IDS mailing list archives
RE: Active response... some thoughts.
From: "Rob Shein" <shoten () starpower net>
Date: Tue, 11 Feb 2003 12:06:23 -0500
I think the "all-or-nothing" attitude (well put, btw) comes from experience with clients, who often take multi-part, comprehensive solutions and merely implement the one piece that they think will do the job for them. We've all seen it...the bean-counters come in and before you know it, you're trying to explain why they need everything you told them, not just the one thing that (on the surface, through non-technical eyes that don't know TCP from UDP) looks like a magic bullet. Indeed, even with technical eyes, I seem to remember some posts back during a heated discussion about IPS a few months back where some seemed to think it was more of a solution than it really is at this point.
-----Original Message----- From: Frank Knobbe [mailto:fknobbe () knobbeits com] Sent: Saturday, February 08, 2003 7:32 PM To: andre Cc: Ralph Los; lists () isecom org; 'Focus-IDS' Subject: Re: Active response... some thoughts. On Sat, 2003-02-08 at 15:50, andre wrote:What about blocking only a few certain attacks, that could not be easily spoofed. Such like HTTP vulnerabilities and othersthat need acomplete handshake to work.Thank you for bringing this up. I'm a bit angered by all-or-nothing attitude. As you correctly said, active response doesn't need to happen to any and all signatures, or rule violations. Active response (of any kind) have their risks, but they can be implemented in such a fashion that the risk are bearable, and at a point were they are worthwhile implementing. White-lists are one approach, another is adding 'intelligence' so that the active response can stop by itself. I have tried to implement that in SnortSam by implementation of simple thresholds. Once a threshold (of responses) exceeds a certain level, SnortSam will undo the last blocks (it modifies firewalls and routers) and then fall silent, or passive, until the level of requests falls below threshold level, and then some (additional time). It's all a matter of checks'n'balances. Imho, programs _can_ be written to avoid race conditions or situation where they might get a locked in a loop (like responding to the response of other IDSs.... that was a nice example). The idea of implementing safety measures and self-destruct levers seems to fall short in the race to market with fancy software these days... Regards, Frank
Current thread:
- RE: Active response... some thoughts., (continued)
- RE: Active response... some thoughts. Rob McMillen (Feb 06)
- Re: Active response... some thoughts. Ali Saifullah Khan (Feb 05)
- RE: Active response... some thoughts. Abe L. Getchell (Feb 06)
- Re: Active response... some thoughts. fr0ck9 (Feb 05)
- RE: Active response... some thoughts. Rob Shein (Feb 07)
- RE: Active response... some thoughts. Ralph Los (Feb 07)
- Re: Active response... some thoughts. SecurityFocus (Feb 10)
- RE: Active response... some thoughts. Ralph Los (Feb 07)
- Re: Active response... some thoughts. andre (Feb 08)
- Re: Active response... some thoughts. Frank Knobbe (Feb 10)
- RE: Active response... some thoughts. Rob Shein (Feb 11)
- Re: Active response... some thoughts. andre (Feb 08)
- Re: Active response... some thoughts. mb_lima (Feb 11)
- RE: Active response... some thoughts. Steven Richards (Feb 12)