IDS mailing list archives

RE: Alarm response strategies


From: "Joshua Berry" <jberry () PENSON COM>
Date: Tue, 27 Jul 2004 08:36:00 -0500

Actually, most IPS' are at least combinations of signature and protocol anomaly based.  Behavioral based IPS would 
definitely be prone to false positives.  Also, signature based IPS would not cause problems due to spoofing as long as 
you are not relying on inserting firewall rules on the fly.  Having your IDS insert firewall rules is a great way to 
cause the problems Rob wrote about, but if you are using something like Snort-Inline, you are not actually creating 
firewall rules for each connection, just blocking the malicious part of the packet.

Therefore, Signature/Rule based IPS is fine used in this method.

-----Original Message-----
From: Tony Carter [mailto:tcarter () entrusion com] 
Sent: Monday, July 26, 2004 8:50 PM
To: Rob Shein
Cc: focus-ids () securityfocus com; '(infor) urko zurutuza'
Subject: Re: Alarm response strategies

Rob,
Your argument is valid for a signature based IPS. But who makes one of those? That's why you need protocol/anomaly/behavior based IPS. They are far less prone to false positives. Your UDP DOS may have an impact on a network without proper security architecture in place, but a well thought out design/configuration would not be vulnerable to such an attack. At best you would fill up the pipe.

-Tony


On Jul 25, 2004, at 9:35 PM, Rob Shein wrote:

Given the fact that IDS are prone to false alarms (and easy to make trigger with spoofed traffic), it's the general consensus that active responses are a bad idea. For example, if I were to start scanning your network, and find myself suddenly blocked at the router or firewall, I would then spoof tons of UDP traffic from DNS servers that I believed you might use. Your firewall would then block traffic from them, and bingo, I've just shut down your ability to resolve things.

-----Original Message-----
From: (infor) urko zurutuza [mailto:uzurutuza () eps mondragon edu]
Sent: Friday, July 23, 2004 3:35 AM
To: focus-ids () securityfocus com
Subject: Alarm response strategies


Hi all,

May we discuss which strategies IPS vendors use to prevent or respond to attacks?

- When do they change a firewall rule
- When to reset a connection
- When to create an ACL on a router

Are all of the responses used with a logical sense?
Should they be used depending on the type of the attack?
Does it only depend on the capability of each vendor?
What more strategies are there?

Thank you in advance,
__________________________________________________
MONDRAGON UNIBERTSITATEA
Urko Zurutuza
Dpto. Informática
Loramendi 4 - Aptdo.23
20500 Arrasate-Mondragon
Tel. +34 943 739636 // +34 943 794700 Ext.297
www.eps.mondragon.edu > uzurutuza () eps mondragon edu




--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world
attacks from CORE IMPACT. Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
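The safeguards argued for in this thread, as an added example that is not code from any of the posters: an active-response gate that only installs a source-wide firewall rule for a source verified by a completed TCP handshake, never for protected infrastructure such as the site's resolvers, and always with an expiry, while every other alert gets the inline per-packet drop Joshua describes. The `Alert`/`ResponsePolicy` names and the documentation-range addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Alert:
    src: str             # source address the alert blames
    proto: str           # "tcp" or "udp"
    established: bool    # True only if a TCP three-way handshake completed
    confidence: str      # "high", "medium" or "low" signature confidence


@dataclass
class ResponsePolicy:
    # Infrastructure the site cannot afford to cut off (DNS, NTP, upstreams)
    protected: list
    block_seconds: int = 600
    blocked: dict = field(default_factory=dict)   # src -> rule expiry time

    def is_protected(self, src):
        addr = ip_address(src)
        return any(addr in ip_network(n) for n in self.protected)

    def decide(self, alert, now):
        """Return (action, reason). 'drop_packet' is the inline, per-packet
        response that adds no firewall state; 'block_source' is the only
        action that installs a rule against the address."""
        if self.is_protected(alert.src):
            return "drop_packet", "protected infrastructure is never rule-blocked"
        if alert.proto != "tcp" or not alert.established:
            # A UDP or half-open TCP source address proves nothing about the
            # real sender, so a rule here would let a spoofer pick the victim.
            return "drop_packet", "source unverified: no completed handshake"
        if alert.confidence != "high":
            return "drop_packet", "confidence too low for a source-wide rule"
        if alert.src not in self.blocked:
            self.blocked[alert.src] = now + self.block_seconds
        return "block_source", "rule expires at %d" % self.blocked[alert.src]

    def expire(self, now):
        """Drop rules past their expiry so a mistaken block cannot last."""
        stale = [s for s, t in self.blocked.items() if t <= now]
        for s in stale:
            del self.blocked[s]
        return stale


# Constructed scenario from the thread: spoofed UDP claiming to come from the
# site's own resolver (192.0.2.0/24 and 198.51.100.0/24 are documentation nets).
POLICY = ResponsePolicy(protected=["192.0.2.53/32", "10.0.0.0/8"])
SPOOFED_DNS = Alert("192.0.2.53", "udp", False, "high")
SCANNER = Alert("198.51.100.7", "tcp", True, "high")

if __name__ == "__main__":
    for a in (SPOOFED_DNS, SCANNER):
        print(a.src, POLICY.decide(a, now=1000))
```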