IDS mailing list archives
RE: IDS responses
From: "Kohlenberg, Toby" <toby.kohlenberg () intel com>
Date: Mon, 18 Nov 2002 02:47:07 -0800
This is a good list but you missed one: forged response to the attacker- Dragon has/had (I haven't checked to see if it is in the newest release) the ability to respond to things like scanning and Nmap OS detection packets with spoofed data that would suggest a different OS or ports being open/closed when they are not in reality. This is very cool, IMHO, as it doesn't kill the connection, it just injects some false information into the data flow that will make the attackers job more difficult. All opinions are my own and in no way reflect the views of my employer. Toby
-----Original Message----- From: marca369 () student liu se [mailto:marca369 () student liu se] Sent: Friday, November 15, 2002 5:06 AM To: focus-ids () securityfocus com Subject: IDS responses Hi all! I'm currently trying to learn about the different repsonses an IDS can perform and I have trouble finding detailed information. For those of you who don't feel like reading through the rest of the text I'll state my problem here: Can anyone explain or direct me to an explanation of the SNMP Trap's use in active responses of intrusion detection systems? As far as I understand, responses can traditionally be divided into two categories; active and passive. Active responses actively change the internal state of the IDS or the surrounding environment and passive responses deal with notifications and harvesting of information. Due to the upcoming intrusion prevention systems, two new categorizations exists; proavtive and reactive. Proactive responses takes place before the attack is carried out, effectively stopping it from being successful and reactive responses are executed during or after the attack. The traditional responses fall under the reactive category. So far so good. Looking further into the traditional categories, several actual responses can be found (taken from the major IDS vendor's brochyres). Active: ------------- Blocking (shunning); Reconfiguration of routers/firewalls ACL lists to deny the attacker access. TCP Reset; Sendning a TCP packet with the reset databit set to the source/target of the attack. Disable user account; Used i host based IDS, speaks for itself. Terminate user session; As above. Invoke spawned process; Run a batch file, doing virtually anything. Trace; Trace the traffic flow through to find the origin of the attack. Redirection; Reconfigure a router to redirect the attacker into a honeypot/honeynet. SNMP Trap; Reconfigure network devices? Passive; ------------- Display in console; Show event in the IDS GUI. Record session; E.g. IP recording for forensic use or replay of attacking session. Log; Log event with detailed attack related information in event database. External notification; Email, sms, pager, etc. As seen above the SNMP Trap explanation is not satisafctory. I have tried to read several RFCs and browse the Internet for detailed information on the subject, but come up emtpy handed. Does anyone know where I kind find a thourough explanation of the SNMP Trap use in intrusion detection? I would be more than grateful for any help on the subject. Feel free to comment my list of responses if you feel it is not complete or if I have misunderstood anything. Thanks! Cheers/ Markus Carlbark
Current thread:
- IDS responses marca369 (Nov 16)
- Re: IDS responses Raffael Marty (Nov 17)
- <Possible follow-ups>
- Re: IDS responses marca369 (Nov 19)
- RE: IDS responses Kohlenberg, Toby (Nov 22)