RE: Alarm response strategies

["Joshua Berry" <jberry () PENSON COM>]

This would only be true if you are allowing the IDS to configure your firewall rules on the fly.  TCP Resets are not 
going to completely block the connection and cause a DoS, they will only reset the malicious connection.  And other 
inline technology like Snort-Inline just block or rewrite the malicious portion of the data.

-----Original Message-----
From: Rob Shein [mailto:shoten () starpower net] 
Sent: Sunday, July 25, 2004 8:36 PM
To: '(infor) urko zurutuza'; focus-ids () securityfocus com
Subject: RE: Alarm response strategies

Given the fact that IDS are prone to false alarms (and easy to make trigger
with spoofed traffic), it's the general consensus that active responses are
a bad idea.  For example, if I were to start scanning your network, and find
myself suddenly blocked at the router or firewall, I would then spoof tons
of UDP traffic from DNS servers that I believed you might use.  Your
firewall would then block traffic from them, and bingo, I've just shut down
your ability to resolve things.

> -----Original Message-----
> From: (infor) urko zurutuza [mailto:uzurutuza () eps mondragon edu] 
> Sent: Friday, July 23, 2004 3:35 AM
> To: focus-ids () securityfocus com
> Subject: Alarm response strategies
>
>
>   Hi all,
>
>     May we discuss on which are the strategies that the IPS 
> vendors use to prevent/respond from/to attacks?
>
> - When do they change a firewall rule
> - When to reset a connection
> - When to create an ACL on a router
>
>
> Are all of the responses used with a logical sense?
> Should they been used depending on the type of the attack?
> Only depends on the capability of each vendor?
> What more strategies are there?
>
> Thank you in advance, 
> __________________________________________________
> MONDRAGON UNIBERTSITATEA
> Urko Zurutuza
> Dpto. Informática
> Loramendi 4 - Aptdo.23
> 20500 Arrasate-Modragon
> Tel. +34 943 739636 // +34 943 794700 Ext.297 
> www.eps.mondragon.edu > uzurutuza () eps mondragon edu
>
>
>
>
> --------------------------------------------------------------
> ------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world 
> attacks from CORE IMPACT. Go to 
> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_04
0708 to learn more.
--------------------------------------------------------------------------



--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------