On Fri, Feb 11, 2000 at 10:12:40AM -0500, Kopf, Patrick E. wrote:
> Network Ice's BlackIce Defender IDS does this type of traffic blocking
> (based on type of attack). Defender only blocks traffic for attacks that
> are 'non-spoofable'. I don't know if they're the only IDS that does this or
> not.

Portsentry <www.psionic.com> does this for Unix/Linux systems as well. You
can select what classes of services it will react to. I don't advise UDP or
"stealth TCP" because it's spoofable, but connected TCP port scans work
great. Doesn't have content reaction capability though. Shutting down a
route based on CGI script activity would be a bit much.

Sorry... Not a Windows product. Works great on a Linux firewall protecting
the Windows boxen behind the firewall if you are on a cable modem or an xDSL
connection. :-)

> Pat Kopf
>
> -----Original Message-----
> From: Michael B. Rash [mailto:mbrat_private]
> Sent: Thursday, February 10, 2000 6:09 PM
> To: firewall-wizardsat_private
> Subject: Automated IDS response
>
>
> Having your IDS respond automatically to an IP that is generating
> questionable traffic by dynamically managing your router ACLs (or other
> similar action; tcpwrappers, ipchains, etc...) to deny all traffic from
> the IP can be a risky thing to do from a DoS perspective; nmap's decoy
> option comes to mind.
>
> It would seem that any IDS should only block traffic from an IP
> based on an attack signature that requires bi-directional communication,
> like a CGI exploit over http/80 or something. Are there guidelines for
> deploying IDS response that discuss methods for minimizing false
> positives? Are there any *good* ways of doing this?
>
> --Mike
> http://www.math.umd.edu/~mbr

--
Michael H. Warfield    |  (770) 985-6132  |  mhwat_private
  (The Mad Wizard)     |  (770) 331-2437  |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9     |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471   |  possible worlds.  A pessimist is sure of it!
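The thread's rule of thumb (auto-block only on evidence that requires a completed TCP connection, never on UDP or half-open "stealth" scans, and guard against the decoy-scan self-DoS) can be written down as a small response policy. The following is an added illustration, not code from the thread, from Portsentry or from BlackIce Defender. The signature names, the sample events, the protected-host list and the `ResponsePolicy` class are all constructed for this example; the only real thing it reproduces is the shape of an ipchains deny rule, which it prints rather than runs.

```python
"""Auto-response policy that blocks only on non-spoofable IDS evidence (example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import time


@dataclass
class Event:
    src: str           # source IP as reported by the sensor
    proto: str         # "tcp" or "udp"
    established: bool  # True only if the TCP three-way handshake completed with src
    signature: str     # hypothetical signature names, e.g. "tcp-connect-scan"


# Signatures that can only fire after a completed TCP connection, so the
# source address cannot have been forged. Names are constructed for this example.
NON_SPOOFABLE = {"tcp-connect-scan", "http-cgi-exploit"}


class ResponsePolicy:
    def __init__(self, protected, max_blocks=100, ttl_seconds=3600, clock=time.time):
        # Hosts that must never be auto-blocked (own gateway, DNS, upstream router).
        # A decoy scan (nmap -D) can name them as a source; the allowlist applies
        # regardless of what evidence the sensor reports.
        self.protected = [ip_network(n) for n in protected]
        self.max_blocks = max_blocks  # bound on how many addresses we deny at once
        self.ttl = ttl_seconds        # blocks expire, so a mistake heals itself
        self.clock = clock            # injectable for testing
        self.blocked = {}             # ip string -> expiry timestamp

    def _expire(self):
        now = self.clock()
        self.blocked = {ip: exp for ip, exp in self.blocked.items() if exp > now}

    def decide(self, ev):
        """Return one of: protected, log-only, already-blocked, block."""
        self._expire()
        ip = ip_address(ev.src)
        if any(ip in net for net in self.protected):
            return "protected"
        # Spoofable evidence (UDP, half-open TCP, anything without a completed
        # handshake or with a signature outside the non-spoofable set) is logged only.
        if ev.proto != "tcp" or not ev.established or ev.signature not in NON_SPOOFABLE:
            return "log-only"
        if ev.src in self.blocked:
            return "already-blocked"
        if len(self.blocked) >= self.max_blocks:
            return "log-only"  # cap reached: never let a flood grow the deny list unbounded
        self.blocked[ev.src] = self.clock() + self.ttl
        return "block"

    @staticmethod
    def ipchains_rule(ip):
        """The ipchains command a Linux firewall of that era would run (not executed here)."""
        return f"ipchains -A input -s {ip} -j DENY"


# Constructed sample events, in the shape a sensor might report them.
SAMPLE_EVENTS = [
    Event("203.0.113.7", "tcp", True, "tcp-connect-scan"),    # real connect() scan
    Event("203.0.113.7", "tcp", True, "tcp-connect-scan"),    # same host again
    Event("198.51.100.9", "tcp", False, "syn-stealth-scan"),  # half-open: spoofable
    Event("198.51.100.10", "udp", False, "udp-scan"),         # UDP: spoofable
    Event("10.0.0.1", "tcp", True, "tcp-connect-scan"),       # our own gateway as source
    Event("203.0.113.8", "tcp", True, "http-cgi-exploit"),    # CGI attack over port 80
]


def run_policy(events=SAMPLE_EVENTS, policy=None):
    policy = policy or ResponsePolicy(protected=["10.0.0.1/32", "10.0.0.53/32"])
    return [(ev.src, policy.decide(ev)) for ev in events]


if __name__ == "__main__":
    for src, decision in run_policy():
        rule = ResponsePolicy.ipchains_rule(src) if decision == "block" else ""
        print(f"{src:15} {decision:16} {rule}")
```

Run on the sample events, only the two completed-connection sources end up on the deny list; the half-open scan, the UDP scan and the event that names the gateway are logged but never acted on. The cap and the expiry are the two knobs that keep an attacker who does find a non-spoofable trigger from turning the IDS into a denial-of-service tool against you.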
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:03:19 PDT