Network Ice's BlackIce Defender IDS does this type of traffic blocking (based on type of attack). Defender only blocks traffic for attacks that are 'non-spoofable'. I don't know if they're the only IDS that does this or not.

Pat Kopf

-----Original Message-----
From: Michael B. Rash [mailto:mbrat_private]
Sent: Thursday, February 10, 2000 6:09 PM
To: firewall-wizardsat_private
Subject: Automated IDS response

Having your IDS respond automatically to an IP that is generating questionable traffic by dynamically managing your router ACLs (or other similar action; tcpwrappers, ipchains, etc...) to deny all traffic from the IP can be a risky thing to do from a DoS perspective; nmap's decoy option comes to mind. It would seem that any IDS should only block traffic from an IP based on an attack signature that requires bi-directional communication, like a CGI exploit over http/80 or something. Are there guidelines for deploying IDS response that discuss methods for minimizing false positives? Are there any *good* ways of doing this?

--Mike
http://www.math.umd.edu/~mbr
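The gating rule both messages describe, blocking a source only when the triggering signature requires bi-directional (non-spoofable) communication, is shown below as an added example; it is not code from the thread or from any IDS product named in it. The signature catalogue, the `handshake_seen` flag (standing in for a sensor that tracks the TCP three-way handshake), the `never_block` list and the sample alerts are all constructed for illustration.

```python
"""Added example: an auto-response gate that only blocks a source address for
alerts whose signature cannot be triggered by a single, possibly spoofed packet."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import Dict, List, Set, Union

Network = Union[IPv4Network, IPv6Network]

# Hypothetical signature catalogue (constructed). "needs_session" marks signatures
# that can only fire after a completed TCP handshake, so the attacker must really
# be reachable at the source address it used.
SIGNATURES: Dict[str, dict] = {
    "WEB-CGI phf access":    {"proto": "tcp",  "needs_session": True},
    "FTP SITE EXEC attempt": {"proto": "tcp",  "needs_session": True},
    "SCAN TCP SYN sweep":    {"proto": "tcp",  "needs_session": False},
    "ICMP oversized echo":   {"proto": "icmp", "needs_session": False},
}


@dataclass
class Alert:
    sig: str
    src: str
    dst: str
    handshake_seen: bool  # assumed sensor flag: SYN, SYN/ACK and ACK all observed


@dataclass
class ResponseGate:
    # Addresses that must never be auto-blocked (routers, DNS, monitoring hosts).
    never_block: List[Network] = field(default_factory=list)
    max_blocks: int = 100  # cap on concurrent auto-blocks to bound self-inflicted DoS
    blocked: Set[str] = field(default_factory=set)
    audit: List[str] = field(default_factory=list)

    def decide(self, a: Alert) -> str:
        """Return 'block' or 'log-only:<reason>' for one alert."""
        meta = SIGNATURES.get(a.sig)
        if meta is None:
            return self._log(a, "unknown signature")
        src = ip_address(a.src)
        if any(src in net for net in self.never_block):
            return self._log(a, "protected source")
        if not meta["needs_session"]:
            return self._log(a, "spoofable signature")
        if meta["proto"] == "tcp" and not a.handshake_seen:
            return self._log(a, "no completed handshake")
        if a.src in self.blocked:
            return "block"
        if len(self.blocked) >= self.max_blocks:
            return self._log(a, "block table full")
        self.blocked.add(a.src)
        self.audit.append(f"BLOCK {a.src} ({a.sig})")
        return "block"

    def _log(self, a: Alert, reason: str) -> str:
        self.audit.append(f"LOG {a.src} ({a.sig}): {reason}")
        return f"log-only:{reason}"


def apply_alerts(alerts: List[Alert], gate: ResponseGate) -> List[str]:
    return [gate.decide(a) for a in alerts]


# Constructed sample alerts (documentation address ranges only).
SAMPLE_ALERTS = [
    Alert("WEB-CGI phf access",    "203.0.113.7",  "192.0.2.10", True),
    Alert("SCAN TCP SYN sweep",    "198.51.100.5", "192.0.2.10", False),
    Alert("WEB-CGI phf access",    "198.51.100.9", "192.0.2.10", False),
    Alert("ICMP oversized echo",   "203.0.113.99", "192.0.2.10", False),
    Alert("FTP SITE EXEC attempt", "192.0.2.1",    "192.0.2.20", True),  # own router
]


def demo():
    gate = ResponseGate(never_block=[ip_network("192.0.2.0/24")])
    actions = apply_alerts(SAMPLE_ALERTS, gate)
    return actions, sorted(gate.blocked)


if __name__ == "__main__":
    actions, blocked = demo()
    for alert, action in zip(SAMPLE_ALERTS, actions):
        print(f"{alert.src:14} {alert.sig:24} -> {action}")
    print("auto-blocked:", blocked)
```

Only the first alert results in a block: the SYN sweep and ICMP alerts are single-packet signatures that a spoofed source could generate, the second CGI alert lacks a tracked handshake, and the last one comes from a protected address. The `never_block` list and the block-table cap are the two checks that keep a flood of forged alerts from turning the IDS into a tool for locking out your own infrastructure.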
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:03:08 PDT