IDS: Re: Alarm response strategies

["David W. Goodrum" <dgoodrum () nfr com>]

Don't you think you're making a poor assumption that users will simply 
setup a rule to take an action on every alert?
For example, NFR's new inline IPS device has a blackholing feature where 
we end users can choose to blackhole IP addresses that trigger certain 
alerts.  But, to do so, you must meet a number of criteria.  One of them 
being that the alert that was triggered was a TCP based alert.  i.e. we 
must have seen a full 3 way handshake and then something within that TCP 
session triggered an alert.  NFR would drop the connection and block 
future connections.  Your idea of a UDP flood would not work in this 
situation.
So, for the idea presented by Urko,  he may want to make an ACL change 
for only a specific alert, say for example NIMDA if he sees it inside 
his network.  I don't think anybody is dumb enough to make a blanket 
rule to block everything that might possibly trigger an alert.
-dave



Rob Shein wrote:

> Given the fact that IDS are prone to false alarms (and easy to make trigger
> with spoofed traffic), it's the general consensus that active responses are
> a bad idea.  For example, if I were to start scanning your network, and find
> myself suddenly blocked at the router or firewall, I would then spoof tons
> of UDP traffic from DNS servers that I believed you might use.  Your
> firewall would then block traffic from them, and bingo, I've just shut down
> your ability to resolve things.
>
>  
>
> > -----Original Message-----
> > From: (infor) urko zurutuza [mailto:uzurutuza () eps mondragon edu] 
> > Sent: Friday, July 23, 2004 3:35 AM
> > To: focus-ids () securityfocus com
> > Subject: Alarm response strategies
> >
> >
> >  Hi all,
> >
> >    May we discuss on which are the strategies that the IPS 
> > vendors use to prevent/respond from/to attacks?
> > - When do they change a firewall rule
> > - When to reset a connection
> > - When to create an ACL on a router
> >
> >
> > Are all of the responses used with a logical sense?
> > Should they been used depending on the type of the attack?
> > Only depends on the capability of each vendor?
> > What more strategies are there?
> >
> > Thank you in advance, 
> > __________________________________________________
> > MONDRAGON UNIBERTSITATEA
> > Urko Zurutuza
> > Dpto. Informática
> > Loramendi 4 - Aptdo.23
> > 20500 Arrasate-Modragon
> > Tel. +34 943 739636 // +34 943 794700 Ext.297 
> > www.eps.mondragon.edu > uzurutuza () eps mondragon edu
> >
> >
> >
> > --------------------------------------------------------------
> > ------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it with real-world 
> > attacks from CORE IMPACT. Go to 
> > http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_04
> >    
> 0708 to learn more.
> --------------------------------------------------------------------------
>
>
>
> --------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from CORE
> IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
> --------------------------------------------------------------------------
>
>  
--
David W. Goodrum
Senior Systems Engineer
NFR Security
703.731.3765



--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------