Re: IPS related question

From: Ajay mehra <ajaymehra01_at_gmail.com>
Date: Wed, 27 May 2009 21:32:49 +0530

Hi Steve,

The ASA does not show any logs in this case. But as soon as I clear the active
blocked host in the IPS by deleting that particular blocked host entry, the ASA does show
logs, as well as the entry in "show shun".

Thanks,
Ajay

2009/5/27 Steve Means <smeans_at_ccbootcamp.com>

> I've not tested that particular scenario myself, but it sounds like you've
> answered your question as to how it behaves.
>
> As to whether it is expected or not (i.e., SHOULD it be constantly checking
> to see if the shun is in place), then I would say view the logs and/or turn
> on debugging to see if the IPS is attempting to do anything. show shun,
> etc. If not, then question answered. If so, then something might not be
> working correctly. My guess is the former, but let us know.
>
> Steve Means
> Security Instructor/Consultant
> smeans_at_ccbootcamp.com
> CCBOOTCAMP - A Cisco Learning Partner
>
> ________________________________
>
> From: nobody_at_groupstudy.com on behalf of Ajay mehra
> Sent: Wed 5/27/2009 5:24 AM
> To: ccielab_at_groupstudy.com
> Subject: IPS related question
>
> Hello Experts,
>
> I have one doubt regarding "blocking hosts" in an IDS environment.
>
> When a particular host is shunned, it can be seen on the ASA using show shun.
> Let us say I remove this blocked host from the ASA using clear shun. This
> does not remove the host from the "active blocked host" list on the IDS device,
> and now any offending traffic will not be blocked, because the IDS assumes that
> it has already shunned the attacker.
>
> When I tested the same scenario with a router, the IDS was always talking to the router
> to make sure that the access-group denying the attacker is configured on the
> interface.
>
> Is this the expected behaviour with PIX/ASA? I was initiating a continuous
> attack using signature 2151 Large ICMP Traffic. Once I do clear shun, the
> attacker is not blocked again.
>
>
> Thanks,
> Ajay
>
>
> Blogs and organic groups at http://www.ccie.net
>

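The failure mode the thread describes is a split view: the sensor still lists a host as blocked after `clear shun` has removed the shun from the ASA, so nothing enforces the block. A periodic reconciliation of the two views catches that drift. The following is an added example, not code from the thread or from Cisco; the `show shun` column layout (`shun (interface) src dst sport dport proto`) is assumed, and the sensor's active-block listing is a constructed, simplified rendering rather than real sensor output.

```python
"""Reconcile an IPS sensor's active-block list with an ASA's `show shun` table.

Added example (not part of the original thread). The ASA output format
below follows `shun (interface) src dst sport dport proto`; the IPS list
is a constructed, simplified rendering of the sensor's active host blocks.
"""
import re
from typing import Dict, List, Set

# Constructed sample of `show shun` on the ASA. The shun for 192.0.2.77 has
# already been removed with `clear shun`, as in the scenario from the thread.
ASA_SHOW_SHUN = """\
shun (outside) 198.51.100.23 0.0.0.0 0 0 0
shun (outside) 203.0.113.9 0.0.0.0 0 0 0
"""

# Constructed sample of the sensor's active host blocks (simplified layout).
IPS_ACTIVE_BLOCKS = """\
Active Host Blocks
   Host: 198.51.100.23  Timeout: 28 minutes remaining
   Host: 203.0.113.9    Timeout: 55 minutes remaining
   Host: 192.0.2.77     Timeout: 12 minutes remaining
"""

SHUN_RE = re.compile(r"^shun \((?P<ifc>[^)]+)\) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) ")
BLOCK_RE = re.compile(r"^\s*Host:\s+(?P<host>\d{1,3}(?:\.\d{1,3}){3})")

def parse_show_shun(text: str) -> Set[str]:
    """Return the set of source hosts the ASA is currently shunning."""
    return {m.group("src") for line in text.splitlines() if (m := SHUN_RE.match(line))}

def parse_ips_blocks(text: str) -> Set[str]:
    """Return the set of hosts the sensor believes it has blocked."""
    return {m.group("host") for line in text.splitlines() if (m := BLOCK_RE.match(line))}

def find_block_drift(ips_text: str, asa_text: str) -> Dict[str, List[str]]:
    """Compare both views. 'unenforced' are hosts the IPS thinks are blocked
    but the ASA no longer shuns (the failure mode from the thread);
    'orphaned' are shuns on the ASA that the sensor no longer tracks."""
    ips = parse_ips_blocks(ips_text)
    asa = parse_show_shun(asa_text)
    return {"unenforced": sorted(ips - asa), "orphaned": sorted(asa - ips)}

if __name__ == "__main__":
    drift = find_block_drift(IPS_ACTIVE_BLOCKS, ASA_SHOW_SHUN)
    for host in drift["unenforced"]:
        print(f"ALERT: sensor believes {host} is blocked, but the ASA has no shun")
    for host in drift["orphaned"]:
        print(f"NOTE: ASA shuns {host} with no matching sensor block")
```

In operation the two inputs would be collected from the devices (for example over SSH) on a schedule, and an "unenforced" result is the signal to clear the stale block on the sensor so the attacker can be re-blocked.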
Received on Wed May 27 2009 - 21:32:49 ART
