Firewall Wizards mailing list archives
Automated IDS response
From: "Michael B. Rash" <mbr () math umd edu>
Date: Thu, 10 Feb 2000 18:08:36 -0500 (EST)
Having your IDS respond automatically to an IP that is generating questionable traffic by dynamically managing your router ACLs (or other similar action; tcpwrappers, ipchains, etc...) to deny all traffic from the IP can be a risky thing to do from a DoS perspective; nmap's decoy option comes to mind. It would seem that any IDS should only block traffic from an IP based on an attack signature that requires bi-directional communication, like a CGI exploit over http/80 or something. Are there guidelines for deploying IDS response that discusses methods for minimizing false positives? Are there any *good* ways of doing this? --Mike http://www.math.umd.edu/~mbr
Current thread:
- Automated IDS response Michael B. Rash (Feb 11)
- <Possible follow-ups>
- RE: Automated IDS response Kopf , Patrick E. (Feb 12)
- Re: Automated IDS response Michael H. Warfield (Feb 14)
- Re: Automated IDS response Michael B. Rash (Feb 14)
- Re: Automated IDS response Andy (Feb 14)
- Re: Automated IDS response Lance Spitzner (Feb 15)
- Re: Automated IDS response Michael H. Warfield (Feb 14)
- RE: Automated IDS response Robert Graham (Feb 14)
- RE: Automated IDS response Crumrine, Gary L (Feb 15)
- RE: Automated IDS response Marcus J. Ranum (Feb 15)
- Re: Automated IDS response Paul Cardon (Feb 17)
- RE: Automated IDS response Robert Graham (Feb 15)
(Thread continues...)