IDS mailing list archives
RE: Active response... some thoughts.
From: "Kohlenberg, Toby" <toby.kohlenberg () intel com>
Date: Mon, 27 Jan 2003 17:26:59 -0800
-----Original Message-----
From: mb_lima [mailto:mb_lima () uol com br]
Sent: Monday, January 27, 2003 2:43 AM
Subject: RE: Active response... some thoughts.

popular nor, IMHO, effective strategy. First off, as the email mentions below, the attacker can just simply hack his stack to ignore the resets...hey, it's possible. Also, TCP-Resets can create a storm of packets

I don't agree because TCP RST is successful at stopping script kiddies. More sophisticated attacks are few and we know that there are many ways to bypass IDS sensors (easier ways).

Actually, TCP resets don't work in many cases - for instance any situation where you have a single packet exploit (say the Sapphire worm that just ran through the Net)... This is the same problem that router/firewall reconfiguration has - by the time the response happens, the compromise is done.

toby