Alert (2)

From Computing and Software Wiki

(Difference between revisions)
Jump to: navigation, search
 
(One intermediate revision not shown)
Line 1: Line 1:
-
What happens after a NIDS detects an attack?
+
'''Alert'''
-
    Reconfigure firewall
+
After a NIDS detects an attack. An Alert is given. Alerts can be generated on real-time or run-time basis.
-
        Configure the firewall to filter out the IP address of the intruder. However, this still allows the intruder to attack from other addresses. Checkpoint firewall's support a "Suspicious Activity Monitoring Protocol (SAMP)" for configuring firewalls. Checkpoint has their "OPSEC" standard for re-configuring firewalls to block the offending IP address.  
+
 
-
    chime
+
'''Reconfigure firewall'''
-
        Beep or play a .WAV file. For example, you might hear a recording "You are under attack".  
+
Configure the firewall to filter out the IP address of the intruder. However, this still allows the intruder to attack from other addresses. Checkpoint firewall's support a "Suspicious Activity Monitoring Protocol (SAMP)" for configuring firewalls. Checkpoint has their "OPSEC" standard for re-configuring firewalls to block the offending IP address.  
-
    SNMP Trap
+
 
-
        Send an SNMP Trap datagram to a management console like HP OpenView, Tivoli, Cabletron Spectrum, etc.  
+
'''chime'''
-
    NT Event
+
Beep or play a .WAV file. For example, you might hear a recording "You are under attack".  
-
        Send an event to the WinNT event log.  
+
 
-
    syslog
+
'''SNMP Trap'''
-
        Send an event to the UNIX syslog event system.  
+
Send an SNMP Trap datagram to a management console like HP OpenView, Tivoli, Cabletron Spectrum, etc.  
-
    send e-mail
+
 
-
        Send e-mail to an administrator to notify of the attack.  
+
'''NT Event'''
-
    page
+
Send an event to the WinNT event log.  
-
        Page (using normal pagers) the system administrator.  
+
 
-
    Log the attack
+
'''syslog'''
-
        Save the attack information (timestamp, intruder IP address, victim IP address/port, protocol information).  
+
Send an event to the UNIX syslog event system.  
-
    Save evidence
+
 
-
        Save a tracefile of the raw packets for later analysis.  
+
'''send e-mail'''
-
    Launch program
+
Send e-mail to an administrator to notify of the attack.
-
        Launch a separate program to handle the event.  
+
 
-
    Terminate the TCP session
+
'''page'''
-
        Forge a TCP FIN packet to force a connection to terminate.
+
Page (using normal pagers) the system administrator.  
 +
 
 +
'''Log the attack'''
 +
Save the attack information (timestamp, intruder IP address, victim IP address/port, protocol information).  
 +
 
 +
'''Save evidence'''
 +
Save a tracefile of the raw packets for later analysis.  
 +
 
 +
'''Launch program'''
 +
Launch a separate program to handle the event.  
 +
 
 +
'''Terminate the TCP session'''
 +
Forge a TCP FIN packet to force a connection to terminate.

Current revision as of 02:32, 24 March 2008

Alert

After a NIDS detects an attack. An Alert is given. Alerts can be generated on real-time or run-time basis.

Reconfigure firewall Configure the firewall to filter out the IP address of the intruder. However, this still allows the intruder to attack from other addresses. Checkpoint firewall's support a "Suspicious Activity Monitoring Protocol (SAMP)" for configuring firewalls. Checkpoint has their "OPSEC" standard for re-configuring firewalls to block the offending IP address.

chime Beep or play a .WAV file. For example, you might hear a recording "You are under attack".

SNMP Trap Send an SNMP Trap datagram to a management console like HP OpenView, Tivoli, Cabletron Spectrum, etc.

NT Event Send an event to the WinNT event log.

syslog Send an event to the UNIX syslog event system.

send e-mail Send e-mail to an administrator to notify of the attack.

page Page (using normal pagers) the system administrator.

Log the attack Save the attack information (timestamp, intruder IP address, victim IP address/port, protocol information).

Save evidence Save a tracefile of the raw packets for later analysis.

Launch program Launch a separate program to handle the event.

Terminate the TCP session Forge a TCP FIN packet to force a connection to terminate.

Personal tools