Blocking on a Router

Unanswered Question
Jun 26th, 2007
User Badges:

I have enabled blocking on a router to fire when a certain sig fires. this has been working for a while, I can see the ACL on the router with the host being denied access,so I know that it has been working. The sig fired today and the host was added to the ACL on the router - so it should be blocked, right? After I verified that the host was added to the ACL on the router and through the IDM I still receive e-mails on this sig firing with the same host that was supposedly blocked when it first came in. Does the IPS still log events if though the attacker is being blocked?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
vitripat Tue, 06/26/2007 - 12:06
User Badges:
  • Gold, 750 points or more

As long as IPS is recieving the offending traffic causing a signature to trigger, an event will be generated. However, if the router is infront of IPS and should block the offending traffic before it reaches IPS, then events should not be triggered.

Hope this helps.



jlively Tue, 06/26/2007 - 12:30
User Badges:
  • Cisco Employee,

If it is in front of the router, you should see events where the sig will fire. You should NOT see any more events from ARC saying it has successfully added a block to the router. If you look at idm/monitoring, you should see the block time being reset back to default every time the sig fires.

siscisco05 Tue, 06/26/2007 - 13:44
User Badges:

The router is in front of the IPS. what can I do to troubleshoot where the fault is?

Thanks for your help.

attmidsteam Tue, 06/26/2007 - 12:11
User Badges:
  • Silver, 250 points or more

How long after did they occur? It takes a small amount of time to re-write the ACL so there is a window of time where one event could fire a block-host event, but more events pass through before the ACL becomes active.

siscisco05 Wed, 06/27/2007 - 09:01
User Badges:

Once the host was added to the ACL I was receiving alerts 10-20 minutes after the fact.

When you setup a router for the IPS to manage and you put in all of the login, IP and ACL info. Is there anything you have to do to make the ACL active on the router to deny or allow traffic? The only thing that I can think of is to assign it to an interface on the router but that was done when setting up the blocking device through IDM right?


This Discussion