi Faiz, go to this site, you have a quite well done IDS report to download. http://www.nss.co.uk/ Hope it helps. Personally I work with Cisco and Snort and I am quite happy with them. Cheers chris -Original Message- From: Faiz Ahmad [mailto:[EMAIL PROTECTED]] Sent: vendredi, 3.

RE: IDS

2002-05-01 Thread Tim V(@DZ)
not change this single port limitation. -Original Message- From: Brett Jackson [mailto:[EMAIL PROTECTED]] Sent: Monday, April 29, 2002 11:20 AM To: 'Batton, David L.'; 'Kevin Brooks'; [EMAIL PROTECTED] Subject: RE: IDS If you want to mirror ALL traffic, you can set SPAN on the switch. You

RE: IDS

2002-04-30 Thread Brett Jackson
:[EMAIL PROTECTED]] Sent: Friday, April 26, 2002 8:47 AM To: Kevin Brooks; [EMAIL PROTECTED] Subject: RE: IDS Kevin, It looks as if you're working with 29XX or 35XX gear using IOS? Is this correct? I think the commands you are looking for is port monitor fast 0/x. You should do this inside

RE: IDS

2002-04-29 Thread Batton, David L.
Kevin, It looks as if you're working with 29XX or 35XX gear using IOS? Is this correct? I think the commands you are looking for is port monitor fast 0/x. You should do this inside the fast ethernet interface you want to use as the monitoring interface and list all the vlans and fast

RE: IDS

2002-04-26 Thread Brian Greppi
Follow this link for a full description of SPAN. http://www.cisco.com/warp/public/473/41.html Brian Greppi Systems/Network Engineer Tempest Computers Phone: 412.826.5005 Mobile: 412.417.5875 Find out why companies like Seagate and Cisco choose Tempest Computers for their High-End Server

RE: IDS

2002-04-26 Thread Art Tarsha
depends on the switch.. set span -Original Message- From: John Allhiser [mailto:[EMAIL PROTECTED]] Sent: Wednesday, April 24, 2002 1:42 PM To: 'Kevin Brooks'; [EMAIL PROTECTED] Subject: RE: IDS Try looking at the span command. -Original Message- From: Kevin Brooks [mailto

Re: IDS

2002-04-25 Thread Jaya Baloo
On Wed, 24 Apr 2002, Kevin Brooks wrote: On a Cisco switched network does anybody know how to set one port on one of the switches to mirror all traffic? I just setup an IDS and this is the one stumbling block I've hit. I know it's FastEth x/x portforward fastEth 0/1

RE: IDS

2002-04-25 Thread John Allhiser
Try looking at the span command. -Original Message- From: Kevin Brooks [mailto:[EMAIL PROTECTED]] Sent: Wednesday, April 24, 2002 2:11 PM To: [EMAIL PROTECTED] Subject: IDS On a Cisco switched network does anybody know how to set one port on one of the switches to mirror all traffic? I

Re: IDS

2002-04-25 Thread Warchild
On a Cisco switched network does anybody know how to set one port on one of the switches to mirror all traffic? I just setup an IDS and this is the one stumbling block I've hit. I know it's FastEth x/x portforward fastEth 0/1 portforward fastEth 0/2 and so on.. I

RE: IDS

2002-04-25 Thread Andrew Blevins
In Cisco it's called port-spanning. Look in your IOS help. Blev -Original Message- From: Kevin Brooks [mailto:[EMAIL PROTECTED]] Sent: Wednesday, April 24, 2002 12:11 PM To: [EMAIL PROTECTED] Subject: IDS On a Cisco switched network does anybody know how to set one port on one of the

RE: IDS Intro Project Suggestions

2002-03-26 Thread Treu, Jill
Take a look at Snort for network based intrusion detection. It is excellent --- and free. For more information go to: www.snort.org Jill -Original Message- From: Ryan P Zagata To: [EMAIL PROTECTED] Sent: 3/22/02 4:54 PM Subject: IDS Intro Project Suggestions I have a question/favor

Re: IDS

2002-03-18 Thread Rajesh Kumar D.
A best solution will be to avail of the monitoring ports in the switches and go ahead with snort. I've had no problems with it. Regards DRajesh

