Re: IDS and shunning problem

From: Marvin Greenlee (marvingreenlee@yahoo.com)
Date: Wed Sep 06 2006 - 17:25:56 ART


198 and 199 are ACLs on the router that need to be
created ahead of time.

The IDS will connect to the router, and dynamically
create an access-list and apply it to the interface.

If the router has logging on to the console (or VTY if
that is where you are connected), you should see the
connection from the IDS when you add it as a blocking
device. (and again when the sig fires)

access-list 198 deny ip host 1.1.1.1 any
access-list 199 permit ip any any

If the IDS is going to shun 3.3.3.3, for example, it
will create an access-list using the defined "pre" and
"post" ACLs on the router that would look something
like this:

ip access-list extended IDS_blahblah
 deny ip host 1.1.1.1 any
 deny ip host 3.3.3.3 any
 permit ip any any

Note that the "pre-acl" lines will be used first, then
the shunned addresses, then the "post-acl" lines.

If your pre-acl includes something like "permit ip any
any", shuns will not be effective, since ACLs are
processed top-down.

So
1. Do you see the IDS connect to the router when you
configure it as a blocking device?

2. Do you see the event fire in IEV?

3. Do you see the changed ACL on the router?

Thanks,
Marvin Greenlee

--- Stefan Grey <examplebrain@hotmail.com> wrote:

> Hello guys. I have spent the last 1.5 days unsuccessfully
> trying to configure
> shunning on IDS in different topologies. Could you
> please suggest what
> I should do or what I am doing wrong in configuring
> shunning??
>
> My steps are as follows
>
> --r1----r2
> |
> Pc----IDS
>
> The topology is just as in the link below
>
> http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a00801c0e3c.shtml
>
> I couldn't configure shunning on either the PIX or
> the router.
> The only difference which was from what is in the
> example and in workbooks
> was: that I accessed the IDS through port 80 and not
> the default 443. So the
> IEV was also connected using port 443 and http.
> Could it be the reason??
>
> In the example, what do these lists 199, 198 do??
> I have no idea. Everything is pingable and telnetable
> with correct passwords.
> On IDS is the signature with telnet and word "test"
> and Shun Host, severity
> high configured. Also logical device R1, block on R1
> (interface which is
> going to R2). (And pre, after acls are 198, 199).
>
> Any ideas? Has anybody configured shunning before??
> What tricks can be here
> to make it work?? Could it be a bug in the IDS??
> Should I clear the
> config on it??
>
> Thanks.
>
>
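The reply above explains how the IDS merges the router's "pre" ACL (198 in the quoted question), the shunned hosts and the "post" ACL (199) into one access-list, and why a "permit ip any any" in the pre-ACL defeats the shun because the list is evaluated top-down. The following is an added Python example, not code from either poster or from Cisco: it models that merge and the first-match evaluation, and includes a check a defender can run on a proposed pre-ACL before trusting the shun. The ACL name IDS_example, the addresses, and the ACL entries are constructed, and only entries of the form "permit|deny ip <source> any" are parsed.

```python
# Added example (not from the original thread): model how an IDS-style
# blocking device assembles the interface ACL from the router's "pre" ACL,
# the currently shunned hosts, and the "post" ACL, then evaluate that ACL
# top-down (first match wins, implicit deny at the end) to show why a
# "permit ip any any" in the pre-ACL makes every shun ineffective.
# The ACL name and addresses are constructed; only IOS-style
# "<permit|deny> ip <source> any" entries are understood.
import ipaddress


def parse_ace(line):
    """Parse one extended ACE of the form
    '<permit|deny> ip <any | host A.B.C.D | A.B.C.D WILDCARD> any'
    and return (action, source_network)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    action, rest = tokens[0], tokens[2:]
    if rest[0] == "any":
        src, rest = ipaddress.ip_network("0.0.0.0/0"), rest[1:]
    elif rest[0] == "host":
        src, rest = ipaddress.ip_network(rest[1] + "/32"), rest[2:]
    else:
        # An IOS wildcard mask is the bitwise inverse of a netmask.
        netmask = ".".join(str(255 - int(o)) for o in rest[1].split("."))
        src, rest = ipaddress.ip_network(f"{rest[0]}/{netmask}", strict=False), rest[2:]
    if rest != ["any"]:
        raise ValueError(f"only 'any' destinations are supported: {line!r}")
    return action, src


def build_shun_acl(pre_acl, shunned_hosts, post_acl):
    """Merge in the order the IDS applies them: pre-ACL lines first,
    then one 'deny ip host X any' per shunned host, then post-ACL lines."""
    shun_lines = [f"deny ip host {host} any" for host in shunned_hosts]
    return list(pre_acl) + shun_lines + list(post_acl)


def render_acl(name, acl_lines):
    """Render as an IOS named extended ACL, like the one the router shows."""
    return "\n".join([f"ip access-list extended {name}"] + [f" {l}" for l in acl_lines])


def lookup(acl_lines, src_ip):
    """Top-down first-match evaluation of a source address; returns
    (action, matching_line). An ACL ends with an implicit deny."""
    ip = ipaddress.ip_address(src_ip)
    for line in acl_lines:
        action, src = parse_ace(line)
        if ip in src:
            return action, line
    return "deny", "(implicit deny)"


def shadowing_permits(pre_acl, shunned_hosts):
    """Defender's check before trusting a shun: pre-ACL permit entries that
    match a shunned host are evaluated before the shun line and hide it.
    Returns (host, pre_acl_line) pairs."""
    problems = []
    for host in shunned_hosts:
        action, line = lookup(pre_acl, host)
        if action == "permit":
            problems.append((host, line))
    return problems


def shun_effective(pre_acl, post_acl, shunned_hosts):
    """True only if the merged ACL actually denies every shunned host."""
    acl = build_shun_acl(pre_acl, shunned_hosts, post_acl)
    return all(lookup(acl, host)[0] == "deny" for host in shunned_hosts)


# Constructed data mirroring the thread: ACL 198 as pre, 199 as post.
PRE_ACL_GOOD = ["deny ip host 1.1.1.1 any"]
PRE_ACL_BAD = ["permit ip any any"]          # the mistake the reply warns about
POST_ACL = ["permit ip any any"]
SHUNNED = ["3.3.3.3"]

if __name__ == "__main__":
    print(render_acl("IDS_example", build_shun_acl(PRE_ACL_GOOD, SHUNNED, POST_ACL)))
    for label, pre in (("good pre-ACL", PRE_ACL_GOOD), ("bad pre-ACL", PRE_ACL_BAD)):
        print(f"{label}: shun effective = {shun_effective(pre, POST_ACL, SHUNNED)}, "
              f"shadowed by {shadowing_permits(pre, SHUNNED)}")
```

Running it prints the merged ACL in the same shape as the IDS_blahblah listing above, then reports that the shun holds with the deny-only pre-ACL and is shadowed by the "permit ip any any" line when that line sits in the pre-ACL. The shadowing_permits check is the piece worth keeping: run it against any pre-ACL you intend to hand to the blocking device, since a permit that covers a future shun target silently turns the shun into a no-op.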



This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:40 ART