IDS mailing list archives
Re: IDS responses
From: <marca369 () student liu se>
Date: 18 Nov 2002 14:33:35 -0000
In-Reply-To: <009501c28e69$a5b09a80$438990d5 () ch ema ad pwcinternal com>
> > Can anyone explain or direct me to an explanation of the SNMP Trap's use in active responses of intrusion detection systems?
>
> See answer below
>
> > SNMP Trap; Reconfigure network devices?
>
> SNMP Traps can be used on a sensor to send asynchronous messages to a console. These messages are not sent to network devices. The console on its end might then reconfigure the network device (probably via SNMP again, but not TRAPS, but an SNMP SET). I think this is all the magic that is behind this.

So, as far as I understand, what vendors mean by stating their products support "SNMP Trap" is the same as supporting blocking or shunning (reconfiguring router/firewall ACLs)?

Using SNMP for sending event messages to the IDS console wouldn't be very smart since it's a connectionless protocol (UDP) and the traffic is unencrypted.

/Markus
Current thread:
- IDS responses marca369 (Nov 16)
- Re: IDS responses Raffael Marty (Nov 17)
- <Possible follow-ups>
- Re: IDS responses marca369 (Nov 19)
- RE: IDS responses Kohlenberg, Toby (Nov 22)