IDS RESPONSES AGAINST ATTACK
The preconfigured settings determine the response of the IDS whenever an intrusion or attack is detected. Based on the severity, the response can range from a mere alert notification to blocking of the attack.
The key issues for safety and efficacy are appropriate reactions to the threats. Generally there are three types of responses:
Active response:
Even though an IDS cannot by itself block attacks, it can take actions that lead to the attack being stopped. Such actions include sending TCP reset packets to the machine(s) being targeted by the attack, or reconfiguring the router/firewall in order to block the malicious connection. In extreme cases, to avoid potential damage to the firm, the IDS can even block all network traffic.
Passive response:
With passive solutions, the IDS administrator receives information about the current situation, and the decision on the appropriate steps is left to his discretion. This kind of reaction is adopted by many commercial systems. Simple alarm messages and notifications are examples of this kind of action. Notifications can be sent by email, cellular phone or via SNMP messages.
Mixed response:
As per the needs of the situation, both active and passive responses are combined appropriately by
It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, OS fingerprinting attempts, and much more. Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plug-in architecture. Snort has a real-time alerting capability as well, with alerts being sent to syslog, a separate “alert” file, or even to a Windows computer
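The severity-based choice between active and passive responses described above, applied to Snort's alert output, as an added Python example that is neither part of the original essay nor Snort's own code: it parses constructed alert lines in Snort's "fast" alert format and selects a response per alert. The priority threshold, the repeat-escalation limit and the iptables command are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Matches Snort's "fast" alert output (the constructed samples below use this format).
FAST_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r"(?: \[Classification: (?P<cls>[^\]]+)\])? \[Priority: (?P<prio>\d+)\]"
    r" \{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

@dataclass
class Response:
    kind: str    # "active" or "passive"
    action: str  # what the responder does (active: firewall change; passive: notification)
    sid: int
    src: str

# Preconfigured policy (assumed values for this example, not Snort defaults):
# priority 1 alerts get an active response immediately; lower-severity alerts are
# passive, but a source that keeps triggering alerts is escalated to active.
ACTIVE_PRIORITY = 1
REPEAT_LIMIT = 3

def decide(line, seen):
    """Return a Response for one fast-format alert line, or None if it does not parse."""
    m = FAST_RE.search(line)
    if m is None:
        return None
    prio, src, sid = int(m.group("prio")), m.group("src"), int(m.group("sid"))
    seen[src] = seen.get(src, 0) + 1
    if prio <= ACTIVE_PRIORITY or seen[src] >= REPEAT_LIMIT:
        # Active response: reconfigure the firewall to block the source.
        # Only the command text is produced here; nothing is executed.
        return Response("active", f"iptables -I INPUT -s {src} -j DROP", sid, src)
    # Passive response: notify the administrator and leave the decision to them.
    return Response("passive", f"notify admin: {m.group('msg')} from {src} (priority {prio})", sid, src)

SAMPLE_ALERTS = [  # constructed sample alert lines, not real Snort output
    "08/10-14:23:01.000001  [**] [1:1000001:1] SCAN nmap SYN [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 10.0.0.5:40000 -> 192.168.1.10:22",
    "08/10-14:23:02.000002  [**] [1:1000002:1] SHELLCODE x86 NOOP [**] [Classification: Executable Code was Detected] [Priority: 1] {TCP} 10.0.0.7:51000 -> 192.168.1.10:80",
    "08/10-14:23:03.000003  [**] [1:1000001:1] SCAN nmap SYN [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 10.0.0.5:40001 -> 192.168.1.10:23",
    "08/10-14:23:04.000004  [**] [1:1000003:1] WEB-CGI test-cgi access [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 10.0.0.5:40002 -> 192.168.1.10:80",
    "this line is not an alert and is skipped",
]

def respond(lines):
    """Apply the mixed-response policy to a sequence of alert lines, keeping per-source counts."""
    seen = {}
    return [r for r in (decide(line, seen) for line in lines) if r is not None]

if __name__ == "__main__":
    for r in respond(SAMPLE_ALERTS):
        print(r.kind, "->", r.action)
```

The fourth alert is only priority 2, yet it gets an active response because 10.0.0.5 has now reached the repeat limit; this is the escalation a mixed-response policy adds over a pure priority mapping.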