IDS mailing list archives
Re: Active response... some thoughts.
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 08 Feb 2003 18:32:13 -0600
On Sat, 2003-02-08 at 15:50, andre wrote:
> What about blocking only a few certain attacks that could not be easily spoofed, such as HTTP vulnerabilities and others that need a complete handshake to work.
Thank you for bringing this up. I'm a bit angered by the all-or-nothing attitude. As you correctly said, active response doesn't need to happen for any and all signatures or rule violations. Active response (of any kind) has its risks, but it can be implemented in such a fashion that the risks are bearable, and at a point where they are worthwhile implementing. White-lists are one approach; another is adding 'intelligence' so that the active response can stop by itself. I have tried to implement that in SnortSam by implementation of simple thresholds. Once a threshold (of responses) exceeds a certain level, SnortSam will undo the last blocks (it modifies firewalls and routers) and then fall silent, or passive, until the level of requests falls below the threshold level, and then some (additional time). It's all a matter of checks'n'balances.

Imho, programs _can_ be written to avoid race conditions or situations where they might get locked in a loop (like responding to the response of other IDSs.... that was a nice example). The idea of implementing safety measures and self-destruct levers seems to fall short in the race to market with fancy software these days...

Regards,
Frank
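The self-throttling behaviour Frank describes (count responses, undo the most recent blocks once a threshold is exceeded, stay passive until the request rate has stayed below the threshold for some extra time) can be written as a small controller. This is an added illustration, not SnortSam's own code; the threshold, window and cooldown values and the string return codes are assumptions.

```python
from collections import deque


class ThrottledResponder:
    """Active-response controller that disables itself under a storm.

    Block requests are counted over a sliding `window` (seconds). When the
    count exceeds `threshold`, blocks issued inside the window are undone
    and the controller goes passive. It resumes only after the request
    rate has stayed at or below the threshold for `cooldown` seconds, which
    defuses feedback loops such as two IDSs responding to each other.
    Constructed example; the real firewall/router calls are omitted.
    """

    def __init__(self, threshold, window, cooldown):
        self.threshold = threshold
        self.window = window
        self.cooldown = cooldown
        self.requests = deque()   # timestamps of recent block requests
        self.active_blocks = []   # (timestamp, address) currently blocked
        self.passive = False
        self.quiet_since = None   # when the rate last dropped to threshold

    def _rate(self, now):
        while self.requests and now - self.requests[0] > self.window:
            self.requests.popleft()
        return len(self.requests)

    def blocked_addresses(self):
        return [addr for _, addr in self.active_blocks]

    def request_block(self, now, address):
        """Return 'blocked', 'rollback' or 'ignored' for one block request."""
        self.requests.append(now)
        rate = self._rate(now)          # includes the current request
        if self.passive:
            if rate > self.threshold:   # storm still going: keep counting
                self.quiet_since = None
                return "ignored"
            if self.quiet_since is None:
                self.quiet_since = now
            if now - self.quiet_since < self.cooldown:
                return "ignored"        # below threshold, but not long enough
            self.passive, self.quiet_since = False, None   # resume
        elif rate > self.threshold:
            # Too many responses too fast: undo blocks made within the
            # window and fall silent instead of blocking anything more.
            self.active_blocks = [b for b in self.active_blocks
                                  if now - b[0] > self.window]
            self.passive = True
            return "rollback"
        self.active_blocks.append((now, address))
        return "blocked"
```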