IDS mailing list archives
Re: Alarm response strategies
From: "David W. Goodrum" <dgoodrum () nfr com>
Date: Mon, 26 Jul 2004 17:55:46 -0400
Don't you think you're making a poor assumption that users will simply set up a rule to take an action on every alert?
For example, NFR's new inline IPS device has a blackholing feature where end users can choose to blackhole IP addresses that trigger certain alerts. But, to do so, you must meet a number of criteria, one of them being that the alert that was triggered was a TCP-based alert, i.e., we must have seen a full 3-way handshake and then something within that TCP session triggered an alert. NFR would drop the connection and block future connections. Your idea of a UDP flood would not work in this situation.
So, for the idea presented by Urko, he may want to make an ACL change for only a specific alert, say, for example, NIMDA if he sees it inside his network. I don't think anybody is dumb enough to make a blanket rule to block everything that might possibly trigger an alert.
-dave

Rob Shein wrote:
Given the fact that IDS are prone to false alarms (and easy to make trigger with spoofed traffic), it's the general consensus that active responses are a bad idea. For example, if I were to start scanning your network, and find myself suddenly blocked at the router or firewall, I would then spoof tons of UDP traffic from DNS servers that I believed you might use. Your firewall would then block traffic from them, and bingo, I've just shut down your ability to resolve things.

-----Original Message-----
From: (infor) urko zurutuza [mailto:uzurutuza () eps mondragon edu]
Sent: Friday, July 23, 2004 3:35 AM
To: focus-ids () securityfocus com
Subject: Alarm response strategies

Hi all,

May we discuss which strategies the IPS vendors use to prevent/respond from/to attacks?
- When do they change a firewall rule
- When to reset a connection
- When to create an ACL on a router
Are all of the responses used with a logical sense? Should they be used depending on the type of the attack? Does it only depend on the capability of each vendor? What more strategies are there?

Thank you in advance,
__________________________________________________
MONDRAGON UNIBERTSITATEA
Urko Zurutuza
Dpto. Informática
Loramendi 4 - Aptdo.23
20500 Arrasate-Mondragon
Tel. +34 943 739636 // +34 943 794700 Ext.297
www.eps.mondragon.edu
uzurutuza () eps mondragon edu

--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
--
David W. Goodrum
Senior Systems Engineer
NFR Security
703.731.3765
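The distinction the two posts above turn on (block on any alert versus block only on a TCP-based alert whose three-way handshake the sensor actually observed) is easy to see in code. The following is an added illustration, not NFR's product logic and not code from any poster: a toy active-response policy fed constructed alert records. The alert fields, signature names, resolver addresses and the `BLOCKABLE_SIGS` allow-list are all assumptions made for the example. The `naive_policy` is the blanket rule Rob warns about; `handshake_policy` is the TCP-session criterion Dave describes. A spoofed UDP flood that claims to come from the victim's DNS resolvers gets those resolvers blackholed under the first policy but not the second, because a blindly spoofed source cannot complete a TCP handshake with the sensor watching.

```python
"""Toy IDS active-response policies (added example, not from the original thread).

Models two ways to turn an alert into a blackhole entry:
  naive_policy     - block the source of every alert (what Rob warns about)
  handshake_policy - block only when the alert came from a TCP flow whose
                     SYN/SYN-ACK/ACK the sensor saw, and only for signatures
                     an operator explicitly chose to block (Dave's criterion)
All alert records below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Alert:
    sig: str              # signature name, e.g. "NIMDA" (hypothetical names)
    proto: str            # "tcp" or "udp"
    src: str              # source IP as seen on the wire
    handshake_seen: bool  # sensor observed the full 3-way handshake for this flow


@dataclass
class Blocklist:
    blocked: set = field(default_factory=set)   # IPs whose future connections are dropped
    reset: list = field(default_factory=list)   # (src, sig) sessions torn down immediately


# Operator-chosen signatures eligible for blackholing (assumption for the example).
BLOCKABLE_SIGS = {"NIMDA"}


def naive_policy(alert: Alert, bl: Blocklist) -> bool:
    """Blanket rule: any alert blocks its claimed source. Returns True if blocked."""
    bl.blocked.add(alert.src)
    return True


def handshake_policy(alert: Alert, bl: Blocklist) -> bool:
    """Block only on an allow-listed alert raised inside an established TCP session.

    A source that never completed the handshake (a SYN scan, or any spoofed
    packet) cannot be trusted as the real origin, so it is never blackholed.
    """
    if alert.proto != "tcp" or not alert.handshake_seen:
        return False
    if alert.sig not in BLOCKABLE_SIGS:
        return False
    bl.reset.append((alert.src, alert.sig))   # drop the offending connection
    bl.blocked.add(alert.src)                  # and block future ones
    return True


def run(policy, alerts) -> Blocklist:
    """Feed every alert through the policy and return the resulting blocklist."""
    bl = Blocklist()
    for a in alerts:
        policy(a, bl)
    return bl


# Constructed traffic: resolver addresses are documentation ranges (RFC 5737).
DNS_RESOLVERS = ["192.0.2.53", "198.51.100.53"]
ALERTS = [
    Alert("NIMDA", "tcp", "10.0.0.7", True),            # real worm traffic, established session
    Alert("UDP-FLOOD", "udp", "192.0.2.53", False),     # spoofed, claims to be resolver #1
    Alert("UDP-FLOOD", "udp", "198.51.100.53", False),  # spoofed, claims to be resolver #2
    Alert("PORTSCAN", "tcp", "203.0.113.9", False),     # SYN scan, handshake never completed
]


def dns_still_reachable(bl: Blocklist) -> bool:
    """True if no resolver was collaterally blackholed."""
    return not any(r in bl.blocked for r in DNS_RESOLVERS)


if __name__ == "__main__":
    for name, pol in (("naive", naive_policy), ("handshake-only", handshake_policy)):
        result = run(pol, ALERTS)
        print(f"{name:15s} blocked={sorted(result.blocked)} dns_ok={dns_still_reachable(result)}")
```

Run it and the naive policy blackholes both resolvers and the scanner alongside the worm host, while the handshake-only policy blocks just 10.0.0.7. The SYN scan is deliberately left unblocked: under Dave's criterion a flow without a completed handshake has not proven its source address, which is exactly the property the spoofed flood exploits.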
Current thread:
- Alarm response strategies (infor) urko zurutuza (Jul 25)
- RE: Alarm response strategies Rob Shein (Jul 26)
- Re: Alarm response strategies David W. Goodrum (Jul 27)
- Re: Alarm response strategies Tony Carter (Jul 27)
- RE: Alarm response strategies Frank Knobbe (Jul 27)
- RE: Alarm response strategies Rob Shein (Jul 27)
- Re: Alarm response strategies David W. Goodrum (Jul 28)
- RE: Alarm response strategies Frank Knobbe (Jul 28)
- RE: Alarm response strategies Rob Shein (Jul 26)
- <Possible follow-ups>
- RE: Alarm response strategies Joshua Berry (Jul 27)
- RE: Alarm response strategies Richard Bejtlich (Jul 28)
- RE: Alarm response strategies Joshua Berry (Jul 28)