IDS mailing list archives
RE: Alarm response strategies
From: "Joshua Berry" <jberry () PENSON COM>
Date: Tue, 27 Jul 2004 08:36:00 -0500
Actually, most IPSs are at least combinations of signature and protocol anomaly based. Behavior-based IPS would definitely be prone to false positives. Also, signature-based IPS would not cause problems due to spoofing as long as you are not relying on inserting firewall rules on the fly. Having your IDS insert firewall rules is a great way to cause the problems Rob wrote about, but if you are using something like Snort-Inline, you are not actually creating firewall rules for each connection, just blocking the malicious part of the packet. Therefore, signature/rule-based IPS is fine when used in this method.

-----Original Message-----
From: Tony Carter [mailto:tcarter () entrusion com]
Sent: Monday, July 26, 2004 8:50 PM
To: Rob Shein
Cc: focus-ids () securityfocus com; '(infor) urko zurutuza'
Subject: Re: Alarm response strategies

Rob,

Your argument is valid for a signature-based IPS. But who makes one of those?? That's why you need protocol/anomaly/behavior-based IPS. They are far less prone to false positives. Your UDP DOS may have an impact on a network without proper security architecture in place, but a well thought out design/configuration would not be vulnerable to such an attack. At best you would fill up the pipe..

-Tony

On Jul 25, 2004, at 9:35 PM, Rob Shein wrote:
Given the fact that IDS are prone to false alarms (and easy to make trigger with spoofed traffic), it's the general consensus that active responses are a bad idea. For example, if I were to start scanning your network, and find myself suddenly blocked at the router or firewall, I would then spoof tons of UDP traffic from DNS servers that I believed you might use. Your firewall would then block traffic from them, and bingo, I've just shut down your ability to resolve things.

-----Original Message-----
From: (infor) urko zurutuza [mailto:uzurutuza () eps mondragon edu]
Sent: Friday, July 23, 2004 3:35 AM
To: focus-ids () securityfocus com
Subject: Alarm response strategies

Hi all,

May we discuss which strategies the IPS vendors use to prevent/respond from/to attacks?
- When do they change a firewall rule
- When to reset a connection
- When to create an ACL on a router
Are all of the responses used with a logical sense? Should they be used depending on the type of the attack? Does it only depend on the capability of each vendor? What more strategies are there?

Thank you in advance,
__________________________________________________
MONDRAGON UNIBERTSITATEA
Urko Zurutuza
Dpto. Informática
Loramendi 4 - Aptdo.23
20500 Arrasate-Mondragon
Tel. +34 943 739636 // +34 943 794700 Ext.297
www.eps.mondragon.edu
uzurutuza () eps mondragon edu

--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
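Putting Joshua's distinction (inline drop of the offending packet versus IDS-inserted firewall rules) and Rob's spoofed-DNS scenario into one concrete response policy, as an added example that is not from the thread, from Snort-Inline or from any vendor product: the Alert layout, the 192.0.2.0/24 "protected" network and the rule budget are assumptions.

```python
"""Active-response policy for an IDS/IPS alert stream (hypothetical, constructed).
Inline drops of the single offending packet are always safe; a firewall rule
is inserted only on evidence an attacker cannot spoof blindly, never against
our own infrastructure, and only within a fixed budget."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Infrastructure we must never auto-block, whatever the alert says
# (constructed: where our resolvers, NTP servers and upstream routers live).
PROTECTED_NETS = [ip_network("192.0.2.0/24")]
MAX_ACTIVE_RULES = 2  # deliberately small so the exhaustion path is visible


@dataclass
class Alert:
    src: str            # source address reported by the sensor
    proto: str          # "tcp", "udp" or "icmp"
    established: bool   # True only if the TCP handshake completed with src
    severity: int       # 1 (low) .. 3 (high)


class ResponsePolicy:
    def __init__(self) -> None:
        self.blocked = set()  # sources for which a firewall rule now exists

    def decide(self, a: Alert) -> str:
        # 1. Dropping just this packet inline (the Snort-Inline approach)
        #    never locks out a whole source, so it is the default response.
        if a.severity < 3:
            return "drop-packet"
        # 2. Never block our own infrastructure, even on a high-severity alert:
        #    a spoofed flood "from" our DNS servers is exactly Rob's scenario.
        if any(ip_address(a.src) in net for net in PROTECTED_NETS):
            return "drop-packet+alert-operator"
        # 3. UDP/ICMP and unestablished TCP carry whatever source address the
        #    sender wrote, so a block rule would hit the spoofed victim.
        if a.proto != "tcp" or not a.established:
            return "drop-packet+alert-operator"
        # 4. Bound the number of rules the IDS may create so an attacker cannot
        #    fill the firewall; beyond the budget, fall back to session resets.
        if a.src in self.blocked:
            return "already-blocked"
        if len(self.blocked) >= MAX_ACTIVE_RULES:
            return "reset-connection"
        self.blocked.add(a.src)
        return "insert-firewall-rule"
```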
Current thread:
- Alarm response strategies (infor) urko zurutuza (Jul 25)
- RE: Alarm response strategies Rob Shein (Jul 26)
- Re: Alarm response strategies David W. Goodrum (Jul 27)
- Re: Alarm response strategies Tony Carter (Jul 27)
- RE: Alarm response strategies Frank Knobbe (Jul 27)
- RE: Alarm response strategies Rob Shein (Jul 27)
- Re: Alarm response strategies David W. Goodrum (Jul 28)
- RE: Alarm response strategies Frank Knobbe (Jul 28)
- RE: Alarm response strategies Rob Shein (Jul 26)
- <Possible follow-ups>
- RE: Alarm response strategies Joshua Berry (Jul 27)
- RE: Alarm response strategies Richard Bejtlich (Jul 28)
- RE: Alarm response strategies Joshua Berry (Jul 28)