IDS responses

From: <marca369(at)student.liu.se>
Date: Fri Nov 15 2002 - 08:06:04 EST

Hi all!

I'm currently trying to learn about the different responses an IDS can perform and I have trouble finding detailed information. For those of you who don't feel like reading through the rest of the text, I'll state my problem here:
Can anyone explain or direct me to an explanation of the SNMP Trap's use in active responses of intrusion detection systems?

As far as I understand, responses can traditionally be divided into two categories: active and passive. Active responses actively change the internal state of the IDS or the surrounding environment, and passive responses deal with notifications and harvesting of information. Due to the upcoming intrusion prevention systems, two new categorizations exist: proactive and reactive. Proactive responses take place before the attack is carried out, effectively stopping it from being successful, and reactive responses are executed during or after the attack. The traditional responses fall under the reactive category. So far so good.

Looking further into the traditional categories, several actual responses can be found (taken from the major IDS vendors' brochures).

Active:

Blocking (shunning); Reconfiguration of routers/firewalls ACL lists to deny the attacker access.

TCP Reset; Sending a TCP packet with the reset bit set to the source/target of the attack.

Disable user account; Used in host-based IDS, speaks for itself.

Terminate user session; As above.

Invoke spawned process; Run a batch file, doing virtually anything.

Trace; Trace the traffic flow through to find the origin of the attack.

Redirection; Reconfigure a router to redirect the attacker into a honeypot/honeynet.

SNMP Trap; Reconfigure network devices?

Passive:

Display in console; Show event in the IDS GUI.

Record session; E.g. IP recording for forensic use or replay of attacking session.

Log; Log event with detailed attack related information in event database.

External notification; Email, sms, pager, etc.

As seen above, the SNMP Trap explanation is not satisfactory. I have tried to read several RFCs and browse the Internet for detailed information on the subject, but have come up empty-handed. Does anyone know where I can find a thorough explanation of the SNMP Trap's use in intrusion detection? I would be more than grateful for any help on the subject.
Feel free to comment on my list of responses if you feel it is not complete or if I have misunderstood anything.

Thanks!

Cheers/ Markus Carlbark

Received on Sat Nov 16 03:32:24 2002
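Added example, not part of Markus's post or of any vendor's product: the "SNMP Trap" response as it appears on the wire. A trap is the unsolicited notification an SNMP agent sends to a manager (SNMPv2-Trap-PDU in RFC 3416, context tag 0xA7, carried over UDP/162, with sysUpTime.0 and snmpTrapOID.0 as the mandatory first two varbinds). When an IDS "sends an SNMP trap" it plays the agent and the management station is the receiver, so the trap itself only notifies; any router or firewall reconfiguration is a separate action the NMS may take on receipt. The enterprise OID subtree, community string and alert fields below are made up for the example (they are not a registered MIB), and the BER encoding is hand-rolled so the code runs offline with the standard library and can parse its own output the way a receiver would.

```python
# Added example (not from the post): an SNMPv2c Trap-PDU built and parsed by hand with stdlib-only BER.
import socket
SYS_UPTIME = "1.3.6.1.2.1.1.3.0"         # sysUpTime.0, mandatory first varbind
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"  # snmpTrapOID.0, mandatory second varbind
IDS_ENTERPRISE = "1.3.6.1.4.1.99999.1"   # placeholder subtree (assumption, not a real MIB)
IDS_ATTACK_TRAP = IDS_ENTERPRISE + ".0.1"   # notification identity
ATTACKER_ADDR = IDS_ENTERPRISE + ".1.1.0"   # IpAddress
SIGNATURE_NAME = IDS_ENTERPRISE + ".1.2.0"  # OCTET STRING

def ber_len(n):
    if n < 0x80:                                # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body     # long form: 0x8N then N octets

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def enc_int(value, tag=0x02):
    """INTEGER (or TimeTicks, tag 0x43): two's complement in the fewest octets."""
    length = 1
    while not -(1 << (8 * length - 1)) <= value < (1 << (8 * length - 1)):
        length += 1
    return tlv(tag, value.to_bytes(length, "big", signed=True))

def enc_oid(oid):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))   # continuation bit on all but the last octet
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def enc_str(text): return tlv(0x04, text.encode())          # OCTET STRING
def enc_ipaddr(ip): return tlv(0x40, socket.inet_aton(ip))  # IpAddress

def build_trap(community, request_id, uptime_ticks, trap_oid, extra_varbinds):
    """SNMPv2c message (version field 1) around an SNMPv2-Trap-PDU (tag 0xA7)."""
    varbinds = [
        tlv(0x30, enc_oid(SYS_UPTIME) + enc_int(uptime_ticks, tag=0x43)),
        tlv(0x30, enc_oid(SNMP_TRAP_OID) + enc_oid(trap_oid)),
    ] + [tlv(0x30, enc_oid(oid) + value) for oid, value in extra_varbinds]
    pdu = tlv(0xA7, enc_int(request_id) + enc_int(0) + enc_int(0)  # error-status, error-index
              + tlv(0x30, b"".join(varbinds)))
    return tlv(0x30, enc_int(1) + enc_str(community) + pdu)

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _dec_oid(payload):
    arcs, val = [payload[0] // 40, payload[0] % 40], 0
    for b in payload[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

DECODERS = {0x02: lambda p: int.from_bytes(p, "big", signed=True),  # INTEGER
            0x43: lambda p: int.from_bytes(p, "big"),               # TimeTicks
            0x04: lambda p: p.decode(errors="replace"),             # OCTET STRING
            0x06: _dec_oid, 0x40: socket.inet_ntoa}

def parse_trap(msg):
    """Manager side: unwrap the message, return (community, request_id, varbinds)."""
    tag, body, _ = _read_tlv(msg, 0)
    _, version, pos = _read_tlv(body, 0)
    _, community, pos = _read_tlv(body, pos)
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    if tag != 0x30 or version != b"\x01" or pdu_tag != 0xA7:
        raise ValueError("not an SNMPv2c trap message")
    _, request_id, pos = _read_tlv(pdu, 0)
    _, _, pos = _read_tlv(pdu, _read_tlv(pdu, pos)[2])  # skip error-status, error-index
    _, vbl, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid, p = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, p)
        varbinds.append((_dec_oid(oid), DECODERS.get(vtag, bytes)(val)))
    return community.decode(), int.from_bytes(request_id, "big", signed=True), varbinds

def ids_alert_trap():
    """Constructed sample alert (not real traffic), as a sensor would emit it."""
    return build_trap("ids-traps", 4711, 123456, IDS_ATTACK_TRAP, [
        (ATTACKER_ADDR, enc_ipaddr("192.0.2.10")),
        (SIGNATURE_NAME, enc_str("WEB-MISC cmd.exe access"))])

def send_trap(msg, manager_host, port=162):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(msg, (manager_host, port))     # UDP, fire-and-forget
```

Two caveats a practitioner would attach to this response type: a v1/v2c trap carries its community string in cleartext and has no integrity protection, and it is a single unacknowledged UDP datagram, so anyone on the path can read, drop or forge sensor alerts; a production sensor should use SNMPv3 with authentication and privacy, and where delivery matters an InformRequest-PDU (tag 0xA6), which the manager acknowledges, instead of a trap.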

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:04 EDT
