IDS mailing list archives
Re: Alarm response strategies
From: Tony Carter <tcarter () entrusion com>
Date: Mon, 26 Jul 2004 21:50:16 -0400
Rob,Your argument is valid for a signature based IPS. But who makes one of those?? That's why you need protocol/anomaly/behavior based IPS. They are far less prone to false positives. Your UDP DOS may have an impact on a network without proper security architecture in place but a well thought out design/configuration would not be vulnerable to such an attack. At best you would fill up the pipe..
-Tony On Jul 25, 2004, at 9:35 PM, Rob Shein wrote:
Given the fact that IDS are prone to false alarms (and easy to make trigger with spoofed traffic), it's the general consensus that active responses are a bad idea. For example, if I were to start scanning your network, and find myself suddenly blocked at the router or firewall, I would then spoof tonsof UDP traffic from DNS servers that I believed you might use. Yourfirewall would then block traffic from them, and bingo, I've just shut downyour ability to resolve things.-----Original Message----- From: (infor) urko zurutuza [mailto:uzurutuza () eps mondragon edu] Sent: Friday, July 23, 2004 3:35 AM To: focus-ids () securityfocus com Subject: Alarm response strategies Hi all, May we discuss on which are the strategies that the IPS vendors use to prevent/respond from/to attacks? - When do they change a firewall rule - When to reset a connection - When to create an ACL on a router Are all of the responses used with a logical sense? Should they been used depending on the type of the attack? Only depends on the capability of each vendor? What more strategies are there? Thank you in advance, __________________________________________________ MONDRAGON UNIBERTSITATEA Urko Zurutuza Dpto. Informática Loramendi 4 - Aptdo.23 20500 Arrasate-Modragon Tel. +34 943 739636 // +34 943 794700 Ext.297 www.eps.mondragon.edu > uzurutuza () eps mondragon edu -------------------------------------------------------------- ------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.----------------------------------------------------------------------- -------------------------------------------------------------------------- ---Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from COREIMPACT.Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ----------------------------------------------------------------------- ---
-------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- Alarm response strategies (infor) urko zurutuza (Jul 25)
- RE: Alarm response strategies Rob Shein (Jul 26)
- Re: Alarm response strategies David W. Goodrum (Jul 27)
- Re: Alarm response strategies Tony Carter (Jul 27)
- RE: Alarm response strategies Frank Knobbe (Jul 27)
- RE: Alarm response strategies Rob Shein (Jul 27)
- Re: Alarm response strategies David W. Goodrum (Jul 28)
- RE: Alarm response strategies Frank Knobbe (Jul 28)
- RE: Alarm response strategies Rob Shein (Jul 26)
- <Possible follow-ups>
- RE: Alarm response strategies Joshua Berry (Jul 27)
- RE: Alarm response strategies Richard Bejtlich (Jul 28)
- RE: Alarm response strategies Joshua Berry (Jul 28)