CSCsq22506 Bug Details
NAC error when shun list not empty on firewall at startup/reconnect
Symptom:
You may see the following error upon sensor connection with a firewall
blocking device
[PIX] IP [10.76.254.242] state [Active]Text from device: nno shun
(outside)
^ ERROR: % Invalid input detected at '^' marker.
Conditions:
IPS using an ASA/FWSM as a blocking device.
Workaround:
Manually clear all shuns from the firewall.
Further Problem Description:
This error is thrown because the sensor could not parse the show shun output
and thus sends invalid "no shun" commands to clear all unmanaged shuns from
the firewall during sensor connect/reconnect/startup.
We may need to upgrade our sensors to 6.1.2
Regards,
Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: tscott_at_ipexpert.com
Join our free online support and peer group communities:
http://www.IPexpert.com/communities
IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand
and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE
Security Lab, CCIE Service Provider Lab , CCIE Voice Lab and CCIE Storage
Lab Certifications.
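As an added example (not Cisco code, and not written by anyone in this thread), the following Python helper shows the two failure points the thread describes from the defender's side: it parses "show shun" output strictly, so empty or garbled output yields no entries rather than address-less "no shun (outside)" commands, and it compares the firewall's shun list with the sensor's "active blocked hosts" so that a shun cleared on the ASA without the IPS noticing shows up as drift. The "show shun" line format and the "no shun <source-ip>" removal syntax are assumptions taken from the ASA command reference; the sample output and the sensor's blocked-host set are constructed.

```python
"""Reconcile IPS 'active blocked hosts' with the shuns actually on an ASA.

Added example, not Cisco code. Assumptions (from the ASA command
reference, not from this thread):
  - 'show shun' prints one entry per line as
        shun (<interface>) <src-ip> <dst-ip> <sport> <dport> <proto>
  - a shun is removed with 'no shun <src-ip>'.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Strict: the source address is mandatory. A line like "shun (outside)" with
# nothing after the interface (or a CLI error echo) does NOT match, so it can
# never turn into an address-less "no shun (outside)" command.
_SHUN_LINE = re.compile(
    r"^shun\s+\((?P<intf>[^)]+)\)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+\d+\s+\d+\s+\d+)?\s*$"
)


@dataclass(frozen=True)
class Shun:
    interface: str
    src: str
    dst: Optional[str] = None


def parse_show_shun(output: str) -> List[Shun]:
    """Return the shuns listed in 'show shun' output; skip anything else."""
    shuns: List[Shun] = []
    for raw in output.splitlines():
        m = _SHUN_LINE.match(raw.strip())
        if m:
            shuns.append(Shun(m.group("intf"), m.group("src"), m.group("dst")))
    return shuns


def no_shun_commands(shuns: List[Shun], managed: Set[str]) -> List[str]:
    """Commands to remove shuns the sensor does not manage (the startup /
    reconnect cleanup from the bug). Every command carries an address."""
    cmds: List[str] = []
    for s in shuns:
        if s.src and s.src not in managed:
            cmds.append(f"no shun {s.src}")
    return cmds


def reconcile(ips_blocked: Set[str], shuns: List[Shun]) -> Dict[str, Set[str]]:
    """Compare the sensor's blocked-host list with firewall state.

    missing   -> IPS believes the host is blocked but the ASA has no shun
                 (what is left after 'clear shun' on the ASA)
    unmanaged -> the ASA has a shun the IPS knows nothing about
    in_sync   -> both sides agree
    """
    on_fw = {s.src for s in shuns}
    return {
        "missing": ips_blocked - on_fw,
        "unmanaged": on_fw - ips_blocked,
        "in_sync": ips_blocked & on_fw,
    }


# Constructed sample output; addresses are the ones quoted in the thread plus
# documentation ranges.
SAMPLE_SHOW_SHUN = """\
shun (outside) 10.2.2.10 0.0.0.0 0 0 0
shun (outside) 10.76.254.242 192.0.2.5 1234 80 6
shun (inside) 198.51.100.7 0.0.0.0 0 0 0
"""

# What the sensor thinks it has blocked (constructed).
IPS_ACTIVE_BLOCKED = {"10.2.2.10", "203.0.113.9"}


if __name__ == "__main__":
    shuns = parse_show_shun(SAMPLE_SHOW_SHUN)
    print("shuns on firewall:", [s.src for s in shuns])
    print("cleanup commands:", no_shun_commands(shuns, IPS_ACTIVE_BLOCKED))
    print("drift:", reconcile(IPS_ACTIVE_BLOCKED, shuns))
    # Empty output (the bug's trigger) must produce no commands at all.
    print("empty:", no_shun_commands(parse_show_shun(""), IPS_ACTIVE_BLOCKED))
```

Run periodically against captured "show shun" output, the "missing" set is the signal that a shun was cleared by hand on the firewall while the sensor still lists the host as blocked; the "unmanaged" set is what a sane startup cleanup would act on, one address per command.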
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Stuart Hare
Sent: Thursday, May 28, 2009 4:49 PM
To: Ajay mehra
Cc: Steve Means; security_at_groupstudy.com; ccielab_at_groupstudy.com
Subject: Re: IPS related question
When I was doing the shunning the weekend I had an issue with it also.
But my issue was more with the IPS removing the shun from the ASA.
It was like the IPS was using the wrong syntax to remove the shun.
evError: eventId=1238424945926627983 vendor=Cisco severity=error
originator:
hostId: IPS
appName: nac
appInstanceId: 24447
time: May 24, 2009 10:23:41 UTC offset=0 timeZone=UTC
errorMessage: ERROR: Syntax error from invalid input at device [PIX] IP
[10.2.2.10] state [Active]Text from device:
no shun (outside)
no shun (outside)
^
ERROR: % Invalid Hostname
asa# name=errSystemError
Not sure if anyone has come across this?
I did notice the same thing as you though: if you remove the shun manually
from the ASA, there doesn't seem to be any communication with the IPS to inform
it that this has happened, unlike the IOS blocking, which seems to update
accordingly.
Stu
On Wed, May 27, 2009 at 5:02 PM, Ajay mehra <ajaymehra01_at_gmail.com> wrote:
> Hi Steve,
>
> ASA does not show up any logs in this case. But as soon as I clear active
> blocked host in IPS by deleting particular blocked host entry, ASA does
> show up logs as well as "show shun".
>
>
> Thanks,
> Ajay
>
> 2009/5/27 Steve Means <smeans_at_ccbootcamp.com>
>
> > I've not tested that particular scenario myself, but it sounds like
> > you've answered your question as to how it behaves.
> >
> > As to whether it is expected or not (IE, SHOULD it be constantly
> > checking to see if the shun is in place) then I would say view the logs
> > and/or turn on debugging to see if the IPS is attempting to do anything.
> > Sho shun, etc... If not then question answered. If so, then something
> > might not be working correctly. My guess is the former but let us know.
> >
> > Steve Means
> > Security Instructor/Consultant
> > smeans_at_ccbootcamp.com
> > CCBOOTCAMP - A Cisco Learning Partner
> > 877.654.2243 Toll Free
> > +1.702.968.5100 Direct Outside the USA
> > +1.702.446.0357 Fax
> > YES! We take Cisco Learning Credits
> >
> > ________________________________
> >
> > From: nobody_at_groupstudy.com on behalf of Ajay mehra
> > Sent: Wed 5/27/2009 5:24 AM
> > To: ccielab_at_groupstudy.com
> > Subject: IPS related question
> >
> >
> >
> > Hello Experts,
> >
> > I have one doubt regarding "blocking hosts" in IDS environment.
> >
> > When a particular host is shunned it can be seen in ASA using show shun.
> > Let us say if I remove this blocking host from ASA using clear shun. This
> > does not remove the hosts from IDS "active blocked host" list in IDS device
> > and now any offending traffic will not be blocked because IDS assumes that
> > it has already shunned the attacker.
> >
> > When I tested same scenario with router, IDS was always talking to router
> > to make sure that access-group is configured on interface which is denying
> > the attacker.
> >
> > Is this the expected behaviour with PIX/ASA? I was initiating continuous
> > attack using signature 2151 Large ICMP traffic. Once I do clear shun the
> > attacker is not blocked again.
> >
> >
> > Thanks,
> > Ajay
> >
> >
> > Blogs and organic groups at http://www.ccie.net <http://www.ccie.net/>
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>
--
Stuart Hare
stuart.hare_at_gmail.com

Received on Thu May 28 2009 - 23:20:31 ART
This archive was generated by hypermail 2.2.0 : Mon Jun 01 2009 - 07:04:43 ART