IPS related question

From: Ajay mehra <ajaymehra01_at_gmail.com>
Date: Wed, 27 May 2009 17:54:48 +0530

Hello Experts,

I have one doubt regarding "blocking hosts" in an IDS environment.

When a particular host is shunned it can be seen on the ASA using show shun.
Let us say I remove this blocked host from the ASA using clear shun. This
does not remove the host from the IDS "active blocked hosts" list on the IDS device,
and now any offending traffic will not be blocked, because the IDS assumes that
it has already shunned the attacker.

When I tested the same scenario with a router, the IDS was always talking to the router
to make sure that the access-group denying the attacker is configured on the interface.

Is this the expected behaviour with PIX/ASA? I was initiating a continuous
attack using signature 2151 Large ICMP Traffic. Once I do clear shun, the
attacker is not blocked again.

Thanks,
Ajay

Received on Wed May 27 2009 - 17:54:48 ART
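The failure mode described in the post is a state mismatch: the sensor's "active blocked hosts" list and the ASA's shun table drift apart after a manual clear shun, so the sensor never re-issues the block. A defender-side check for that drift, written as an added example (not code from the original post or from Cisco), is to reconcile the two lists and report hosts the sensor believes are blocked but the firewall no longer shuns. The ASA line format below (`shun (interface) src dst sport dport proto`) is assumed from typical show shun output, and the sensor list format (one `host <ip>` per line) is constructed for the example; both sample outputs are constructed.

```python
import re
from typing import Dict, Set

# Assumed `show shun` line shape: "shun (outside) 10.0.0.5 0.0.0.0 0 0 0".
# Only the interface and source address are needed for reconciliation.
SHUN_RE = re.compile(
    r"^shun\s+\((?P<ifc>[^)]+)\)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sensor list format: "host <ip>" per line; other lines ignored.
IDS_HOST_RE = re.compile(r"^host\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})")


def parse_asa_shun(output: str) -> Set[str]:
    """Return the set of source IPs the ASA currently shuns."""
    hosts = set()
    for line in output.splitlines():
        m = SHUN_RE.match(line.strip())
        if m:
            hosts.add(m.group("src"))
    return hosts


def parse_ids_blocked(output: str) -> Set[str]:
    """Return the set of IPs the sensor lists as actively blocked."""
    hosts = set()
    for line in output.splitlines():
        m = IDS_HOST_RE.match(line.strip())
        if m:
            hosts.add(m.group("src"))
    return hosts


def reconcile(asa_hosts: Set[str], ids_hosts: Set[str]) -> Dict[str, Set[str]]:
    """Split the two views into agreement and the two kinds of drift.

    stale_on_ids: sensor thinks the host is blocked, ASA no longer shuns it
                  (the exact case after a manual `clear shun`; the sensor
                  will not re-block, so these need a sensor-side reset).
    unknown_to_ids: ASA shuns a host the sensor does not track (manual shun,
                  or a block whose timeout expired on the sensor only).
    """
    return {
        "in_sync": asa_hosts & ids_hosts,
        "stale_on_ids": ids_hosts - asa_hosts,
        "unknown_to_ids": asa_hosts - ids_hosts,
    }


# Constructed sample: 192.168.1.20 was cleared on the ASA but the sensor
# still lists it, reproducing the drift described in the post.
SAMPLE_ASA_SHOW_SHUN = """\
shun (outside) 10.0.0.5 0.0.0.0 0 0 0
shun (outside) 172.16.4.9 0.0.0.0 0 0 0
"""

SAMPLE_IDS_BLOCKED = """\
Active blocked hosts (constructed sample)
host 10.0.0.5
host 192.168.1.20
"""


def run_check(asa_output: str = SAMPLE_ASA_SHOW_SHUN,
              ids_output: str = SAMPLE_IDS_BLOCKED) -> Dict[str, Set[str]]:
    """Parse both outputs and return the reconciliation result."""
    return reconcile(parse_asa_shun(asa_output), parse_ids_blocked(ids_output))


if __name__ == "__main__":
    result = run_check()
    for key in ("in_sync", "stale_on_ids", "unknown_to_ids"):
        print(f"{key}: {sorted(result[key])}")
```

In practice the two outputs would be collected from the devices on a schedule; any entry in `stale_on_ids` means the sensor must be told to drop and re-evaluate that host, since it will otherwise treat continued attack traffic as already handled.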
