Re: Active response... some thoughts.

From: Talisker <talisker(at)networkintrusion.co.uk>
Date: Mon Jan 27 2003 - 14:10:06 EST

Hi Toby (LTNS)
I'd agree, there are some risks with active response. The best one I have seen so far is when an analyst wrote a funky little signature that reset ALL TCP, now known as the "clear your desk and go home signature". However, we were also reporting in-band, and guess what, the only way to stop it was to jump in a car, drive over there and unplug the box.

Another problem with crafted resets through the stealth interface is being able to convince the security accreditors that your IDS is not bypassing the firewall.
I have recently seen one of the vendors produce a stealthy inline TAP that allows crafted resets to be inserted back through the TAP. As I have mentioned their name quite a bit over the past few weeks and I wish to appear unbiased, please contact me off list for further information.

Going back to the original post, I think Ron's solution (as always) holds a lot of merit and is used by at least one other vendor. Marty's solution of sending back at the TTL of the offending packet is cool, though I would add a few. I'm sure SecureNetPro crafts and sends the resets both ways through the stealth interface.

take care
-andy

Talisker's Network Security Tools
http://www.networkintrusion.co.uk
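The thread's two concrete failure modes, a signature that resets every TCP session and a response that cuts off the in-band reporting path, can both be contained by gating automated responses before they leave the sensor. The following is an added example written for this archive page; it is not code from any of the posters or vendors mentioned. The gate, its signature IDs, the thresholds and the addresses are all constructed for illustration: only explicitly approved signatures may trigger a reset, traffic to or from the sensor's own management and reporting hosts is never reset, and a per-signature circuit breaker disables a signature's responses once it fires more than a set number of times within a sliding window.

```python
"""Circuit-breaker gate for IDS active response.

Added example for the focus-ids thread; assumptions: the sensor calls
ResponseGate.decide() for every candidate reset, and signature IDs,
thresholds and addresses below are constructed placeholders.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class ResponseGate:
    allowed_sigs: set          # signatures approved for automated response
    protected_hosts: set       # management / in-band reporting addresses
    max_per_window: int = 20   # breaker trips above this many hits per window
    window_seconds: float = 60.0
    _hits: dict = field(default_factory=dict)   # sig_id -> deque of timestamps
    _tripped: set = field(default_factory=set)  # signatures taken out of action

    def decide(self, sig_id, src, dst, ts):
        """Return 'reset' or a 'skip:<reason>' string for one candidate reset."""
        # Never reset flows that carry the sensor's own reporting traffic.
        if src in self.protected_hosts or dst in self.protected_hosts:
            return "skip:protected-host"
        # Only signatures a human has approved may trigger a response.
        if sig_id not in self.allowed_sigs:
            return "skip:not-approved"
        if sig_id in self._tripped:
            return "skip:breaker-tripped"
        # Sliding-window hit count per signature.
        q = self._hits.setdefault(sig_id, deque())
        q.append(ts)
        while q and ts - q[0] > self.window_seconds:
            q.popleft()
        if len(q) > self.max_per_window:
            # A runaway signature: stop responding and leave it to an analyst.
            self._tripped.add(sig_id)
            return "skip:breaker-tripped"
        return "reset"


def simulate(events, gate):
    """Feed (sig_id, src, dst, ts) events through the gate; return decision counts."""
    counts = {}
    for sig_id, src, dst, ts in events:
        decision = gate.decide(sig_id, src, dst, ts)
        counts[decision] = counts.get(decision, 0) + 1
    return counts


def runaway_demo():
    """Constructed scenario: an approved signature that matches every session."""
    gate = ResponseGate(allowed_sigs={"SID-CONSTRUCTED-1"},
                        protected_hosts={"192.0.2.10"})  # constructed console address
    # 30 hits in 15 seconds from many sources, all on the same signature.
    events = [("SID-CONSTRUCTED-1", f"198.51.100.{i % 50}", "203.0.113.7", i * 0.5)
              for i in range(30)]
    # One more hit on the sensor's own reporting path to the console.
    events.append(("SID-CONSTRUCTED-1", "203.0.113.7", "192.0.2.10", 15.5))
    return simulate(events, gate)


if __name__ == "__main__":
    print(runaway_demo())
```

With the defaults, the first 20 hits are allowed to reset, the breaker then trips and the remaining hits on that signature are dropped, and the flow to the reporting console is never touched regardless of breaker state. The thresholds are deliberately small so the behaviour is visible in one run; a real deployment would tune the window and count per signature.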
----- Original Message -----
From: "Kohlenberg, Toby" <toby.kohlenberg@intel.com>
To: "Ron Gula" <ronald.gula@verizon.net>; <focus-ids@securityfocus.com>
Sent: Friday, January 24, 2003 1:45 AM
Subject: RE: Active response... some thoughts.

I looked at the whole active response thing a while ago and have yet to see anything that changes my basic opinion: very few events are well defined enough to trust an automated response that could cause problems for a customer. The coolest response I've seen was from Dragon, which can send false/funky responses to an attacker when it sees a scan going on.

It will be a long time before I think IDSs will be trustworthy enough to use such technology frequently.


(all opinions are my own and in no way reflect the views of my employer)

toby

> -----Original Message-----
Received on Mon Jan 27 14:54:19 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:06 EDT

