RE: IDS that retaliates.
From: Brad.Dunn@Intelsat.com
Date: 03/06/02
- Previous message: Greg Shipley: "RE: Use of Taps for IDS"
- Maybe in reply to: charles.skoglund@om.com: "IDS that retaliates."
- Next in thread: Carr, Aaron [CNTUS]: "RE: IDS that retaliates."
From: Brad.Dunn@Intelsat.com
To: Keith.McCammon@eadvancemed.com, charles.skoglund@om.com, security-basics@securityfocus.com, focus-ids@securityfocus.com
Date: Wed, 6 Mar 2002 08:41:04 -0500
Agreed. Plus, you can't go launching counter-attacks when most of the time
the machine you would be attacking was not at fault. It's been spoofed in
some way, shape or form. Therefore, you would be taking down an innocent
network.
-----Original Message-----
From: McCammon, Keith [mailto:Keith.McCammon@eadvancemed.com]
Sent: Tuesday, March 05, 2002 3:00 PM
To: charles.skoglund@om.com; security-basics@securityfocus.com;
focus-ids@securityfocus.com
Subject: RE: IDS that retaliates.
This is generally referred to as Active Response. In most cases
(commercial IDS), this involves the IDS sending TCP RST packets to both
ends of the connection so that the connection is destroyed and cleared
from the buffers. This is also the extent to which most
commercially-available IDSs "retaliate." Snort does this, as do ISS and
several other popular systems.
Now if you're referring to launching counter-attacks or similar
offensives in response to alerts, this isn't going to go mainstream in
the near future. There are a number of reasons for this, but most
notable is the fact that (in the U.S., anyway) intrusive retaliation is,
technically, every bit as illegal as the act that provoked it in the
first place.
I, too, have heard of government and defense projects that are
developing (and refining) intrusive response of technology, but realize
that the details of such systems would not likely be publicized.
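The TCP RST active response described in the quoted message, as an added example that is not part of either message and not taken from Snort or ISS: it computes the header fields of the two resets from one observed segment, using RFC 793 sequence-number rules. The `Segment` and `Reset` types, `reset_pair`, and the sample addresses are constructed for illustration, and the observed segment is assumed to carry ACK.

```python
from dataclasses import dataclass

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


@dataclass(frozen=True)
class Segment:
    """One TCP segment as seen by the sensor (constructed fields, not a capture)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    payload_len: int
    syn: bool = False
    fin: bool = False


@dataclass(frozen=True)
class Reset:
    """Header fields of one RST the sensor would emit."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int


def reset_pair(seg: Segment) -> tuple[Reset, Reset]:
    """Return the RSTs for both ends of the connection seg belongs to.

    Assumes seg carries ACK (established connection), so seg.ack is the next
    byte seg.src expects from seg.dst.
    """
    # SYN and FIN each consume one sequence number, like a payload byte.
    next_seq = (seg.seq + seg.payload_len + seg.syn + seg.fin) % MOD
    # Toward the receiver: written as if from seg.src, at the number seg.dst expects next.
    to_receiver = Reset(seg.src, seg.sport, seg.dst, seg.dport, next_seq)
    # Toward the sender: written as if from seg.dst, at the number the sender expects next.
    to_sender = Reset(seg.dst, seg.dport, seg.src, seg.sport, seg.ack % MOD)
    return to_receiver, to_sender


# Constructed sample: 120 payload bytes that end 20 bytes past the 32-bit wrap.
observed = Segment("192.0.2.10", 40000, "198.51.100.5", 80,
                   seq=MOD - 100, ack=5000, payload_len=120)
```

Both resets take their addresses and ports from the observed segment's headers alone, so the response reaches whatever hosts those headers name.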