RE: IPS related question

From: Steve Means <smeans_at_ccbootcamp.com>
Date: Wed, 27 May 2009 08:15:17 -0700

I've not tested that particular scenario myself, but it sounds like you've
answered your question as to how it behaves.

As to whether it is expected or not (i.e., SHOULD it be constantly checking to
see if the shun is in place), then I would say view the logs and/or turn on
debugging to see if the IPS is attempting to do anything. show shun, etc. If
not, then question answered. If so, then something might not be working
correctly. My guess is the former, but let us know.

Steve Means
Security Instructor/Consultant
smeans_at_ccbootcamp.com
CCBOOTCAMP - A Cisco Learning Partner
877.654.2243 Toll Free
+1.702.968.5100 Direct Outside the USA
+1.702.446.0357 Fax
YES! We take Cisco Learning Credits

________________________________

From: nobody_at_groupstudy.com on behalf of Ajay mehra
Sent: Wed 5/27/2009 5:24 AM
To: ccielab_at_groupstudy.com
Subject: IPS related question

Hello Experts,

I have one doubt regarding "blocking hosts" in IDS environment.

When a particular host is shunned it can be seen in ASA using show shun.
Let us say if I remove this blocking host from ASA using clear shun. This
does not remove the host from the IDS "active blocked host" list on the IDS device,
and now any offending traffic will not be blocked because the IDS assumes that
it has already shunned the attacker.

When I tested the same scenario with a router, the IDS was always talking to the router
to make sure that the access-group is configured on the interface which is denying
the attacker.

Is this the expected behaviour with PIX/ASA? I was initiating a continuous
attack using signature 2151 Large ICMP traffic. Once I do clear shun, the
attacker is not blocked again.

Thanks,
Ajay
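The state drift described above (the IPS still lists a host as blocked after "clear shun" removed it from the ASA) can be caught by reconciling the IPS block list against what the firewall or router actually enforces. The following is an added example, not code from either poster or from Cisco: the "show shun" and "show ip access-lists" samples are constructed, their line formats are assumed, and the IPS block list is taken as a plain list of addresses rather than parsed from any real IPS output.

```python
import re
from ipaddress import ip_address

# Constructed sample of ASA "show shun" output; 192.0.2.11 has been cleared
# with "clear shun" while the IPS still believes it is blocked.
ASA_SHOW_SHUN = """\
shun (outside) 192.0.2.10 0.0.0.0 0 0 0
shun (outside) 198.51.100.7 0.0.0.0 0 0 0
"""

# Constructed sample of IOS "show ip access-lists" output for the ACL the IPS
# maintains on the router (line format assumed).
IOS_SHOW_ACL = """\
Extended IP access list IPS_BLOCK
    10 deny ip host 192.0.2.10 any
    20 deny ip host 192.0.2.11 any
    30 deny ip host 198.51.100.7 any
    40 permit ip any any (4821 matches)
"""

# Constructed list of hosts the IPS reports as active host blocks.
IPS_ACTIVE_BLOCKS = ["192.0.2.10", "192.0.2.11", "198.51.100.7"]

SHUN_RE = re.compile(r"^shun \(\S+\) (\S+) ")
ACL_DENY_RE = re.compile(r"^\s*\d+ deny ip host (\S+) any")


def parse_asa_shun(text):
    """Return the set of source hosts currently shunned on the ASA."""
    return {m.group(1) for line in text.splitlines() if (m := SHUN_RE.match(line))}


def parse_ios_acl_denies(text):
    """Return the set of source hosts denied by 'deny ip host X any' ACL entries."""
    return {m.group(1) for line in text.splitlines() if (m := ACL_DENY_RE.match(line))}


def find_drift(ips_blocks, enforced):
    """Hosts the IPS believes are blocked but the enforcing device no longer denies."""
    wanted = {str(ip_address(h)) for h in ips_blocks}  # validates and normalises
    return sorted(wanted - enforced)


if __name__ == "__main__":
    # ASA drift: ['192.0.2.11']; router ACL drift: [] (the router case the IPS re-verifies)
    print("ASA drift:", find_drift(IPS_ACTIVE_BLOCKS, parse_asa_shun(ASA_SHOW_SHUN)))
    print("IOS drift:", find_drift(IPS_ACTIVE_BLOCKS, parse_ios_acl_denies(IOS_SHOW_ACL)))
```

Any host returned for the ASA is one the IPS will not re-block, so it should be re-shunned or removed from the IPS active block list to bring the two back in sync.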

Received on Wed May 27 2009 - 08:15:17 ART
