Re: IDS and shunning problem

From: Stefan Grey (examplebrain@hotmail.com)
Date: Wed Sep 06 2006 - 17:42:58 ART


1. Yes, I see the event in the IEV.
2. No, I do not see any changed ACL on the router.
3. What do you mean by the IDS connecting to the router after it is configured as
a blocking device? They are pingable and in the same VLAN.

4. I configured an ACL of "permit ip host IDS_ipaddress any" on the inside
interface of the router. After I fired the alarm, I did "show acl" and there are no
packets in it. So it seems to me that nothing was sent from the IDS.

Thanks for your help.

>From: Marvin Greenlee <marvingreenlee@yahoo.com>
>To: Stefan Grey <examplebrain@hotmail.com>, ccielab@groupstudy.com
>Subject: Re: IDS and shunning problem
>Date: Wed, 6 Sep 2006 13:25:56 -0700 (PDT)
>
>
>198 and 199 are ACLs on the router that need to be
>created ahead of time.
>
>The IDS will connect to the router, and dynamically
>create an access-list and apply it to the interface.
>
>
>If the router has logging on to the console (or VTY if
>that is where you are connected), you should see the
>connection from the IDS when you add it as a blocking
>device. (and again when the sig fires)
>
>access-list 198 deny ip host 1.1.1.1 any
>access-list 199 permit ip any any
>
>If the IDS is going to shun 3.3.3.3, for example, it
>will create an access-list using the defined "pre" and
>"post" ACLs on the router that would look something
>like this:
>
>ip access-list extended IDS_blahblah
> deny ip host 1.1.1.1 any
> deny ip host 3.3.3.3 any
> permit ip any any
>
>
>Note that the "pre-acl" lines will be used first, then
>the shunned addresses, then the "post-acl" lines.
>
>If your pre-acl includes something like "permit ip any
>any", shuns will not be effective, since ACLs are
>processed top-down.
>
>
>So
>1. Do you see the IDS connect to the router when you
>configure it as a blocking device?
>
>2. Do you see the event fire in IEV?
>
>3. Do you see the changed ACL on the router?
>
>
>Thanks,
>Marvin Greenlee
>
>
>--- Stefan Grey <examplebrain@hotmail.com> wrote:
>
> > Hello guys. I have spent the last 1.5 days unsuccessfully
> > trying to configure
> > shunning on the IDS in different topologies. Could you
> > please suggest what
> > I should do, or what I am doing wrong in configuring
> > shunning?
> >
> > My steps are as following
> >
> > --r1----r2
> > |
> > Pc----IDS
> >
> > The topology is just as in the link below
> >
>http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a00801c0e3c.shtml
> >
> > I couldn't configure shunning on either the PIX or
> > the router.
> > The only difference from what is in the
> > example and in the workbooks
> > was that I accessed the IDS through port 80 and not
> > the default 443. So the
> > IEV was also connected using port 443 and http.
> > Could it be the reason?
> >
> > In the example, what do these lists 199 and 198 do?
> > I have no idea. Everything is pingable and telnetable
> > with the correct passwords.
> > On the IDS, the signature with telnet and the word "test",
> > with Shun Host and severity
> > high, is configured. Also a logical device R1, block on R1
> > (the interface which is
> > going to R2). (And the pre and post ACLs are 198 and 199.)
> >
> > Any ideas? Has anybody configured shunning before?
> > What tricks can there be
> > to make it work? Might it be a bug in the IDS?
> > Should I clear the
> > config on it?
> >
> > Thanks.
> >
> >
>_______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
>
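As an added illustration (this is not code from the thread, from the Cisco IDS sensor, or from IOS), here is a small Python model of the dynamic ACL assembly Marvin describes: pre-ACL lines first, then one "deny ip host X any" per shunned host, then post-ACL lines, evaluated top-down with the usual implicit deny at the end. It reproduces the 198/199 case from the reply and the failure mode he warns about, a pre-ACL that already contains "permit ip any any". The ACL name IDS_blahblah, the probe destination 10.0.0.1, and the small ACE grammar subset (ip only; any / host A.B.C.D / A.B.C.D WILDCARD) are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AceAddr:
    """One address spec of an ACE, in IOS terms: base address plus wildcard mask
    (1 bits in the wildcard are "don't care")."""
    base: int
    wildcard: int

    def matches(self, ip: str) -> bool:
        care = (~self.wildcard) & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(ip)) & care) == (self.base & care)


@dataclass(frozen=True)
class Ace:
    action: str     # "permit" or "deny"
    src: AceAddr
    dst: AceAddr
    text: str       # original line, kept for rendering


def _parse_addr(tokens: List[str], i: int) -> Tuple[AceAddr, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return AceAddr(0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return AceAddr(int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return AceAddr(int(ipaddress.IPv4Address(tok)),
                   int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'permit|deny ip <src> <dst>' (a deliberately small subset of the
    IOS extended ACL syntax; anything else is rejected)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    if i != len(tokens):
        raise ValueError(f"trailing tokens in ACE: {line!r}")
    return Ace(tokens[0], src, dst, line)


def build_blocking_acl(pre: List[str], shunned: List[str], post: List[str]) -> List[Ace]:
    """Assemble the ACL in the order described in the reply:
    pre-ACL lines, then one deny per shunned host, then post-ACL lines."""
    lines = list(pre) + [f"deny ip host {h} any" for h in shunned] + list(post)
    return [parse_ace(line) for line in lines]


def evaluate(acl: List[Ace], src_ip: str, dst_ip: str) -> str:
    """First match top-down wins; no match at all is the implicit deny."""
    for ace in acl:
        if ace.src.matches(src_ip) and ace.dst.matches(dst_ip):
            return ace.action
    return "deny"


def shun_is_effective(pre: List[str], post: List[str], shunned_host: str,
                      probe_dst: str = "10.0.0.1") -> bool:
    """Would a packet from the shunned host be dropped by the assembled ACL?
    probe_dst is an assumed destination used only to exercise the ACL."""
    acl = build_blocking_acl(pre, [shunned_host], post)
    return evaluate(acl, shunned_host, probe_dst) == "deny"


def render(acl: List[Ace], name: str = "IDS_blahblah") -> str:
    """Print the ACL the way it would appear in the running config
    (the name is a placeholder, as in the reply)."""
    return "\n".join([f"ip access-list extended {name}"] + [f" {a.text}" for a in acl])


# Constructed config mirroring the thread: ACL 198 as pre-ACL, 199 as post-ACL.
PRE_198 = ["deny ip host 1.1.1.1 any"]
POST_199 = ["permit ip any any"]
# The mistake the reply warns about: a permit-any in the pre-ACL shadows every shun.
BAD_PRE = ["permit ip any any"]

if __name__ == "__main__":
    print(render(build_blocking_acl(PRE_198, ["3.3.3.3"], POST_199)))
    print("shun effective with 198/199:",
          shun_is_effective(PRE_198, POST_199, "3.3.3.3"))
    print("shun effective with permit-any pre-ACL:",
          shun_is_effective(BAD_PRE, POST_199, "3.3.3.3"))
```

Running it prints the three-line ACL from the reply and shows that the same shun of 3.3.3.3 is dropped with 198/199 but passes when the pre-ACL starts with "permit ip any any", which is the check to make on a router where "show access-lists" shows the IDS-created list but traffic from the shunned host still flows.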



This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:40 ART