Re: Alarm response strategies

From: David W. Goodrum (dgoodrum_at_nfr.com)
Date: 07/26/04

    Date: Mon, 26 Jul 2004 17:55:46 -0400
    To: Rob Shein <shoten@starpower.net>
    
    

    Don't you think you're making a poor assumption that users will simply
    set up a rule to take an action on every alert?

    For example, NFR's new inline IPS device has a blackholing feature where
    end users can choose to blackhole IP addresses that trigger certain
    alerts. But, to do so, you must meet a number of criteria. One of them
    is that the alert that was triggered was a TCP-based alert, i.e. we
    must have seen a full 3-way handshake and then something within that TCP
    session triggered an alert. NFR would drop the connection and block
    future connections. Your idea of a UDP flood would not work in this
    situation.

    So, for the idea presented by Urko, he may want to make an ACL change
    for only a specific alert, say for example NIMDA if he sees it inside
    his network. I don't think anybody is dumb enough to make a blanket
    rule to block everything that might possibly trigger an alert.

    -dave

    Rob Shein wrote:

    >Given the fact that IDS are prone to false alarms (and easy to make trigger
    >with spoofed traffic), it's the general consensus that active responses are
    >a bad idea. For example, if I were to start scanning your network, and find
    >myself suddenly blocked at the router or firewall, I would then spoof tons
    >of UDP traffic from DNS servers that I believed you might use. Your
    >firewall would then block traffic from them, and bingo, I've just shut down
    >your ability to resolve things.
    >
    >
    >
    >>-----Original Message-----
    >>From: (infor) urko zurutuza [mailto:uzurutuza@eps.mondragon.edu]
    >>Sent: Friday, July 23, 2004 3:35 AM
    >>To: focus-ids@securityfocus.com
    >>Subject: Alarm response strategies
    >>
    >>
    >> Hi all,
    >>
    >> May we discuss which strategies the IPS
    >>vendors use to prevent or respond to attacks?
    >>
    >>- When do they change a firewall rule
    >>- When to reset a connection
    >>- When to create an ACL on a router
    >>
    >>
    >>Are all of the responses used with a logical sense?
    >>Should they be used depending on the type of attack?
    >>Does it only depend on the capability of each vendor?
    >>What other strategies are there?
    >>
    >>Thank you in advance,
    >>__________________________________________________
    >>MONDRAGON UNIBERTSITATEA
    >>Urko Zurutuza
    >>Dpto. Informática
    >>Loramendi 4 - Aptdo.23
    >>20500 Arrasate-Mondragon
    >>Tel. +34 943 739636 // +34 943 794700 Ext.297
    >>www.eps.mondragon.edu > uzurutuza@eps.mondragon.edu
    >>
    >>
    >>
    >>
    >>--------------------------------------------------------------------------
    >>Test Your IDS
    >>
    >>Is your IDS deployed correctly?
    >>Find out quickly and easily by testing it with real-world
    >>attacks from CORE IMPACT. Go to
    >>http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
    >>--------------------------------------------------------------------------

    -- 
    David W. Goodrum
    Senior Systems Engineer
    NFR Security
    703.731.3765
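The criteria Dave describes (TCP only, a completed handshake, a specific signature such as NIMDA rather than a blanket rule) together with Rob's spoofed-resolver concern can be written down as a response policy that an IPS evaluates before taking any automatic action. This is an added example, not code from the thread or from NFR's product; the Alert fields, the signature allowlist and the protected resolver addresses are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Alert:
    """Constructed alert record; field names are assumptions, not NFR's format."""
    signature: str        # e.g. "NIMDA"
    proto: str            # "tcp" or "udp"
    src_ip: str
    handshake_seen: bool  # full SYN / SYN-ACK / ACK observed before the trigger

# Only signatures on this allowlist may ever drive an automatic block (assumption).
BLOCKABLE_SIGNATURES = {"NIMDA"}
# Infrastructure that must never be auto-blocked, e.g. the resolvers an attacker
# could impersonate with spoofed UDP (documentation addresses, constructed).
PROTECTED_HOSTS = {"192.0.2.53", "198.51.100.53"}

def should_blackhole(alert, blockable=BLOCKABLE_SIGNATURES, protected=PROTECTED_HOSTS):
    """Return (decision, reason); every criterion must hold before blocking."""
    if alert.signature not in blockable:
        return False, "signature not on the auto-block list"
    if alert.proto != "tcp":
        return False, "non-TCP alert: source address is trivially spoofable"
    if not alert.handshake_seen:
        return False, "no completed handshake: source never proved reachable"
    if alert.src_ip in protected:
        return False, "source is protected infrastructure"
    return True, "block: verified TCP session matched a listed signature"

def evaluate(alerts):
    """Map each alert to (src_ip, signature, decision, reason)."""
    return [(a.src_ip, a.signature, *should_blackhole(a)) for a in alerts]

# Constructed sample alerts covering the cases raised in the thread.
SAMPLE_ALERTS = [
    Alert("NIMDA", "tcp", "203.0.113.7", True),       # the only one that blocks
    Alert("NIMDA", "tcp", "203.0.113.8", False),      # SYN only, no handshake
    Alert("NIMDA", "udp", "192.0.2.53", False),       # spoofed UDP "from" a resolver
    Alert("PORTSCAN", "tcp", "203.0.113.9", True),    # not on the allowlist
]

if __name__ == "__main__":
    for src, sig, blocked, reason in evaluate(SAMPLE_ALERTS):
        print(f"{src:<14} {sig:<9} {'BLOCK' if blocked else 'alert only':<10} {reason}")
```

Only the verified TCP NIMDA session is blocked; the spoofed UDP alert attributed to a resolver is logged but never turned into an ACL change.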
    
