Alert (2)

From Computing and Software Wiki

Revision as of 02:29, 24 March 2008 by Khalats (Talk)
Jump to: navigation, search

What happens after a NIDS detects an attack?

Reconfigure firewall

       Configure the firewall to filter out the IP address of the intruder. However, this still allows the intruder to attack from other addresses. Checkpoint firewall's support a "Suspicious Activity Monitoring Protocol (SAMP)" for configuring firewalls. Checkpoint has their "OPSEC" standard for re-configuring firewalls to block the offending IP address. 

chime

       Beep or play a .WAV file. For example, you might hear a recording "You are under attack". 

SNMP Trap

       Send an SNMP Trap datagram to a management console like HP OpenView, Tivoli, Cabletron Spectrum, etc. 

NT Event

       Send an event to the WinNT event log. 

syslog

       Send an event to the UNIX syslog event system. 

send e-mail

       Send e-mail to an administrator to notify of the attack.

page

       Page (using normal pagers) the system administrator. 

Log the attack

       Save the attack information (timestamp, intruder IP address, victim IP address/port, protocol information). 

Save evidence

       Save a tracefile of the raw packets for later analysis. 

Launch program

       Launch a separate program to handle the event. 

Terminate the TCP session

       Forge a TCP FIN packet to force a connection to terminate.
Personal tools