Intrusion response

howardMP (Technical User), Sep 26, 2002
Hello All,
We have recently installed an IDS from LanGuard which centralizes security event logs and, amongst other things, will alert you when certain categories of event occur.
What I would like some tips on is what to actually do when these alerts are triggered. For example, if multiple invalid logon attempts during the night trigger an alert, what can I do to stop the intruder in their tracks?
Has anybody come across any software which would in some way disable the workstation the events are coming from, or perhaps kill its IP address?
Currently running an NT 4 domain. Soon migrating to W2K.
Many thanks for any advice.
Howard
 
I've done some tests with Snort in the past... it has the possibility to send out fake RST packets to close connections...

Not sure if this is a great help, because you are running LanGuard... so I guess you'll have to look at the LanGuard specs and see what it can do...
--------------------------------------------------------------------
--------------------------------------------------------------------
How can I believe in God when just last week I got my tongue caught in the roller of an electric typewriter?
---------------------------------------------------------------------
 
You must be VERY careful in allowing any system to automatically disable access to your network. It is trivial to spoof the IP address of the originating computer and quickly deny service to your legitimate users.

However, automatically killing NetBus and BO connection requests won't really hurt anything. Killing Nimda requests is fine, but be careful about automatically locking out the offending IP.

I don't know about LanGuard off hand, but I would suspect that it has this functionality built right in. Check for something like Trojan Denial.

pansophic
 
Exactly... suppose someone does port scans and spoofs his IP address to be your DNS server(s)... BAM! There goes your Internet connection!
 
Thanks for your response, folks, but what about a tool to manually terminate the session coming from the offending workstation once you have been alerted to a possible security breach?
Howard
 
That tool is called a firewall... ;-)
 
Peter,
It's internal workstations with multiple invalid logon attempts that I'm concerned about.
Howard
 
If these are internal clients, then track the workstation down and find out what's going on. The logon attempts are invalid, you say? Then they're not getting access, right? Good. You'd be better off finding the workstation and finding out what is causing the bad logons.
That's what IDSs are for: to tell you when something nasty is happening. Then it's your job to fix it. If problems are occurring externally, then I'd look at ways to close the connection. If they're internal... then that's my territory, and I'd find what's causing the problem and kill it myself.
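As an added example (not from this thread, and not LanGuard's or Snort's own code), the script below does the "track the workstation down" step rather than any automatic blocking: it reads a centralised NT-style security log export, counts failed-logon audit events (event ID 529, "unknown user name or bad password" on NT 4/2000) per workstation inside a sliding time window, notes whether a successful logon (528) followed, and returns a triage list for a human to act on. The pipe-separated log format, the threshold, and every host and account name are constructed for this example; the workstation field is whatever the client reported, so it is treated as a lead to investigate, not as a reason to cut anything off.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# NT 4 / Windows 2000 security audit event IDs (real values).
FAILED_LOGON = 529   # Logon failure: unknown user name or bad password
SUCCESS_LOGON = 528  # Successful logon

# Constructed sample export.  Assumed format: timestamp | event id | user | workstation
SAMPLE_LOG = """\
2002-09-26 02:14:05 | 529 | administrator | WS-ACCOUNTS-07
2002-09-26 02:14:09 | 529 | administrator | WS-ACCOUNTS-07
2002-09-26 02:14:12 | 529 | administrator | WS-ACCOUNTS-07
2002-09-26 02:14:20 | 529 | administrator | WS-ACCOUNTS-07
2002-09-26 02:14:31 | 529 | administrator | WS-ACCOUNTS-07
2002-09-26 02:14:44 | 529 | administrator | WS-ACCOUNTS-07
2002-09-26 08:01:10 | 529 | jsmith | WS-SALES-03
2002-09-26 08:01:15 | 528 | jsmith | WS-SALES-03
2002-09-26 08:30:00 | 529 | mjones | WS-SALES-11
2002-09-26 08:50:01 | 529 | pgreen | WS-IT-02
2002-09-26 08:50:05 | 529 | pgreen | WS-IT-02
2002-09-26 08:50:10 | 529 | pgreen | WS-IT-02
2002-09-26 08:50:14 | 529 | pgreen | WS-IT-02
2002-09-26 08:50:19 | 529 | pgreen | WS-IT-02
2002-09-26 08:50:30 | 528 | pgreen | WS-IT-02
2002-09-26 09:45:00 | 529 | mjones | WS-SALES-11
"""

LINE_RE = re.compile(r"^(\S+ \S+) \| (\d+) \| (\S+) \| (\S+)$")


def parse_events(text):
    """Parse the (assumed) export format into dicts, sorted by time.
    Lines that do not match the format are skipped rather than guessed at."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, eid, user, ws = m.groups()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "id": int(eid),
            "user": user.lower(),
            "workstation": ws.upper(),
        })
    return sorted(events, key=lambda e: e["time"])


def find_failed_logon_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return one triage record per workstation that reaches `threshold`
    failed logons within `window`.  Reports only; it never blocks anything,
    because the workstation/IP a burst appears to come from can be faked."""
    recent = defaultdict(deque)   # workstation -> failed logons still inside the window
    alerts = {}
    for ev in events:
        ws = ev["workstation"]
        if ev["id"] == FAILED_LOGON:
            q = recent[ws]
            q.append(ev)
            while q and ev["time"] - q[0]["time"] > window:
                q.popleft()       # drop failures that fell out of the window
            if ws in alerts:      # burst already reported: keep the tally current
                alerts[ws]["failures"] += 1
                alerts[ws]["last"] = ev["time"]
            elif len(q) >= threshold:
                alerts[ws] = {
                    "workstation": ws,
                    "first": q[0]["time"],
                    "last": ev["time"],
                    "failures": len(q),
                    "accounts": sorted({e["user"] for e in q}),
                    "later_success": False,
                }
        elif ev["id"] == SUCCESS_LOGON and ws in alerts:
            # A success after the burst usually means a user who finally typed the
            # right password, but it is still worth a look: it may also be a hit.
            alerts[ws]["later_success"] = True
    return list(alerts.values())


def describe(alert):
    """Human-readable triage line for one alert."""
    tail = " (then a successful logon)" if alert["later_success"] else ""
    return (f"{alert['workstation']}: {alert['failures']} failed logons "
            f"{alert['first']:%H:%M:%S}-{alert['last']:%H:%M:%S} "
            f"as {', '.join(alert['accounts'])}{tail}")


if __name__ == "__main__":
    for alert in find_failed_logon_bursts(parse_events(SAMPLE_LOG)):
        print(describe(alert))
```

Run it and the overnight administrator burst from WS-ACCOUNTS-07 comes out as the item to walk over and look at, while WS-IT-02 (five failures followed by a success at 08:50) reads as a probable mistyped password, and the two isolated failures from WS-SALES-11 an hour apart never reach the threshold. The threshold and window are the knobs to tune against your own noise floor before trusting the list.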
 