IDS: RE: Alarm response strategies

["Joshua Berry" <jberry () PENSON COM>]

Actually, most IPS' are at least combinations of signature and protocol anomaly based.  Behavioral based IPS would 
definitely be prone to false positives.  Also, signature based IPS would not cause problems due to spoofing as long as 
you are not relying on inserting firewall rules on the fly.  Having your IDS insert firewall rules is a great way to 
cause the problems Rob wrote about, but if you are using something like Snort-Inline, you are not actually creating 
firewall rules for each connection, just blocking the malicious part of the packet.

Therefore, Signature/Rule based IPS is fine used in this methd.

-----Original Message-----
From: Tony Carter [mailto:tcarter () entrusion com] 
Sent: Monday, July 26, 2004 8:50 PM
To: Rob Shein
Cc: focus-ids () securityfocus com; '(infor) urko zurutuza'
Subject: Re: Alarm response strategies

Rob,
Your argument is valid for a signature based IPS. But who makes one of  
those?? That's why you need protocol/anomaly/behavior based IPS. They  
are far less prone to false positives.  Your UDP DOS may have an impact  
on a network without proper security architecture in place but a well  
thought out design/configuration would not be vulnerable to such an  
attack.  At best you would fill up the pipe..

-Tony


On Jul 25, 2004, at 9:35 PM, Rob Shein wrote:

> Given the fact that IDS are prone to false alarms (and easy to make  
> trigger
> with spoofed traffic), it's the general consensus that active  
> responses are
> a bad idea.  For example, if I were to start scanning your network,  
> and find
> myself suddenly blocked at the router or firewall, I would then spoof  
> tons
> of UDP traffic from DNS servers that I believed you might use.  Your
> firewall would then block traffic from them, and bingo, I've just shut  
> down
> your ability to resolve things.
>
> > -----Original Message-----
> > From: (infor) urko zurutuza [mailto:uzurutuza () eps mondragon edu]
> > Sent: Friday, July 23, 2004 3:35 AM
> > To: focus-ids () securityfocus com
> > Subject: Alarm response strategies
> >
> >
> >   Hi all,
> >
> >     May we discuss on which are the strategies that the IPS
> > vendors use to prevent/respond from/to attacks?
> >
> > - When do they change a firewall rule
> > - When to reset a connection
> > - When to create an ACL on a router
> >
> >
> > Are all of the responses used with a logical sense?
> > Should they been used depending on the type of the attack?
> > Only depends on the capability of each vendor?
> > What more strategies are there?
> >
> > Thank you in advance,
> > __________________________________________________
> > MONDRAGON UNIBERTSITATEA
> > Urko Zurutuza
> > Dpto. Informática
> > Loramendi 4 - Aptdo.23
> > 20500 Arrasate-Modragon
> > Tel. +34 943 739636 // +34 943 794700 Ext.297
> > www.eps.mondragon.edu > uzurutuza () eps mondragon edu
> >
> >
> >
> >
> > --------------------------------------------------------------
> > ------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it with real-world
> > attacks from CORE IMPACT. Go to
> > http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_04
> 0708 to learn more.
> ----------------------------------------------------------------------- 
> ---
>
>
>
> ----------------------------------------------------------------------- 
> ---
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from  
> CORE
> IMPACT.
> Go to  
> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to  
> learn more.
> ----------------------------------------------------------------------- 
> ---

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------