IDS mailing list archives
RE: Alarm response strategies
From: "Joshua Berry" <jberry () PENSON COM>
Date: Mon, 26 Jul 2004 16:29:59 -0500
This would only be true if you are allowing the IDS to configure your firewall rules on the fly. TCP Resets are not going to completely block the connection and cause a DoS, they will only reset the malicious connection. And other inline technology like Snort-Inline just blocks or rewrites the malicious portion of the data.

-----Original Message-----
From: Rob Shein [mailto:shoten () starpower net]
Sent: Sunday, July 25, 2004 8:36 PM
To: '(infor) urko zurutuza'; focus-ids () securityfocus com
Subject: RE: Alarm response strategies

Given the fact that IDS are prone to false alarms (and easy to make trigger with spoofed traffic), it's the general consensus that active responses are a bad idea. For example, if I were to start scanning your network, and find myself suddenly blocked at the router or firewall, I would then spoof tons of UDP traffic from DNS servers that I believed you might use. Your firewall would then block traffic from them, and bingo, I've just shut down your ability to resolve things.

-----Original Message-----
From: (infor) urko zurutuza [mailto:uzurutuza () eps mondragon edu]
Sent: Friday, July 23, 2004 3:35 AM
To: focus-ids () securityfocus com
Subject: Alarm response strategies

Hi all,

May we discuss which strategies the IPS vendors use to prevent or respond to attacks?
- When do they change a firewall rule
- When to reset a connection
- When to create an ACL on a router

Are all of the responses used with a logical sense? Should they be used depending on the type of the attack? Does it only depend on the capability of each vendor? What more strategies are there?

Thank you in advance,

__________________________________________________
MONDRAGON UNIBERTSITATEA
Urko Zurutuza
Dpto. Informática
Loramendi 4 - Aptdo.23
20500 Arrasate-Mondragon
Tel. +34 943 739636 // +34 943 794700 Ext.297
www.eps.mondragon.edu
uzurutuza () eps mondragon edu

--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
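The disagreement above comes down to scope: a TCP reset touches one connection, while an automatic firewall or ACL change touches an address that an attacker may have spoofed. The policy engine below is an added illustration (not code from any poster or vendor on this list) of a response logic that keeps that distinction: it never blocks addresses on a constructed infrastructure allowlist, refuses address-wide blocks for UDP or half-open TCP where the source is unverified, and gives any block it does issue an expiry.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import time

# Constructed allowlist: sources an automated response must never block,
# because spoofed packets "from" them would turn the IPS into a DoS tool.
PROTECTED_NETS = [
    ip_network("192.0.2.0/24"),     # recursive DNS resolvers (constructed)
    ip_network("198.51.100.1/32"),  # upstream router (constructed)
]


@dataclass
class Alert:
    src: str
    proto: str          # "tcp" or "udp"
    established: bool   # sensor saw a completed TCP handshake
    confidence: int     # 0..100, from the detection engine


class Responder:
    """Chooses the narrowest response the evidence actually supports."""

    def __init__(self, block_ttl=600, block_threshold=90):
        self.block_ttl = block_ttl
        self.block_threshold = block_threshold
        self.blocks = {}  # ip -> expiry timestamp

    def decide(self, alert, now=None):
        now = time.time() if now is None else now
        src = ip_address(alert.src)
        if any(src in net for net in PROTECTED_NETS):
            return "alert-only"   # never let an alert cut off infrastructure
        if alert.proto != "tcp" or not alert.established:
            # UDP or SYN-only TCP: the source address is unverified, so an
            # address-wide block would punish whoever the attacker spoofed.
            return "alert-only"
        if alert.confidence >= self.block_threshold:
            # Handshake completed, so the peer really holds this address;
            # even then the block expires on its own instead of living forever.
            self.blocks[src] = now + self.block_ttl
            return "block-temporary"
        return "tcp-reset"        # scoped to this one connection, not the host

    def active_blocks(self, now=None):
        """Drop expired entries and return the addresses still blocked."""
        now = time.time() if now is None else now
        self.blocks = {ip: exp for ip, exp in self.blocks.items() if exp > now}
        return sorted(str(ip) for ip in self.blocks)
```

The spoofed-DNS scenario from the thread maps onto the first two branches: UDP from a resolver never becomes a firewall rule, only an alert for a human to look at.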