IDS responses

[<marca369 () student liu se>]

Hi all!

I'm currently trying to learn about the different repsonses an IDS can 
perform and I have trouble finding detailed information.
For those of you who don't feel like reading through the rest of the 
text I'll state my problem here:
Can anyone explain or direct me to an explanation of the SNMP Trap's 
use in active responses of intrusion detection systems?

As far as I understand, responses can traditionally be divided into two 
categories; active and passive. Active responses actively change the 
internal state of the IDS or the surrounding environment and passive 
responses deal with notifications and harvesting of information. Due to 
the upcoming intrusion prevention systems, two new categorizations 
exists; proavtive and reactive. Proactive responses takes place before 
the attack is carried out, effectively stopping it from being 
successful and reactive responses are executed during or after the 
attack. The traditional responses fall under the reactive category. So 
far so good.

Looking further into the traditional categories, several actual 
responses can be found (taken from the major IDS vendor's brochyres).

Active:
-------------
Blocking (shunning); Reconfiguration of routers/firewalls ACL lists to 
deny the attacker access.

TCP Reset; Sendning a TCP packet with the reset databit set to the 
source/target of the attack.

Disable user account; Used i host based IDS, speaks for itself.

Terminate user session; As above.

Invoke spawned process; Run a batch file, doing virtually anything.

Trace; Trace the traffic flow through to find the origin of the attack.

Redirection; Reconfigure a router to redirect the attacker into a 
honeypot/honeynet.

SNMP Trap; Reconfigure network devices?

Passive;
-------------
Display in console; Show event in the IDS GUI.

Record session; E.g. IP recording for forensic use or replay of 
attacking session.

Log; Log event with detailed attack related information in event 
database.

External notification; Email, sms, pager, etc.


As seen above the SNMP Trap explanation is not satisafctory. I have 
tried to read several RFCs and browse the Internet for detailed 
information on the subject, but come up emtpy handed. Does anyone know 
where I kind find a thourough explanation of the SNMP Trap use in 
intrusion detection? I would be more than grateful for any help on the 
subject.
Feel free to comment my list of responses if you feel it is not 
complete or if I have misunderstood anything.

Thanks!

Cheers/ Markus Carlbark