RE: IDS responses

["Kohlenberg, Toby" <toby.kohlenberg () intel com>]

This is a good list but you missed one:
forged response to the attacker- Dragon has/had (I haven't checked to see if it
is in the newest release) the ability to respond to things like scanning and
Nmap OS detection packets with spoofed data that would suggest a different OS
or ports being open/closed when they are not in reality. This is very cool, IMHO,
as it doesn't kill the connection, it just injects some false information into
the data flow that will make the attackers job more difficult.

All opinions are my own and in no way reflect the views of my employer.

Toby

> -----Original Message-----
> From: marca369 () student liu se [mailto:marca369 () student liu se]
> Sent: Friday, November 15, 2002 5:06 AM
> To: focus-ids () securityfocus com
> Subject: IDS responses
>
>
>
>
> Hi all!
>
> I'm currently trying to learn about the different repsonses 
> an IDS can 
> perform and I have trouble finding detailed information.
> For those of you who don't feel like reading through the rest of the 
> text I'll state my problem here:
> Can anyone explain or direct me to an explanation of the SNMP Trap's 
> use in active responses of intrusion detection systems?
>
> As far as I understand, responses can traditionally be 
> divided into two 
> categories; active and passive. Active responses actively change the 
> internal state of the IDS or the surrounding environment and passive 
> responses deal with notifications and harvesting of 
> information. Due to 
> the upcoming intrusion prevention systems, two new categorizations 
> exists; proavtive and reactive. Proactive responses takes 
> place before 
> the attack is carried out, effectively stopping it from being 
> successful and reactive responses are executed during or after the 
> attack. The traditional responses fall under the reactive 
> category. So 
> far so good.
>
> Looking further into the traditional categories, several actual 
> responses can be found (taken from the major IDS vendor's brochyres).
>
> Active:
> -------------
> Blocking (shunning); Reconfiguration of routers/firewalls ACL 
> lists to 
> deny the attacker access.
>
> TCP Reset; Sendning a TCP packet with the reset databit set to the 
> source/target of the attack.
>
> Disable user account; Used i host based IDS, speaks for itself.
>
> Terminate user session; As above.
>
> Invoke spawned process; Run a batch file, doing virtually anything.
>
> Trace; Trace the traffic flow through to find the origin of 
> the attack.
>
> Redirection; Reconfigure a router to redirect the attacker into a 
> honeypot/honeynet.
>
> SNMP Trap; Reconfigure network devices?
>
> Passive;
> -------------
> Display in console; Show event in the IDS GUI.
>
> Record session; E.g. IP recording for forensic use or replay of 
> attacking session.
>
> Log; Log event with detailed attack related information in event 
> database.
>
> External notification; Email, sms, pager, etc.
>
>
> As seen above the SNMP Trap explanation is not satisafctory. I have 
> tried to read several RFCs and browse the Internet for detailed 
> information on the subject, but come up emtpy handed. Does 
> anyone know 
> where I kind find a thourough explanation of the SNMP Trap use in 
> intrusion detection? I would be more than grateful for any 
> help on the 
> subject.
> Feel free to comment my list of responses if you feel it is not 
> complete or if I have misunderstood anything.
>
> Thanks!
>
> Cheers/ Markus Carlbark