Automated IDS response

From: Michael B. Rash (mbrat_private)
Date: Thu Feb 10 2000 - 15:08:36 PST

Next message: SF BA: "Citrix ICA through port 80?"

Previous message: Ben Nagy: "RE: Cisco configuration question"
Next in thread: Kopf , Patrick E.: "RE: Automated IDS response"
Reply: Kopf , Patrick E.: "RE: Automated IDS response"
Reply: Robert Graham: "RE: Automated IDS response"
Reply: Michael H. Warfield: "Re: Automated IDS response"
Reply: Andy: "Re: Automated IDS response"
Reply: Michael B. Rash: "Re: Automated IDS response"
Reply: Crumrine, Gary L: "RE: Automated IDS response"
Reply: Lance Spitzner: "Re: Automated IDS response"
Reply: Marcus J. Ranum: "RE: Automated IDS response"
Reply: Robert Graham: "RE: Automated IDS response"
Reply: Russ Wolfe: "RE: Automated IDS response"
Reply: Paul Cardon: "Re: Automated IDS response"
Reply: arkat_private: "RE: Automated IDS response"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Having your IDS respond automatically to an IP that is generating
questionable traffic by dynamically managing your router ACLs (or other
similar action; tcpwrappers, ipchains, etc...) to deny all traffic from
the IP can be a risky thing to do from a DoS perspective; nmap's decoy
option comes to mind.

It would seem that any IDS should only block traffic from an IP
based on an attack signature that requires bi-directional communication,
like a CGI exploit over http/80 or something.  Are there guidelines for
deploying IDS response that discusses methods for minimizing false
positives?  Are there any *good* ways of doing this?

--Mike
http://www.math.umd.edu/~mbr

Next message: SF BA: "Citrix ICA through port 80?"
Previous message: Ben Nagy: "RE: Cisco configuration question"
Next in thread: Kopf , Patrick E.: "RE: Automated IDS response"
Reply: Kopf , Patrick E.: "RE: Automated IDS response"
Reply: Robert Graham: "RE: Automated IDS response"
Reply: Michael H. Warfield: "Re: Automated IDS response"
Reply: Andy: "Re: Automated IDS response"
Reply: Michael B. Rash: "Re: Automated IDS response"
Reply: Crumrine, Gary L: "RE: Automated IDS response"
Reply: Lance Spitzner: "Re: Automated IDS response"
Reply: Marcus J. Ranum: "RE: Automated IDS response"
Reply: Robert Graham: "RE: Automated IDS response"
Reply: Russ Wolfe: "RE: Automated IDS response"
Reply: Paul Cardon: "Re: Automated IDS response"
Reply: arkat_private: "RE: Automated IDS response"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:03:03 PDT