Firewall Wizards mailing list archives
Re: Automated IDS response
From: "Michael H. Warfield" <mhw () wittsend com>
Date: Sat, 12 Feb 2000 13:38:15 -0500
On Fri, Feb 11, 2000 at 10:12:40AM -0500, Kopf , Patrick E. wrote:
> Network Ice's BlackIce Defender IDS does this type of traffic blocking (based on type of attack). Defender only blocks traffic for attacks that are 'non-spoofable'. I don't know if they're the only IDS that does this or not.
Portsentry <www.psionic.com> does this for Unix/Linux systems
as well. You can select what classes of services it will react to. I
don't advise UDP or "stealth TCP" because it's spoofable, but connected
TCP port scans work great.
Doesn't have content reaction capability though. Shutting down
a route based on CGI script activity would be a bit much.
Sorry... Not a Windows product. Works great on a Linux firewall
protecting the Windows boxen behind the firewall if you are on a cable
modem or an xDSL connection. :-)
> Pat Kopf
>
> -----Original Message-----
> From: Michael B. Rash [mailto:mbr () math umd edu]
> Sent: Thursday, February 10, 2000 6:09 PM
> To: firewall-wizards () nfr net
> Subject: Automated IDS response
>
> Having your IDS respond automatically to an IP that is generating questionable traffic by dynamically managing your router ACLs (or other similar action; tcpwrappers, ipchains, etc...) to deny all traffic from the IP can be a risky thing to do from a DoS perspective; nmap's decoy option comes to mind. It would seem that any IDS should only block traffic from an IP based on an attack signature that requires bi-directional communication, like a CGI exploit over http/80 or something. Are there guidelines for deploying IDS response that discusses methods for minimizing false positives? Are there any *good* ways of doing this?
>
> --Mike
> http://www.math.umd.edu/~mbr
--
Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
  PGP Key: 0xDF1DD471   |  possible worlds.  A pessimist is sure of it!
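The rule both Mike's question and this reply converge on, only auto-block a source when the triggering signature needed a completed TCP connection, so the address cannot have been forged, can be written down as a small policy filter in front of whatever does the blocking. The following is an added example, not code from the thread, from Portsentry or from BlackIce; the event categories, the `IdsEvent` record, the protected address list and the sample events are all constructed for illustration, and the addresses are RFC 5737 documentation ranges. It emits `ipchains` rules as strings for review rather than executing anything, and records why each refused event was refused, which is the information needed when tuning false positives.

```python
"""
Policy filter for automated IDS response: block only on evidence that
required a real three-way handshake, never on single-packet or half-open
signatures (UDP, SYN/FIN/NULL scans, ICMP) that nmap decoys or other
spoofing can attribute to an innocent address, and never block addresses
the protected network itself depends on.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional

# Detection classes whose evidence requires a completed handshake: the peer
# had to receive our SYN/ACK, so the source address is the real one.
# (Category names are constructed for this example.)
NON_SPOOFABLE = {"tcp_connect_scan", "http_cgi_exploit", "smtp_relay_probe"}

# Classes triggered by single packets or half-open connections; the source
# can be forged, so these only alert and never block.
SPOOFABLE = {"udp_scan", "syn_scan", "fin_scan", "null_scan", "icmp_sweep"}

# Addresses that must never be auto-blocked however the IDS fires: our own
# network, the upstream gateway and the ISP resolver. Placeholder values.
PROTECTED = [
    ip_network("192.0.2.0/24"),     # our own network (placeholder)
    ip_network("203.0.113.1/32"),   # ISP default gateway (placeholder)
    ip_network("203.0.113.53/32"),  # ISP resolver (placeholder)
]


@dataclass(frozen=True)
class IdsEvent:
    source: str                # address the IDS attributes the activity to
    category: str              # detection class, e.g. "tcp_connect_scan"
    dest_port: int
    completed_handshake: bool  # did the sensor see a full TCP connection?


def block_decision(ev: IdsEvent) -> Optional[str]:
    """Return None if the event qualifies for an automatic block, otherwise
    the reason it was refused (worth logging when tuning the response)."""
    if ev.category in SPOOFABLE:
        return "spoofable signature"
    if ev.category not in NON_SPOOFABLE:
        return "unknown category, alert only"
    if not ev.completed_handshake:
        # Even a connect-class signature is untrustworthy without the
        # sensor having observed the handshake complete.
        return "no completed handshake observed"
    src = ip_address(ev.source)
    if any(src in net for net in PROTECTED):
        return "source is a protected address"
    return None


def plan_blocks(events: Iterable[IdsEvent]) -> List[str]:
    """Turn qualifying events into ipchains rules, one per distinct source.
    Rules are inserted at the head of the input chain so they win over any
    later accept rule; they are returned for review, not executed."""
    rules: List[str] = []
    seen = set()
    for ev in events:
        if block_decision(ev) is not None or ev.source in seen:
            continue
        seen.add(ev.source)
        rules.append(f"ipchains -I input -s {ev.source} -j DENY -l")
    return rules


# Constructed sample events (RFC 5737 documentation addresses).
SAMPLE_EVENTS = [
    IdsEvent("198.51.100.7", "tcp_connect_scan", 23, True),
    IdsEvent("198.51.100.7", "http_cgi_exploit", 80, True),   # same source
    IdsEvent("198.51.100.99", "syn_scan", 139, False),        # spoofable
    IdsEvent("203.0.113.1", "tcp_connect_scan", 21, True),    # our gateway
    IdsEvent("198.51.100.42", "udp_scan", 161, False),        # spoofable
    IdsEvent("198.51.100.13", "http_cgi_exploit", 80, False), # no handshake
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.source:15} {ev.category:18} -> "
              f"{block_decision(ev) or 'BLOCK'}")
    for rule in plan_blocks(SAMPLE_EVENTS):
        print(rule)
```

Run as-is, only the one source seen completing connections (198.51.100.7) yields a rule; the SYN and UDP events, the gateway, and the CGI hit with no observed handshake are all refused with a stated reason. The same filter sits equally well in front of a router ACL push or a tcpwrappers deny list; the point is that the decision about spoofability is made once, in one place, rather than per signature.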
Current thread:
- Automated IDS response Michael B. Rash (Feb 11)
- <Possible follow-ups>
- RE: Automated IDS response Kopf , Patrick E. (Feb 12)
- Re: Automated IDS response Michael H. Warfield (Feb 14)
- Re: Automated IDS response Michael B. Rash (Feb 14)
- Re: Automated IDS response Andy (Feb 14)
- Re: Automated IDS response Lance Spitzner (Feb 15)
- Re: Automated IDS response Michael H. Warfield (Feb 14)
- RE: Automated IDS response Robert Graham (Feb 14)
- RE: Automated IDS response Crumrine, Gary L (Feb 15)
- RE: Automated IDS response Marcus J. Ranum (Feb 15)
- Re: Automated IDS response Paul Cardon (Feb 17)
- RE: Automated IDS response Robert Graham (Feb 15)
- RE: Automated IDS response Russ Wolfe (Feb 16)
- RE: Automated IDS response ark (Feb 17)
