What Should You Do with Your Incidents?
After successfully deploying an Intrusion Detection System as part of your overall security architecture, there will come a time when you actually get alerted to intrusion attempts, or, worse, to successful intrusions. Remember that an IDS prevents neither; properly configured and maintained, it tells you how and when an attack happened, and what you do with that information is up to you.
It is natural to be angry about being called in the middle of the night and having to leave your comfy bed to attend to your corporate Web server that was just cracked by a script-kidiot on the other side of the world. Rather than fly 9,000 miles to throttle someone in person, take the time, before the first alert fires, to develop an internal policy on how to react to alerts, intrusion attempts, and actual intrusions.
There are several ways to react to attacks and intrusion attempts, ranging from reactive measures, such as adding a firewall rule to filter the attack source, to more proactive ones, such as alerting the ISP responsible for the source of the attack. Before blocking a source, remember that the address may be spoofed or may belong to a compromised third party, and that any block applied automatically in response to alerts can be turned against you: an attacker who spoofs the address of a business partner or an upstream DNS server can make your own IDS cut you off.
When alerting the ISP, try not to come across as hostile. It is quite likely that the machine originating the attack itself has been compromised, and the owners may not even be aware that they have been victimized.
Web sites such as http://www.incidents.org/ and http://www.securityfocus.com/ are dedicated to, or have extensive sections on, handling intrusion attempts. SecurityFocus.com also hosts several mailing lists dedicated to incident handling.
Another option is to participate in the free Attack Registry & Intelligence Service (ARIS) from SecurityFocus.com.
What is ARIS?
According to its Web site, "ARIS analyzer is a service designed, administered and maintained by SecurityFocus.com to allow participating network administrators to submit suspicious network traffic and intrusion attempts anonymously, for detailed analysis and tracking. Our aim is to help our participants track incidents and find patterns in attacks that will serve as a threat gauging system for the Internet community."
ARIS Analyzer is actually two separate tool sets. The first, ARIS extractor, is an IDS logfile-parsing utility that scans your logfiles for suspicious events and uploads them to your account at the ARIS homepage (http://aris.securityfocus.com/). The second, the ARIS Incident Console, is accessed through a secure connection to the ARIS homepage and enables you to "track your incidents, create personal incident reports, and generate attacker notification messages."
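To make the two ideas above concrete, the logfile parsing that ARIS extractor performs and the firewall rule and ISP notification mentioned as possible reactions, here is a small added example in Python. It is not ARIS code and not part of the original page; it is a stand-in that parses Snort "fast"-format alert lines, groups them per source address, and drafts the two responses. The alert lines, SIDs (chosen from Snort's local range), and addresses (documentation prefixes) are all constructed for this example, and the iptables rule assumes a Linux border host.

```python
"""Per-source summary of Snort fast-format alerts (added example, not ARIS code)."""
import re
from collections import defaultdict

# Snort "-A fast" alert layout: one alert per line. ICMP alerts carry no
# port numbers, so the ports are optional. Written for IPv4 addresses only.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts: SIDs are in the local (1000000+) range and the
# addresses are RFC 5737 documentation prefixes, so none of this is a real event.
SAMPLE_ALERTS = """\
03/14-02:17:45.102233  [**] [1:1000001:1] WEB-IIS cmd.exe access attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:4321 -> 198.51.100.7:80
03/14-02:17:46.558120  [**] [1:1000001:1] WEB-IIS cmd.exe access attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:4322 -> 198.51.100.7:80
03/14-02:18:01.004410  [**] [1:1000002:1] SCAN nmap TCP ping [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40001 -> 198.51.100.9:80
03/14-02:19:12.900002  [**] [1:1000003:1] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.5 -> 198.51.100.7
this line is not a snort alert and must be skipped
"""


def parse_alert(line):
    """Return the fields of one fast-format alert, or None for non-alert lines."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["pri"] = int(fields["pri"])
    return fields


def summarize(lines, max_priority=2):
    """Group alerts by source, keeping those at or above the interesting
    priority (Snort priority 1 is the most severe, so lower is worse)."""
    per_src = defaultdict(lambda: {"count": 0, "messages": set(), "targets": set(),
                                   "first": None, "last": None, "worst": 99})
    for line in lines:
        a = parse_alert(line)
        if a is None or a["pri"] > max_priority:
            continue
        s = per_src[a["src"]]
        s["count"] += 1
        s["messages"].add(a["msg"])
        s["targets"].add(a["dst"])
        s["first"] = s["first"] or a["ts"]
        s["last"] = a["ts"]
        s["worst"] = min(s["worst"], a["pri"])
    return dict(per_src)


def firewall_rule(src):
    """Reactive response: drop the source at the border (assumes iptables).
    Apply by hand, not automatically: the address may be spoofed or belong to
    a compromised third party, and auto-blocking can be used to DoS yourself."""
    return f"iptables -I INPUT -s {src} -j DROP"


def notification(src, summary):
    """Draft a neutral note for the source's ISP abuse contact; the host
    is quite possibly a victim too, so the wording avoids accusation."""
    s = summary[src]
    out = [
        f"Subject: Suspicious traffic from {src}",
        "",
        f"Between {s['first']} and {s['last']} our intrusion detection system "
        f"logged {s['count']} alert(s) from {src} against "
        f"{', '.join(sorted(s['targets']))}:",
    ]
    out += [f"  - {msg}" for msg in sorted(s["messages"])]
    out += ["", "The host may itself be compromised; could you check it and let us know?",
            "Relevant log lines are available on request."]
    return "\n".join(out)


if __name__ == "__main__":
    summary = summarize(SAMPLE_ALERTS.splitlines())
    for src, s in summary.items():
        print(f"{src}: {s['count']} alert(s), worst priority {s['worst']}")
        print("   ", firewall_rule(src))
    print()
    print(notification("192.0.2.10", summary))
```

With the default threshold the priority-3 ICMP ping from 203.0.113.5 is dropped from the summary and only 192.0.2.10 is reported; raise `max_priority` to 3 to see it. The firewall rule is returned as text rather than executed for the reason given in the caveat above: blocking should be a deliberate decision from your policy, not a reflex triggered by a single alert.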