IDS responses

From: marca369@student.liu.se
Date: 11/15/02


Date: 15 Nov 2002 13:06:04 -0000
From: <marca369@student.liu.se>
To: focus-ids@securityfocus.com



Hi all!

I'm currently trying to learn about the different responses an IDS can
perform and I have trouble finding detailed information.
For those of you who don't feel like reading through the rest of the
text, I'll state my problem here:
Can anyone explain, or direct me to an explanation of, the SNMP Trap's
use in active responses of intrusion detection systems?

As far as I understand, responses can traditionally be divided into two
categories: active and passive. Active responses actively change the
internal state of the IDS or the surrounding environment, and passive
responses deal with notifications and harvesting of information. Due to
the upcoming intrusion prevention systems, two new categorizations
exist: proactive and reactive. Proactive responses take place before
the attack is carried out, effectively stopping it from being
successful, and reactive responses are executed during or after the
attack. The traditional responses fall under the reactive category. So
far so good.

Looking further into the traditional categories, several actual
responses can be found (taken from the major IDS vendors' brochures).

Active:
-------------
Blocking (shunning); Reconfiguration of routers/firewalls ACL lists to
deny the attacker access.

TCP Reset; Sending a TCP packet with the reset bit set to the
source/target of the attack.

Disable user account; Used in host-based IDS, speaks for itself.

Terminate user session; As above.

Invoke spawned process; Run a batch file, doing virtually anything.

Trace; Trace the traffic flow through to find the origin of the attack.

Redirection; Reconfigure a router to redirect the attacker into a
honeypot/honeynet.

SNMP Trap; Reconfigure network devices?

Passive:
-------------
Display in console; Show event in the IDS GUI.

Record session; E.g. IP recording for forensic use or replay of
attacking session.

Log; Log event with detailed attack related information in event
database.

External notification; Email, sms, pager, etc.

As seen above, the SNMP Trap explanation is not satisfactory. I have
tried to read several RFCs and browse the Internet for detailed
information on the subject, but have come up empty-handed. Does anyone know
where I can find a thorough explanation of the SNMP Trap's use in
intrusion detection? I would be more than grateful for any help on the
subject.
Feel free to comment on my list of responses if you feel it is not
complete or if I have misunderstood anything.

Thanks!

Cheers/ Markus Carlbark
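Added example (editor's illustration, not part of Markus's post or any vendor's code): the question above is what an SNMP trap actually is in an IDS context. Per RFC 1157, a trap is an unsolicited notification sent by an agent to a management station on UDP/162; an IDS that "sends an SNMP trap" is acting as the agent and the NMS receives the alert, so the trap carries the alert rather than reconfiguring anything itself. The block below builds an SNMPv1 Trap-PDU carrying a constructed IDS alert with hand-written BER encoding, then parses it back so every field is visible. The enterprise OID 1.3.6.1.4.1.99999, the varbind OID under it, the alert text and the IP addresses (documentation ranges) are all constructed placeholders.

```python
"""SNMPv1 trap as an IDS notification (RFC 1157): encode with hand-rolled BER,
then parse it back. No SNMP library needed; everything here is constructed."""
import socket

# BER tags: universal types, plus SNMP application types and the Trap-PDU
TAG_INTEGER, TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x06, 0x30
TAG_IPADDRESS, TAG_TIMETICKS, TAG_TRAP_PDU = 0x40, 0x43, 0xA4
GENERIC_ENTERPRISE_SPECIFIC = 6  # generic-trap value for vendor-defined traps


def ber_length(n: int) -> bytes:
    """Short form below 128, long form (0x80 | byte count) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(content)) + content


def encode_int(value: int, tag: int = TAG_INTEGER) -> bytes:
    """Minimal two's-complement integer; TimeTicks reuse the same content."""
    assert value >= 0, "counters and trap codes are non-negative here"
    nbytes = max(1, (value.bit_length() + 8) // 8)  # keep the sign bit clear
    return tlv(tag, value.to_bytes(nbytes, "big", signed=True))


def encode_oid(oid: str) -> bytes:
    """Dotted OID to BER: first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(TAG_OID, bytes(out))


def build_trap(community, enterprise, agent_ip, specific, uptime_ticks, varbinds):
    """Message ::= SEQUENCE { version(0), community, Trap-PDU }."""
    vb_list = b"".join(
        tlv(TAG_SEQUENCE, encode_oid(name) + tlv(TAG_OCTET_STRING, text.encode()))
        for name, text in varbinds)
    pdu = (encode_oid(enterprise)
           + tlv(TAG_IPADDRESS, socket.inet_aton(agent_ip))   # agent-addr
           + encode_int(GENERIC_ENTERPRISE_SPECIFIC)          # generic-trap
           + encode_int(specific)                             # specific-trap
           + encode_int(uptime_ticks, TAG_TIMETICKS)          # time-stamp
           + tlv(TAG_SEQUENCE, vb_list))                      # variable-bindings
    return tlv(TAG_SEQUENCE, encode_int(0)
               + tlv(TAG_OCTET_STRING, community.encode())
               + tlv(TAG_TRAP_PDU, pdu))


def read_tlv(buf: bytes):
    """Return (tag, content, remaining bytes) for the first TLV in buf."""
    tag, i = buf[0], 1
    length = buf[i]
    i += 1
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[i:i + n], "big")
        i += n
    return tag, buf[i:i + length], buf[i + length:]


def read_seq(content: bytes):
    items = []
    while content:
        tag, body, content = read_tlv(content)
        items.append((tag, body))
    return items


def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_trap(msg: bytes) -> dict:
    """Inverse of build_trap; refuses anything that is not a v1 Trap-PDU."""
    tag, content, rest = read_tlv(msg)
    assert tag == TAG_SEQUENCE and not rest, "not a single SNMP message"
    (vtag, version), (_, community), (ptag, pdu) = read_seq(content)
    assert vtag == TAG_INTEGER and int.from_bytes(version, "big") == 0, "not SNMPv1"
    assert ptag == TAG_TRAP_PDU, "PDU is not a Trap-PDU"
    (_, ent), (_, addr), (_, gen), (_, spec), (_, ticks), (_, vbs) = read_seq(pdu)
    varbinds = []
    for _, vb in read_seq(vbs):
        (_, name), (_, value) = read_seq(vb)
        varbinds.append((decode_oid(name), value.decode()))
    return {"community": community.decode(), "enterprise": decode_oid(ent),
            "agent": socket.inet_ntoa(addr), "generic": int.from_bytes(gen, "big"),
            "specific": int.from_bytes(spec, "big"),
            "uptime": int.from_bytes(ticks, "big"), "varbinds": varbinds}


def send_trap(msg: bytes, manager_ip: str, port: int = 162) -> None:
    """Traps are plain UDP datagrams to the manager; nothing is acknowledged."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(msg, (manager_ip, port))


# Constructed sample alert: placeholder enterprise OID, documentation-range IPs.
SAMPLE_TRAP = build_trap("public", "1.3.6.1.4.1.99999", "192.0.2.10", 1, 12345,
                         [("1.3.6.1.4.1.99999.1.1", "port scan from 198.51.100.7")])

if __name__ == "__main__":
    print(SAMPLE_TRAP.hex())
    print(parse_trap(SAMPLE_TRAP))
```

The parser is deliberately strict (SNMPv1 only, Trap-PDU only) because a collector that accepts any PDU type on port 162 is a common source of confusion when testing; the same BER helpers can be reused to read what a real IDS emits and compare it against the vendor MIB.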


