Paulo Fernando da Silva Carlos Becker Westphall Network and Management Laboratory Post-Graduate Program in Computer Science Federal University of Santa Catarina - Florianópolis, Brazil Paulo Fernando da Silva Carlos Becker Westphall Network and Management Laboratory Post-Graduate Program in Computer Science Federal University of Santa Catarina - Florianópolis, Brazil An Intrusion Answer Model Compatible with the Alerts IDWG Model The IDREF data model aims at extending the works of IDWG group in a way to implement sending mechanisms of answers to detected alerts. The IDREF data model aims at extending the works of IDWG group in a way to implement sending mechanisms of answers to detected alerts. For the support to the interoperability of answers, besides developing the IDREF data model, it was necessary to modify the architecture of IDSs proposed for IDWG group. The component countermeasures, action and resource have been added. For the support to the interoperability of answers, besides developing the IDREF data model, it was necessary to modify the architecture of IDSs proposed for IDWG group. The component countermeasures, action and resource have been added. - The Response class allows information with the objective to control or to inform on an attack to be sent, having three derived classes: TCP, ICMP and notify; - React class is used to Block or Finish a Resource; - The classes Block and Shutdown respectively represent the blockade and the closing of some resource; - The reply of the Config type allows the modification of the configuration of a specific resource, in order to contain an attack; - The Resource class represents a resource to which the reply will be sent. This class has five derived classes: Node, Process, Service, UserList and FileList; - In the new architecture proposal, when the operator receives a notification from the manager he has the option of sending a reply in return to the manager; - When the manager receives a reply it codifies it in accordance with IDREF model and sends it to the component of countermeasures; - The actions contain information of the Response classes, React or Config of IDREF model. An action can be, for example, the blockade or closing of some resource; - The resources are specified in the reply for the Resource class of IDREF model. A resource can be, for example, a user account or a router; - To create an environment of intrusion detection with support to the sending of responses three components have been developed: IDSMan, IDSAna and IDSRes; - The IDSMan component is a manager of alerts that is able to receive IDMEF messages and to send IDREF messages; - IDSAna is a component that makes the connection between the analyzer of a IDS and the IDSMan manager; - IDSRes is a countermeasures component that is able to receive IDREF messages and to apply actions to resources; This architecture allows the reception of alerts from several different IDSs, using the IDMEF alert model and also allows the transmission of answers to received alerts, using the IDREF model of answers. This architecture allows the reception of alerts from several different IDSs, using the IDMEF alert model and also allows the transmission of answers to received alerts, using the IDREF model of answers. With that the proposed architecture allows interoperability as of alerts and as of reply between IDSs. With that the proposed architecture allows interoperability as of alerts and as of reply between IDSs.