passive mode provides a reactive protection. It can be configured to reset the attacker’s connection, IP blocking, and Ip logging but it can’t stop the initial attack from reaching the targets. The reason is because the packets it inspects have been copied and forwarded to it by SPAN sessions or by promiscuosly listening traffic on a segment.
When the sensor is on inline mode, traffic has to traverse the sensor’s interfaces ( pair ).Traffic gets inspected, tested againts the signatures and then if OK then forwarded to the destination. This approach offers preventing protection because the sensor can stop an attack BEFORE it reaches the target which is something than IDS ( passive sensors ) can’t do
In summary I suggest you to try using your sensor on inline mode … it not only offers the same functinality of IDS but extra protection against attacks.
passive模式提供了passive保護,可以講起配置爲重置攻擊者的連接,IP阻止和IP日誌記錄,但是它不能阻止初始攻擊到達目標。原因是因爲它堅持的數據包已被SPAN會話複製或轉發給它,或者是通過隨意監聽網段上的流量。
當傳感器處於inline模式時,流量必須遍歷傳感器的接口(一對)。對流量進行檢查,再次測試簽名,然後如果確定,則將其轉發到目的地。這種方法提供了預防性保護,因爲傳感器可以在攻擊到達目標之前阻止攻擊,這是IDS(passive傳感器)無法做到的
總而言之,我建議您嘗試在inline模式下使用傳感器。它不僅提供與IDS相同的功能,而且還提供了針對攻擊的額外保護。
A passive IPS is not capable of blocking any traffic. On its own, it is capable of sending TCP connection resets. If it is paired with a firewall/router, it can send block requests to those devices. There are a few other things, but blocking can not be done.
In order to have the IPS block traffic, you have to put it “inline”. Inline means that what ever traffic you wish to inspect and, if necessary, block must go through the sensor.
passive IPS無法阻止任何流量。 它本身能夠發送TCP連接重置。 如果與防火牆/路由器配對,它可以將阻止請求發送到這些設備。 還有其他一些事情,但是無法完成阻止。
爲了使IPS阻止流量,您必須將其“inline”。 inline意味着您要檢查的所有流量以及必要時阻塞的流量都必須通過傳感器。