Re: IDS responses

[<marca369 () student liu se>]

In-Reply-To: <009501c28e69$a5b09a80$438990d5 () ch ema ad pwcinternal com>

> > Can anyone explain or direct me to an explanation of the SNMP Trap's
> > use in active responses of intrusion detection systems?
>
> See answer below
>
> > SNMP Trap; Reconfigure network devices?
>
> SNMP Traps can be used on a sensor to send asynchronous messages to a
> console. These messages are not sent to network devices. The console on 
its
> end might then reconfigure the network device (probably via SNMP again, 
but
> not TRAPS, but an SNMP SET). I think this is all the magic that is behind
> this.

So, as far as I understand, what vendors mean by stating their products 
support "SNMP Trap" is the same as supporting blocking or shunning 
(reconfiguring router/firewall ACLs)? Using SNMP for sending event 
messages to the IDS console wouldnt be very smart since its a 
connectionless protocol (UDP) and the traffic is unencrypted.

/Markus