RE: IDS

2002-03-14 Thread Bejon Parsinia
Pavel, A NIDS cannot function properly in a switched network. Most sensors cannot see through to other collision domains across a switch. What you would have to do in order to make this work is, for example, on a Cisco Catalyst you need to set up a vlan across the different segments so that

Re: IDS

2002-03-14 Thread dewt
Snort will work in a switched environment, either configure the switch to mirror all traffic to the port the snort sensor is on, or do mac address spoofing. (the first one is the best solution) On Tuesday 12 March 2002 06:53 am, Pavel Lozhkin wrote: Hi ! Could one recommend me a IDS, such

Re: IDS

2002-03-14 Thread Security
Hello Pavel I refer to the mail from 'leon' which refers to the following link[1] which describes how you can sniff in a switched environment. Actually, the techniques described in there are not The Right Way[tm] to sniff out your switched environment, if you have access to your switch

RE: IDS that retaliates.

2002-03-14 Thread SEdwards
-Original Message- From: Simon Edwards Sent: 08 March 2002 21:29 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: IDS that retaliates. I have heard of similar things, probably one

RE: IDS

2002-03-12 Thread BRAD GRIFFIN
Intrusion Detection System: http://www.robertgraham.com/pubs/network-intrusion-detection.html http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html http://www.snort.org Cheers, Brad -Original Message- From: Gerard Fremaint [mailto:[EMAIL PROTECTED]] Sent: Sunday, March 10,

Re: IDS

2002-03-12 Thread jeremy
intrusion detection system - Original Message - From: Gerard Fremaint [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Saturday, March 09, 2002 7:25 PM Subject: IDS what is an IDS ?

RE: IDS

2002-03-12 Thread Chris Chandler
IDS stands for Intrusion Detection Software/System Chris Chandler MCSE 2000, A+, Network +, MCP-I -Original Message- From: Gerard Fremaint [mailto:[EMAIL PROTECTED]] Sent: Saturday, March 09, 2002 10:26 PM To: [EMAIL PROTECTED] Subject: IDS what is an IDS ?

Re: IDS

2002-03-12 Thread Harold Rodriguez
IDS is an Intrusion Detection System. See this FAQ for more information: http://www.robertgraham.com/pubs/network-intrusion-detection.html Cheers. -- Harold Rodriguez .:. [EMAIL PROTECTED] World Wide Web.:. http://it.yorku.ca/moonfrog

RE: IDS

2002-03-12 Thread Trevor Cushen
Intrusion Detection System It is used to monitor traffic or activity on a network or host for signs of intrusion etc. You will not get very far in your investigation without hearing about Snort for both Unix and NT, simply because it is excellent. Demarc will also grace your screen in many a

RE: IDS

2002-03-12 Thread Bejon Parsinia
IDS is an acronym that stands for Intrusion Detection System. Also referred to as a NIDS, or Network Intrusion Detection System. It is an application that sits on a desktop/server and sniffs packets on your network for malicious or questionable behavior. A great example of an application like

Re: IDS

2002-03-12 Thread Vincent Hillier
An IDS is an intrusion detection system, check out this link for a better description... http://www.barbedwires.com/faqs.htm#8 8--What is an IDS and how does it work? The intrusion detection device listens to packets on the network and compares the network traffic to a pattern database to

Re: IDS

2002-03-12 Thread Stephen Entwisle
Paul Innella wrote a good introductory article on intrusion detection systems that is in the SecurityFocus Basics focus area: http://online.securityfocus.com/infocus/1520 . Stephen Entwisle Moderator, Security-Basics SecurityFocus http://www.securityfocus.com (403) 213 3939 ext. 235

RE: IDS

2002-03-12 Thread Demitrious S. Kelly
http://online.securityfocus.com/library/3401 -Original Message- From: Gerard Fremaint [mailto:[EMAIL PROTECTED]] Sent: Saturday, March 09, 2002 7:26 PM To: [EMAIL PROTECTED] Subject: IDS what is an IDS ?

RE: IDS that retaliates.

2002-03-11 Thread KoRe MeLtDoWn
Francis Owner/Operator -= KoRe WoRkS =- Internet Security http://www.koreworks.com/ Is your site really secure? From: Thomas Porter, Ph.D. [EMAIL PROTECTED] To: 'Carr, Aaron [CNTUS]' [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: RE: IDS that retaliates. Date

Re: IDS that retaliates.

