Chin,

When the response for a signature is set to RSKill, the sensor sends a session reset which spoofs both the source and destination IP addresses. If the monitoring interface for the sensor is set to stealth mode (meaning no IP address), there are raw packet drivers that still allow the sensor to reset the connections. The RSKill function will only work for connection-oriented traffic. Hope this helps.
Sam Junkin, CISSP

Security Engineer

NETSEC

Office 703.788.6221

www.netsec.net

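One way to verify that an RSKill response actually produced the spoofed reset pair described above, written as an added example in Python (not code from the thread or from RealSecure); the packet records are constructed inline and the record fields are my own.

```python
# Added example, not ISS RealSecure code: find connections in a capture that
# received a TCP reset in BOTH directions at nearly the same time, which is the
# footprint an RSKill response leaves. Packet records are constructed here.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    ts: float        # capture time in seconds
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: str = ""  # TCP flags, e.g. "S", "SA", "PA", "R"

def rskill_pairs(packets, window=0.5):
    """Return the endpoint pairs that saw a reset in both directions within
    `window` seconds. Only TCP is considered: a reset is a TCP concept, so a
    session kill cannot apply to UDP or other connectionless traffic."""
    resets = [p for p in packets if p.proto == "tcp" and "R" in p.flags]
    found = set()
    for a in resets:
        for b in resets:
            # b must mirror a exactly: addresses and ports swapped
            mirror = (b.src, b.dst, b.sport, b.dport) == (a.dst, a.src, a.dport, a.sport)
            if mirror and abs(a.ts - b.ts) <= window:
                found.add(tuple(sorted([(a.src, a.sport), (a.dst, a.dport)])))
    return found

# Constructed capture: a TCP session, its sensor-injected reset pair, an
# ordinary lone RST on another session, and a UDP flow that can never be reset.
SAMPLE = [
    Packet(1.00, "tcp", "10.0.0.5", "192.0.2.10", 40000, 80, "S"),
    Packet(1.01, "tcp", "192.0.2.10", "10.0.0.5", 80, 40000, "SA"),
    Packet(1.02, "tcp", "10.0.0.5", "192.0.2.10", 40000, 80, "PA"),
    Packet(3.00, "tcp", "10.0.0.5", "192.0.2.10", 40000, 80, "R"),   # spoofed
    Packet(3.01, "tcp", "192.0.2.10", "10.0.0.5", 80, 40000, "R"),   # spoofed
    Packet(5.00, "tcp", "10.0.0.6", "192.0.2.10", 40001, 80, "R"),   # ordinary
    Packet(6.00, "udp", "10.0.0.7", "192.0.2.53", 5353, 53),
]

if __name__ == "__main__":
    for a, b in sorted(rskill_pairs(SAMPLE)):
        print(f"reset pair seen for {a[0]}:{a[1]} <-> {b[0]}:{b[1]}")
```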

-----Original Message-----
From: Duncanson, Robert [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 04, 2003 8:16 AM
To: 'Chin Wan'; [EMAIL PROTECTED]
Subject: RE: [ISSForum] Can IDS - network/server sensor - kill traffic?

Chin,

If the Event Collector (EC) is down, the sensor continues working exactly as before. The only impact is that your events are not being written to the database.

The only function of the EC is to receive events. It does not influence the behaviour of a sensor in any way. Sensors operate according to the policy you set, using WGM (or SiteProtector), which, of course, is related to the signatures available.

If a policy includes sending an RSKill for a particular signature, the sensor will send an RSKill on the designated RSKill interface immediately when the signature is detected, independently of the EC. The event is then placed in a queue for transmission to the EC.

If the EC is already in contact with the sensor, that event will be sent right away. If not, the queue keeps growing up to the size you configure (maximum of 15Mb). When the EC comes back online and is able to establish a session with the sensor, events are retrieved from the queue.

Regards,

Robert

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chin Wan
Sent: 04 December 2003 04:13
To: [EMAIL PROTECTED]
Subject: [ISSForum] Can IDS - network/server sensor - kill traffic?

Hi everyone,

I'm using RealSecure Network & Server sensors and Workgroup Manager. I have a few questions here, so I hope you all can help me.

I know that these sensors are to detect intrusion and log events via Event Controller. However, do the sensors really kill 'illegal' traffic if I have the appropriate policy applied to the sensors? How does the sensor kill the traffic? Is the sensor still monitoring the traffic/system even though the Event Collector is kinda 'down'?

Thanks everyone, in advance, for your help.

Regards

Chin

System Engineer