IDS mailing list archives
RE: Alarm response strategies
From: "Rob Shein" <shoten () starpower net>
Date: Sun, 25 Jul 2004 21:35:32 -0400
Given the fact that IDS are prone to false alarms (and easy to make trigger with spoofed traffic), it's the general consensus that active responses are a bad idea. For example, if I were to start scanning your network, and find myself suddenly blocked at the router or firewall, I would then spoof tons of UDP traffic from DNS servers that I believed you might use. Your firewall would then block traffic from them, and bingo, I've just shut down your ability to resolve things.
-----Original Message----- From: (infor) urko zurutuza [mailto:uzurutuza () eps mondragon edu] Sent: Friday, July 23, 2004 3:35 AM To: focus-ids () securityfocus com Subject: Alarm response strategies Hi all, May we discuss on which are the strategies that the IPS vendors use to prevent/respond from/to attacks? - When do they change a firewall rule - When to reset a connection - When to create an ACL on a router Are all of the responses used with a logical sense? Should they been used depending on the type of the attack? Only depends on the capability of each vendor? What more strategies are there? Thank you in advance, __________________________________________________ MONDRAGON UNIBERTSITATEA Urko Zurutuza Dpto. Informática Loramendi 4 - Aptdo.23 20500 Arrasate-Modragon Tel. +34 943 739636 // +34 943 794700 Ext.297 www.eps.mondragon.edu > uzurutuza () eps mondragon edu -------------------------------------------------------------- ------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_04
0708 to learn more. -------------------------------------------------------------------------- -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- Alarm response strategies (infor) urko zurutuza (Jul 25)
- RE: Alarm response strategies Rob Shein (Jul 26)
- Re: Alarm response strategies David W. Goodrum (Jul 27)
- Re: Alarm response strategies Tony Carter (Jul 27)
- RE: Alarm response strategies Frank Knobbe (Jul 27)
- RE: Alarm response strategies Rob Shein (Jul 27)
- Re: Alarm response strategies David W. Goodrum (Jul 28)
- RE: Alarm response strategies Frank Knobbe (Jul 28)
- RE: Alarm response strategies Rob Shein (Jul 26)
- <Possible follow-ups>
- RE: Alarm response strategies Joshua Berry (Jul 27)
- RE: Alarm response strategies Richard Bejtlich (Jul 28)
- RE: Alarm response strategies Joshua Berry (Jul 28)