2002-03-09 Thread roy lo
: Wednesday, March 06, 2002 7:01 PM To: Mark Crosbie; Carr, Aaron [CNTUS] Cc: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: IDS that retaliates. Mark Crosbie wrote: What good does retaliation really get you though (apart from a whole load of legal headache)? Wouldn't

RE: IDS that retaliates.

2002-03-09 Thread Steve
]] Sent: Thursday, March 07, 2002 2:52 PM To: 'Marcus J. Ranum'; Mark Crosbie; Carr, Aaron [CNTUS] Cc: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: IDS that retaliates. NOTE: All opinions are my own and in no way reflect the views of my employer. Actually

Re: IDS that retaliates.

2002-03-09 Thread InterceptiX Security
: Wednesday, March 06, 2002 8:23 PM Subject: RE: IDS that retaliates. On Wed, 2002-03-06 at 06:22, Carr, Aaron [CNTUS] wrote: You may wish to clarify your meaning of retaliate. When I think As a HIDS we tend to think of retaliation (which is such an aggressive term) more in terms of recovery. So

Re: IDS that retaliates.

2002-03-09 Thread Serban Teodorescu
: RE: IDS that retaliates. I see your point. However, that is like saying the innocent is not innocent until proven guilty. Do we not have to abide by our constitution when it comes to these matters as well? -Original Message- From: Royer, Cedric [mailto:[EMAIL PROTECTED]] Sent

RE: IDS that retaliates.

2002-03-09 Thread Paran0ia Unlimited.
Something active that is only going to affect a real attacker that can't be used to attack the innocent by reflection or redirection is sounding like Tarpit to me .. imho of course http://www.hackbusters.net/LaBrea/ never used it (yet) ... but love the concept. Cheers Paran0ia If

RE: IDS that retaliates.

2002-03-09 Thread SEdwards
16:04 To: Carr, Aaron [CNTUS]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: IDS that retaliates. retaliate, I think an equal or greater reaction to the probe or attack in question. You may simply be saying take effective counter-measures, such as performing a shun

RE: IDS that retaliates.

2002-03-09 Thread SEdwards
]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: IDS that retaliates. Agreed. Plus, you can't go launching counter-attacks when most of the time the machine you would be attacking was not at fault. It's been spoofed in some way shape or form. Therefore, you would be taking down an innocent

RE: IDS that retaliates.

2002-03-08 Thread Thomas Porter, Ph.D.
Keith McCammon has already mentioned that retaliate almost always means, Active Response. There are a number of good technical, legal, business reasons for not choosing to actively respond in an enterprise environment. In fact, I don't know of anyone outside of a lab environment who has turned

RE: IDS that retaliates.

2002-03-08 Thread Marcus J. Ranum
Mark Crosbie wrote: What good does retaliation really get you though (apart from a whole load of legal headache)? Wouldn't recovery be a better goal to aim for? We've often gotten requests for firewall reconfiguration or other types of reaction - what's interesting to me is that all these

RE: IDS that retaliates.

2002-03-08 Thread Kohlenberg, Toby
PROTECTED]] Sent: Wednesday, March 06, 2002 4:01 PM To: Mark Crosbie; Carr, Aaron [CNTUS] Cc: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: IDS that retaliates. Mark Crosbie wrote: What good does retaliation really get you though (apart from a whole load of legal

Re: IDS that retaliates.

2002-03-08 Thread datasoftvsp
very true retaliation is illegal dp - Original Message - From: Mike Gilles [EMAIL PROTECTED] To: 'McCammon, Keith' [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Wednesday, March 06, 2002 1:49 AM Subject: RE: IDS that retaliates. | Just as a side note

RE: IDS that retaliates.

2002-03-08 Thread Reidy, Patrick
Crosbie; Carr, Aaron [CNTUS] Cc: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: IDS that retaliates. Mark Crosbie wrote: What good does retaliation really get you though (apart from a whole load of legal headache)? Wouldn't recovery be a better goal to aim for? We've often

RE: IDS that retaliates.

2002-03-07 Thread Toni Heinonen
retaliate, I think an equal or greater reaction to the probe or attack in question. You may simply be saying take effective counter-measures, such as performing a shun on a host or network, which is already available in multiple products. One such product is the Cisco secure IDS in

RE: IDS that retaliates.

2002-03-07 Thread McCammon, Keith
PROTECTED] Subject: RE: IDS that retaliates. I see your point. However, that is like saying the innocent is not innocent until proven guilty. Do we not have to abide by our constitution when it comes to these matters as well? -Original Message- From: Royer, Cedric [mailto:[EMAIL

Re: IDS that retaliates.

2002-03-07 Thread Igor D. Spivak
[EMAIL PROTECTED] To: McCammon, Keith [EMAIL PROTECTED] Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Tuesday, March 05, 2002 1:56 PM Subject: RE: IDS that retaliates. Replying to spoofed packed with an attack could have nasty consequences. If someone spoofed packets

RE: IDS that retaliates.

2002-03-07 Thread Brad . Dunn
PROTECTED]] Sent: Tuesday, March 05, 2002 3:00 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: IDS that retaliates. This is generally referred to as Active Response. In most cases (commercial IDS), this involves the IDS sending TCP RST packets to both ends

RE: IDS that retaliates.

2002-03-06 Thread Chip McClure
The only application I know of that does anything like this is Portsentry. Available from: http://www.psionic.com/abacus/portsentry/ Although not a real IDS, it listens for connections to ports that have been set up as a sort-of honeypot, and adds

Re: IDS that retaliates.

2002-03-06 Thread cconn
Some IDS packages are able to terminate offending network sessions on the fly. E-trust IDS does this by sending several spoofed packets with the RST flag set. Security Focus recently carried an article on this type of defense called Understanding IDS Active Response Mechanisms by Jason Larsen

RE: IDS that retaliates.

2002-03-06 Thread Nick Patellis
[EMAIL PROTECTED] The desire to click through far outweighs the reason not to. -Original Message- From: Ralph Los [mailto:[EMAIL PROTECTED]] Sent: Tuesday, March 05, 2002 2:47 PM To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: IDS that retaliates. I can't speak

RE: IDS that retaliates.

2002-03-06 Thread Michael Lindsay
: 06/03/2002 07:00 AM Subject: RE: IDS that retaliates

RE: IDS that retaliates.

2002-03-06 Thread Matthew F. Caldwell
PROTECTED] Subject: RE: IDS that retaliates. I can't speak for too many options - but Secure Computing has a product that USED to do that, until it became illegal. (If I'm not mistaken, and I might be, SideWinder did something of the nature, or maybe the complementary IDS?) Cheers

Re: IDS that retaliates.

2002-03-06 Thread spyguy703
Check out hogwash (works with Snort IDS). http://hogwash.sourceforge.net/ On Tuesday 05 March 2002 11:46 am, Ralph Los wrote: I can't speak for too many options - but Secure Computing has a product that USED to do that, until it became illegal. (If I'm not mistaken, and I might be,

RE: IDS that retaliates.

2002-03-06 Thread Mike Gilles
Message- From: McCammon, Keith [mailto:[EMAIL PROTECTED]] Sent: Tuesday, March 05, 2002 3:00 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: IDS that retaliates. This is generally referred to as Active Response. In most cases (commercial IDS), this involves the IDS

RE: IDS that retaliates.

2002-03-06 Thread McCammon, Keith
This is generally referred to as Active Response. In most cases (commercial IDS), this involves the IDS sending TCP RST packets to both ends of the connection so that the connection is destroyed and cleared from the buffers. This is also the extent to which most commercially-available IDSs

RE: IDS that retaliates.

2002-03-06 Thread Mike Shaw
Now if you're referring to launching counter-attacks or similar offensives in response to alerts, this isn't going to go mainstream in the near future. There are a number of reasons for this, but most notably is the fact that (in the U.S., anyway) intrusive retaliation is, technically, every

RE: IDS that retaliates.

