Firewall Wizards mailing list archives
RE: Automated IDS response
From: "Kopf , Patrick E." <PEKopf () missi ncsc mil>
Date: Fri, 11 Feb 2000 10:12:40 -0500
Network Ice's BlackIce Defender IDS does this type of traffic blocking (based on type of attack). Defender only blocks traffic for attacks that are 'non-spoofable'. I don't know if they're the only IDS that does this or not. Pat Kopf -----Original Message----- From: Michael B. Rash [mailto:mbr () math umd edu] Sent: Thursday, February 10, 2000 6:09 PM To: firewall-wizards () nfr net Subject: Automated IDS response Having your IDS respond automatically to an IP that is generating questionable traffic by dynamically managing your router ACLs (or other similar action; tcpwrappers, ipchains, etc...) to deny all traffic from the IP can be a risky thing to do from a DoS perspective; nmap's decoy option comes to mind. It would seem that any IDS should only block traffic from an IP based on an attack signature that requires bi-directional communication, like a CGI exploit over http/80 or something. Are there guidelines for deploying IDS response that discusses methods for minimizing false positives? Are there any *good* ways of doing this? --Mike http://www.math.umd.edu/~mbr
Current thread:
- Automated IDS response Michael B. Rash (Feb 11)
- <Possible follow-ups>
- RE: Automated IDS response Kopf , Patrick E. (Feb 12)
- Re: Automated IDS response Michael H. Warfield (Feb 14)
- Re: Automated IDS response Michael B. Rash (Feb 14)
- Re: Automated IDS response Andy (Feb 14)
- Re: Automated IDS response Lance Spitzner (Feb 15)
- Re: Automated IDS response Michael H. Warfield (Feb 14)
- RE: Automated IDS response Robert Graham (Feb 14)
- RE: Automated IDS response Crumrine, Gary L (Feb 15)
- RE: Automated IDS response Marcus J. Ranum (Feb 15)
- Re: Automated IDS response Paul Cardon (Feb 17)
- RE: Automated IDS response Robert Graham (Feb 15)
- RE: Automated IDS response Russ Wolfe (Feb 16)
(Thread continues...)