cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
607
Views
0
Helpful
5
Replies

Blocking on a Router

siscisco05
Level 1
Level 1

I have enabled blocking on a router to fire when a certain sig fires. this has been working for a while, I can see the ACL on the router with the host being denied access,so I know that it has been working. The sig fired today and the host was added to the ACL on the router - so it should be blocked, right? After I verified that the host was added to the ACL on the router and through the IDM I still receive e-mails on this sig firing with the same host that was supposedly blocked when it first came in. Does the IPS still log events if though the attacker is being blocked?

5 Replies 5

vitripat
Level 7
Level 7

As long as IPS is recieving the offending traffic causing a signature to trigger, an event will be generated. However, if the router is infront of IPS and should block the offending traffic before it reaches IPS, then events should not be triggered.

Hope this helps.

Regards,

Vibhor.

If it is in front of the router, you should see events where the sig will fire. You should NOT see any more events from ARC saying it has successfully added a block to the router. If you look at idm/monitoring, you should see the block time being reset back to default every time the sig fires.

The router is in front of the IPS. what can I do to troubleshoot where the fault is?

Thanks for your help.

attmidsteam
Level 1
Level 1

How long after did they occur? It takes a small amount of time to re-write the ACL so there is a window of time where one event could fire a block-host event, but more events pass through before the ACL becomes active.

Once the host was added to the ACL I was receiving alerts 10-20 minutes after the fact.

When you setup a router for the IPS to manage and you put in all of the login, IP and ACL info. Is there anything you have to do to make the ACL active on the router to deny or allow traffic? The only thing that I can think of is to assign it to an interface on the router but that was done when setting up the blocking device through IDM right?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: