What action should be taken, block/reset or both?

darin.marais
Level 4

I have a question regarding blocking or sending a reset.

Is there any hard and fast rule with regards to choosing whether to block or send a reset?

What I mean is for instance

1. For a signature that uses an ATOMIC.TCP or ATOMIC.UDP engine, do you block, reset, or both?

2. For a signature that uses STRING.TCP or STRING.UDP, do you block, reset, or both?

Is there a list of recommended actions one should take after receiving an event if you were considering more than just logging?

1 Reply

mcvosi
Level 1

The action I have my IDS take generally depends on the type of attack, or possibly severity.

1. A TCP reset can only be issued for TCP, hence the name.

2. Again, it depends on the type of attack as opposed to a string value.

I would also refer to the NSDB for a description of the signatures.
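The reply's two points (a reset is a TCP-only action; the block decision follows attack type and severity rather than the signature engine) can be encoded as a small action-selection helper. The example below is added here and is not code from the thread, from Cisco, or from any IDS product: the event line format, the engine names as they appear in the sample lines, the severity-to-action table and the `choose_actions` function are all constructed for illustration.

```python
"""Added example (not from the original thread): pick IDS response actions
for an event, dropping 'reset' whenever the transport is not TCP.

The event line format, the policy table and the sample events are
constructed for this example; they are not Cisco IDS/IPS output or config.
"""
import re
from dataclasses import dataclass

# Constructed log format for the example:
#   "sig=<id> engine=<ENGINE> sev=<severity> src=<ip> dst=<ip>"
EVENT_RE = re.compile(
    r"sig=(?P<sig>\d+) engine=(?P<engine>[A-Z.]+) sev=(?P<sev>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)"
)


@dataclass
class Event:
    sig: int
    engine: str
    severity: str
    src: str
    dst: str

    @property
    def transport(self) -> str:
        # The engine name suffix carries the transport, e.g. STRING.UDP -> "udp".
        return self.engine.rsplit(".", 1)[-1].lower()


def parse_event(line: str) -> Event:
    """Parse one constructed event line into an Event; reject anything else."""
    m = EVENT_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised event line: {line!r}")
    return Event(int(m["sig"]), m["engine"], m["sev"].lower(), m["src"], m["dst"])


# Hypothetical policy: actions are keyed by severity only. The engine type
# (ATOMIC.* vs STRING.*) does not appear here, matching the reply's point
# that the choice follows the attack, not the matching method.
DEFAULT_POLICY = {
    "informational": ["log"],
    "low": ["log"],
    "medium": ["log", "reset"],
    "high": ["log", "reset", "block"],
}


def choose_actions(event: Event, policy=DEFAULT_POLICY) -> list[str]:
    """Return the actions that apply to this event.

    'reset' is removed for any non-TCP transport: a RST segment only exists
    in TCP, so there is nothing equivalent to send for UDP or ICMP traffic.
    'block' (deny) is kept regardless of transport because it is enforced on
    the packet or flow, not by the protocol itself.
    """
    wanted = policy.get(event.severity, ["log"])
    if event.transport != "tcp":
        wanted = [a for a in wanted if a != "reset"]
    return wanted


# Constructed sample events (documentation address ranges).
SAMPLE_EVENTS = [
    "sig=3001 engine=ATOMIC.TCP sev=high src=198.51.100.7 dst=192.0.2.10",
    "sig=3002 engine=ATOMIC.UDP sev=high src=198.51.100.7 dst=192.0.2.53",
    "sig=5001 engine=STRING.TCP sev=medium src=198.51.100.9 dst=192.0.2.80",
    "sig=5002 engine=STRING.UDP sev=medium src=198.51.100.9 dst=192.0.2.161",
    "sig=1000 engine=ATOMIC.IP sev=low src=198.51.100.1 dst=192.0.2.1",
]


def summarise(lines=SAMPLE_EVENTS) -> dict[int, list[str]]:
    """Map each sample signature id to the actions the policy selects for it."""
    return {ev.sig: choose_actions(ev) for ev in map(parse_event, lines)}


if __name__ == "__main__":
    for sig, actions in summarise().items():
        print(sig, actions)
```

Running it shows the UDP signatures (3002, 5002) losing the reset action while keeping block where severity calls for it, and the TCP signatures keeping both; a real deployment would replace the constructed policy table with the per-signature actions chosen after reading the NSDB description the reply refers to.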