Alert (2)
From Computing and Software Wiki
(Difference between revisions)
Line 1: | Line 1: | ||
What happens after a NIDS detects an attack? | What happens after a NIDS detects an attack? | ||
- | + | '''Reconfigure firewall''' | |
Configure the firewall to filter out the IP address of the intruder. However, this still allows the intruder to attack from other addresses. Checkpoint firewall's support a "Suspicious Activity Monitoring Protocol (SAMP)" for configuring firewalls. Checkpoint has their "OPSEC" standard for re-configuring firewalls to block the offending IP address. | Configure the firewall to filter out the IP address of the intruder. However, this still allows the intruder to attack from other addresses. Checkpoint firewall's support a "Suspicious Activity Monitoring Protocol (SAMP)" for configuring firewalls. Checkpoint has their "OPSEC" standard for re-configuring firewalls to block the offending IP address. | ||
- | + | ||
+ | '''chime''' | ||
Beep or play a .WAV file. For example, you might hear a recording "You are under attack". | Beep or play a .WAV file. For example, you might hear a recording "You are under attack". | ||
- | + | ||
+ | '''SNMP Trap''' | ||
Send an SNMP Trap datagram to a management console like HP OpenView, Tivoli, Cabletron Spectrum, etc. | Send an SNMP Trap datagram to a management console like HP OpenView, Tivoli, Cabletron Spectrum, etc. | ||
- | + | ||
+ | '''NT Event''' | ||
Send an event to the WinNT event log. | Send an event to the WinNT event log. | ||
- | + | ||
+ | '''syslog''' | ||
Send an event to the UNIX syslog event system. | Send an event to the UNIX syslog event system. | ||
- | + | ||
- | Send e-mail to an administrator to notify of the attack. | + | '''send e-mail''' |
- | + | Send e-mail to an administrator to notify of the attack. | |
+ | |||
+ | '''page''' | ||
Page (using normal pagers) the system administrator. | Page (using normal pagers) the system administrator. | ||
- | + | ||
+ | '''Log the attack''' | ||
Save the attack information (timestamp, intruder IP address, victim IP address/port, protocol information). | Save the attack information (timestamp, intruder IP address, victim IP address/port, protocol information). | ||
- | + | ||
+ | '''Save evidence''' | ||
Save a tracefile of the raw packets for later analysis. | Save a tracefile of the raw packets for later analysis. | ||
- | + | ||
+ | '''Launch program''' | ||
Launch a separate program to handle the event. | Launch a separate program to handle the event. | ||
- | + | ||
+ | '''Terminate the TCP session''' | ||
Forge a TCP FIN packet to force a connection to terminate. | Forge a TCP FIN packet to force a connection to terminate. |
Revision as of 02:29, 24 March 2008
What happens after a NIDS detects an attack?
Reconfigure firewall
Configure the firewall to filter out the IP address of the intruder. However, this still allows the intruder to attack from other addresses. Checkpoint firewall's support a "Suspicious Activity Monitoring Protocol (SAMP)" for configuring firewalls. Checkpoint has their "OPSEC" standard for re-configuring firewalls to block the offending IP address.
chime
Beep or play a .WAV file. For example, you might hear a recording "You are under attack".
SNMP Trap
Send an SNMP Trap datagram to a management console like HP OpenView, Tivoli, Cabletron Spectrum, etc.
NT Event
Send an event to the WinNT event log.
syslog
Send an event to the UNIX syslog event system.
send e-mail
Send e-mail to an administrator to notify of the attack.
page
Page (using normal pagers) the system administrator.
Log the attack
Save the attack information (timestamp, intruder IP address, victim IP address/port, protocol information).
Save evidence
Save a tracefile of the raw packets for later analysis.
Launch program
Launch a separate program to handle the event.
Terminate the TCP session
Forge a TCP FIN packet to force a connection to terminate.