2002-03-06 Thread Brent Deterding
Also check out PacketHound from Palisades Systems (http://www.packethound.com) - pretty cool. -- Brent -Original Message- From: McCammon, Keith [mailto:[EMAIL PROTECTED]] Sent: Tuesday, March 05, 2002 2:00 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: IDS

RE: IDS for Pix Firewall

2002-02-07 Thread Smith, Chris
Are you looking for separate IDS products that integrate with the PIX, or an IDS system which will work in your environment. Two very different solutions, dependent on what you want the IDS system to accomplish (monitoring only), alerting, shunting/resets, etc. As well, are you the guy who will

RE: IDS Question

2001-11-22 Thread info
Try the open source security testing methodology manual (http://www.osstmm.org) -- there is a module on testing IDS. Z. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: jueves, 15 de noviembre de 2001 4:56 To: [EMAIL PROTECTED] Subject: RE: IDS Question I'm

RE: IDS Question

2001-11-12 Thread Paul Innella
Virtually all IDS products will allow for alerts that generate emails and pages as their means of notification. Our experience is that ISS' solution is in fact one of the easier to manage while Symantec's is more difficult. The best solution that we have seen, however, is Enterasys' Dragon

Re: IDS Question

2001-11-10 Thread Chris Booth
On Monday 05 Nov 2001 5:54 pm, [EMAIL PROTECTED] wrote: Hello All, snip My question is does anyone have any recommendations on an IDS that is easy to manage and not to pricey. What I am looking for in the IDS features is to have it e-mail or if possible send a Text Page to a cell phone or

RE: IDS White Papers/Documents

2001-11-05 Thread tommy . d . gast
Actually you hit it right on the button and I'll tell you why. Having your webroot folder in a separate location from where the default installation protects you from a world of silly exploits and ridiculous script kiddie wanna be hacker attacks. This would be the primary reason because if u

RE: IDS White Papers/Documents

2001-11-03 Thread Stephen Entwisle
Hi Mark, Since your thread seems to be wandering away from your initial question, I thought that I would chip in with a little relevant advice. Try the SecurityFocus library's IDS section, which you can find at: http://www.securityfocus.com/cgi-bin/library.pl?cat=51 . Stephen Entwisle

RE: IDS White Papers/Documents

2001-11-03 Thread Arjen De Landgraaf
. NZ$.0.2 cents worth (lot less than US$0.02) Arjen New Zealand -Original Message- From: Mike Gilles [mailto:[EMAIL PROTECTED]] Sent: Friday, November 02, 2001 3:43 AM To: yashpals; [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: RE: IDS White Papers/Documents No Offence, but I

RE: IDS White Papers/Documents

2001-11-03 Thread Ben Duncan
IDS should be placed in all three + servers/host agents. In front of firewall to detect external attempts Behind firewall to detect internal attempts and successful external attacks (useful to compare info from Ext + int sensors) In DMZ to monitor activity to mailer/FTP/web whatever. Hope this

RE: IDS White Papers/Documents

2001-10-31 Thread Matthew Travis Sibley
I can tell you that you have your work cut out for you. It all depends upon what you are wishing to see. When implementing an IDS solution, most people want to see/detect as much as possible. There are a few issues: Host based IDS sensors, network based IDS sensors, or both. Ideally you would

Re: IDS White Papers/Documents

2001-10-31 Thread yashpals
Hi Mark, It is always a good to put IDS behind the firewall. As firewall blocks most of the unwanted traffic and if someone manages to bypass the firewall then he/she may be detected by IDS. enjoy, yash [EMAIL PROTECTED] wrote: Hi all, Any help with the following greatly appreciated!

RE: IDS White Papers/Documents

2001-10-30 Thread Golden_Eternity
The background to this is that I want to implement an IDS on a network which has an incoming/outgoing Internet connection for all users. There is currently a firewall protecting this connection, but I want to know whether I should locate the IDS in front of or behind the firewall? Should the

RE: IDS White Papers/Documents

2001-10-30 Thread Clément Dupuis
Good day Mark, Goto http://www.cccure.org/categories.php?op=newindexcatid=1 On that page you will find a link to the 60 minutes network security guide. The last portion of the guide is about IDS deployment and covers location. Clement -Original Message- From: [EMAIL PROTECTED]

RE: IDS logs vs FW1 logs

2001-10-18 Thread Seham Mohamed
Hi, You must review all the logs that you have because of the following: - The IDS does not include all the possible vulnerabilities (there may be new ones). - You can find more information from the fw log file. It can guide you to the specific location that the intruder is interested in. -