Firewall Wizards mailing list archives

RE: Automated IDS response

From: "Kopf , Patrick E." <PEKopf () missi ncsc mil>
Date: Fri, 11 Feb 2000 10:12:40 -0500

Network Ice's BlackIce Defender IDS does this type of traffic blocking
(based on type of attack).  Defender only blocks traffic for attacks that
are 'non-spoofable'.  I don't know if they're the only IDS that does this or
not.

Pat Kopf

-----Original Message-----
From: Michael B. Rash [mailto:mbr () math umd edu]
Sent: Thursday, February 10, 2000 6:09 PM
To: firewall-wizards () nfr net
Subject: Automated IDS response



Having your IDS respond automatically to an IP that is generating
questionable traffic by dynamically managing your router ACLs (or other
similar action; tcpwrappers, ipchains, etc...) to deny all traffic from
the IP can be a risky thing to do from a DoS perspective; nmap's decoy
option comes to mind.

It would seem that any IDS should only block traffic from an IP
based on an attack signature that requires bi-directional communication,
like a CGI exploit over http/80 or something.  Are there guidelines for
deploying IDS response that discusses methods for minimizing false
positives?  Are there any *good* ways of doing this?

--Mike
http://www.math.umd.edu/~mbr

Current thread:

Automated IDS response Michael B. Rash (Feb 11)
- <Possible follow-ups>
- RE: Automated IDS response Kopf , Patrick E. (Feb 12)
  - Re: Automated IDS response Michael H. Warfield (Feb 14)
    - Re: Automated IDS response Michael B. Rash (Feb 14)
  - Re: Automated IDS response Andy (Feb 14)
    - Re: Automated IDS response Lance Spitzner (Feb 15)
- RE: Automated IDS response Robert Graham (Feb 14)
- RE: Automated IDS response Crumrine, Gary L (Feb 15)
- RE: Automated IDS response Marcus J. Ranum (Feb 15)
  - Re: Automated IDS response Paul Cardon (Feb 17)
- RE: Automated IDS response Robert Graham (Feb 15)
- RE: Automated IDS response Russ Wolfe (Feb 16)

(Thread continues...)