RE: IDS and shunning problem

From: Scott Morris (swm@emanon.com)
Date: Wed Sep 06 2006 - 18:10:16 ART


You need to set up the network device in the IDS configuration with login
credentials. That's how the changes take place.

Under Configuration - Blocking - Logical Devices -- You need to set up how
it'll log in to make these changes to which device. Under the Blocking
Devices -- You need to choose the protocol used to login.

If it's a router, you may also need to set up the Router Blocking Device
Interfaces portion (which will use those two pre-defined ACL numbers).

The device (router, pix, etc.) needs to be reachable from the C&C interface
of the IDS. You need to make sure that any login controls (ACLs, etc) on
your router/pix allow for telnet, ssh or whatever coming from the IP of the
IDS in order to make changes.

HTH,

 
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
#153, CISSP, et al.
CCSI/JNCI-M/JNCI-J
IPExpert VP - Curriculum Development
IPExpert Sr. Technical Instructor
smorris@ipexpert.com
http://www.ipexpert.com
 
 

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Stefan Grey
Sent: Wednesday, September 06, 2006 4:43 PM
To: marvingreenlee@yahoo.com; ccielab@groupstudy.com
Subject: Re: IDS and shunning problem

1. Yes I see that the event in the IEV.
2. No I do not see any changed ACL on the router.
3. What do you mean by "IDS connect to the router" after configuring this as a
blocking device?? They are pingable and in the same vlan.

4. I configured the ACL of permit ip host IDS_ipaddress any on the inside
interface of the router. After I fired the alarm, I did show acl and there
were no packets in it. So it seems to me that nothing was sent from the ids.

Thanks for your help.

>From: Marvin Greenlee <marvingreenlee@yahoo.com>
>To: Stefan Grey <examplebrain@hotmail.com>, ccielab@groupstudy.com
>Subject: Re: IDS and shunning problem
>Date: Wed, 6 Sep 2006 13:25:56 -0700 (PDT)
>
>
>198 and 199 are ACLs on the router that need to be created ahead of
>time.
>
>The IDS will connect to the router, and dynamically create an
>access-list and apply it to the interface.
>
>
>If the router has logging on to the console (or VTY if that is where
>you are connected), you should see the connection from the IDS when you
>add it as a blocking device. (and again when the sig fires)
>
>access-list 198 deny ip host 1.1.1.1 any
>access-list 199 permit ip any any
>
>If the IDS is going to shun 3.3.3.3, for example, it will create an
>access-list using the defined "pre" and "post" ACLs on the router that
>would look something like this:
>
>ip access-list extended IDS_blahblah
> deny ip host 1.1.1.1 any
> deny ip host 3.3.3.3 any
> permit ip any any
>
>
>Note that the "pre-acl" lines will be used first, then the shunned
>addresses, then the "post-acl" lines.
>
>If your pre-acl includes something like "permit ip any any", shuns will
>not be effective, since ACLs are processed top-down.
>
>
>So
>1. Do you see the IDS connect to the router when you configure it as a
>blocking device?
>
>2. Do you see the event fire in IEV?
>
>3. Do you see the changed ACL on the router?
>
>
>Thanks,
>Marvin Greenlee
>
>
>--- Stefan Grey <examplebrain@hotmail.com> wrote:
>
> > Hello guys. I have spent the last 1,5 days unsuccessfully trying to
> > configure shunning on IDS in different topologies. Could you please
> > suggest what I should do or what I am doing wrong in configuring
> > shunning??
> >
> > My steps are as following
> >
> > --r1----r2
> > |
> > Pc----IDS
> >
> > The topology is just as in the link below
> >
> > http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a00801c0e3c.shtml
> >
> > I couldn't configure shunning on either the PIX or the router.
> > The only difference from what is in the example and in the workbooks
> > was that I accessed the IDS through port 80 and not the default
> > 443. So the IEV was also connected using port 443 and http.
> > Could it be the reason??
> >
> > In the example, what do these lists 199, 198 do??
> > I have no idea. Everything is pingable and telnetable with correct
> > passwords.
> > On the IDS, the signature with telnet and the word "test",
> > Shun Host, and severity
> > high is configured. Also logical device R1, block on R1 (interface
> > which is going to R2). (And pre, after acls are 198, 199).
> >
> > Any ideas? Did anybody configure shunning before??
> > What tricks can there be
> > to make it work?? Might it be a bug of the IDS??
> > Should I clear the
> > config on it??
> >
> > Thanks.
> >
> >
> >
> >
>_______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
>
>



This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:40 ART
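The ACL composition Marvin describes in the thread (pre-ACL lines first, then one deny per shunned host, then post-ACL lines, evaluated top-down with first match winning) and his warning that a `permit ip any any` in the pre-ACL makes every shun ineffective, as an added Python model. This is illustration code written for this page, not Cisco's code or anything posted by the thread participants. The ACE grammar it accepts (`permit|deny ip <src> <dst>` with `any`, `host A.B.C.D` or `A.B.C.D WILDCARD`) and the constructed sample addresses 1.1.1.1 / 3.3.3.3 are assumptions taken from the quoted messages. It goes a little beyond the text by flagging any pre-ACL permit whose source covers a shunned host, not only the `permit ip any any` case.

```python
"""Model of the dynamic shun ACL a Cisco IDS installs, per the thread:
pre-ACL lines, then 'deny ip host <shunned> any' lines, then post-ACL lines,
evaluated top-down with an implicit deny at the end.

Added illustration, not Cisco code. Only the ACE forms used in the thread
('permit|deny ip <src> <dst>' with any / host A.B.C.D / A.B.C.D WILDCARD)
are understood; that restriction is an assumption of this model."""
from dataclasses import dataclass
import ipaddress

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'addr wildcard' pair (inverse mask) into a prefix."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:              # set bits must be a contiguous low run
        raise ValueError(f"non-contiguous wildcard {wildcard} not modelled")
    return ipaddress.IPv4Network((addr, 32 - wc.bit_length()), strict=False)


def _parse_addr(tokens, i):
    """Consume one address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_ace(line):
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    if i != len(tokens):
        raise ValueError(f"trailing tokens in ACE: {line!r}")
    return Ace(tokens[0], src, dst)


def build_shun_acl(pre_acl, shunned_hosts, post_acl):
    """ACE list in the order the IDS installs it: pre, shuns, post."""
    shuns = [f"deny ip host {h} any" for h in shunned_hosts]
    return list(pre_acl) + shuns + list(post_acl)


def first_match(acl, src, dst):
    """Top-down first-match evaluation of a src->dst packet.
    Returns (action, index); ('deny', None) means the implicit deny matched."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for idx, line in enumerate(acl):
        ace = parse_ace(line)
        if s in ace.src and d in ace.dst:
            return ace.action, idx
    return "deny", None


def shadowing_permits(pre_acl, host):
    """Pre-ACL permit lines whose source covers the host. Each one sits above
    the shun's deny line, so some traffic from the host gets through."""
    h = ipaddress.IPv4Address(host)
    return [line for line in pre_acl
            if parse_ace(line).action == "permit" and h in parse_ace(line).src]


def shun_report(pre_acl, shunned_hosts, post_acl):
    """Per shunned host: (fully effective?, pre-ACL lines that shadow it).
    post_acl is accepted for symmetry; it sits below the shuns and cannot shadow them."""
    return {h: (not shadowing_permits(pre_acl, h), shadowing_permits(pre_acl, h))
            for h in shunned_hosts}


if __name__ == "__main__":
    # Constructed sample matching the thread: pre-ACL 198, post-ACL 199, shun 3.3.3.3.
    post = ["permit ip any any"]
    good = build_shun_acl(["deny ip host 1.1.1.1 any"], ["3.3.3.3"], post)
    print(good, first_match(good, "3.3.3.3", "10.0.0.1"))
    # The mistake Marvin warns about: a permit-all in the pre-ACL.
    print(shun_report(["permit ip any any"], ["3.3.3.3"], post))
```

`shun_report` is the check to run before trusting a blocking configuration: any entry whose second element is non-empty means the IDS will install its deny line below a permit that already matches the host, and the router's first-match evaluation never reaches the shun.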