gfullage Wed, 01/09/2008 - 21:05
Cisco Employee

It works differently depending on whether you're in IDS or IPS mode.

IDS Mode

When the trigger packet is seen and the alert fires, 100 TCP RSTs are sent from the sensor's MONITORING port to both the client and the server. These 100 RSTs have incrementing SEQ/ACK numbers to give us a better chance of actually getting within the current window and effectively resetting the connection on both ends. (It's important to realise that it is not 100% guaranteed to actually RST the connection, due to this sliding window.) The RSTs are obviously sent out with the actual client and server addresses in them, to make it look like they came from the other end. Because they're sent out the monitor port, if this is set up using a "span" session on the switch then it's important to make sure you allow inbound packets on that port (by default, span ports drop inbound packets).

IPS Mode

Because the sensor is now inline, as soon as the signature fires we send one RST to both ends of the connection and then stop transmitting any further packets on that connection.
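Added example (not code from the original post, Cisco, or the sensor): the reset burst described above, built in pure Python. It constructs the spoofed RST segments toward both ends of a connection, stepping SEQ/ACK per packet, and then applies the receiver's window check from RFC 793 to show why the burst is a matter of odds rather than a guarantee. All addresses, ports and sequence numbers are constructed sample values, and the per-packet step of 1460 is an assumption (the post only says the numbers increment). It also goes a little beyond the post: the `strict` mode models hosts that implement RFC 5961, which only honour a RST whose SEQ exactly equals RCV.NXT and answer other in-window RSTs with a challenge ACK, so the odds there are lower still.

```python
"""Spoofed TCP RST burst: 100 RSTs toward each end with stepped SEQ/ACK,
plus the receiver-side window check that decides whether one lands.
Added example; sample values are constructed, the step is an assumption.
"""
import socket
import struct
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Flow:
    """Observed 4-tuple plus the sequence state inferred from the trigger packet."""
    client_ip: str
    client_port: int
    server_ip: str
    server_port: int
    client_seq: int  # next SEQ we believe the client will send
    server_seq: int  # next SEQ we believe the server will send


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_rst(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
              seq: int, ack: int) -> bytes:
    """Raw IPv4 + TCP segment, RST|ACK set, no payload, source spoofed as the peer."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    flags = 0x14  # RST (0x04) | ACK (0x10)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, seq & 0xFFFFFFFF,
                      ack & 0xFFFFFFFF, 5 << 4, flags, 0, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                     socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


def reset_burst(flow: Flow, count: int = 100, step: int = 1460) -> Tuple[List[bytes], List[bytes]]:
    """(to_server, to_client): `count` RSTs spoofed from each end, SEQ/ACK
    advanced by `step` per packet so some fall inside the peer's window even
    if our view of the sequence state is stale.  `step` is an assumed value."""
    to_server, to_client = [], []
    for i in range(count):
        off = i * step
        # Impersonate the client to tear down the server's side ...
        to_server.append(build_rst(flow.client_ip, flow.client_port, flow.server_ip,
                                   flow.server_port, flow.client_seq + off, flow.server_seq + off))
        # ... and the server to tear down the client's side.
        to_client.append(build_rst(flow.server_ip, flow.server_port, flow.client_ip,
                                   flow.client_port, flow.server_seq + off, flow.client_seq + off))
    return to_server, to_client


def rst_seq(segment: bytes) -> int:
    """Sequence number of a segment built above (IHL 5, TCP starts at byte 20)."""
    return struct.unpack("!I", segment[24:28])[0]


def rst_accepted(seq: int, rcv_nxt: int, rcv_wnd: int, strict: bool = False) -> bool:
    """RFC 793: RST honoured if SEQ in [RCV.NXT, RCV.NXT + RCV.WND), modulo 2**32.
    RFC 5961 (strict): only SEQ == RCV.NXT resets; other in-window RSTs get a challenge ACK."""
    delta = (seq - rcv_nxt) % 2**32
    return delta == 0 if strict else delta < rcv_wnd


def accepted_count(segments: List[bytes], rcv_nxt: int, rcv_wnd: int, strict: bool = False) -> int:
    """How many RSTs of a burst the receiver would act on."""
    return sum(rst_accepted(rst_seq(s), rcv_nxt, rcv_wnd, strict) for s in segments)


# Constructed sample: the sensor's view of the client's SEQ is stale, so the
# server has already accepted 40000 more bytes than the trigger packet implied.
FLOW = Flow("10.0.0.5", 40123, "192.0.2.10", 80, client_seq=1_000_000, server_seq=5_000_000)
TO_SERVER, TO_CLIENT = reset_burst(FLOW)
SERVER_RCV_NXT = FLOW.client_seq + 40_000
SERVER_RCV_WND = 65_535

if __name__ == "__main__":
    print(len(TO_SERVER), "RSTs toward the server,", len(TO_SERVER[0]), "bytes each")
    print("accepted, RFC 793 window :", accepted_count(TO_SERVER, SERVER_RCV_NXT, SERVER_RCV_WND))
    print("accepted, RFC 5961 exact :", accepted_count(TO_SERVER, SERVER_RCV_NXT, SERVER_RCV_WND, strict=True))
    print("accepted, server 200 kB further along:",
          accepted_count(TO_SERVER, SERVER_RCV_NXT + 200_000, SERVER_RCV_WND))
```

The block only builds the bytes; putting them on the wire from a monitoring port needs a raw socket and privileges, which is deliberately left out. With the sample numbers, 45 of the 100 RSTs toward the server fall inside its 64 kB window, none does on an RFC 5961 host because no stepped SEQ hits RCV.NXT exactly, and none does if the server has moved 200 kB past the sensor's view, which is the "not 100% guaranteed" case in the post.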

iqbalkhan Thu, 01/10/2008 - 01:51

My device is IPS but it works in IDS mode.

and it's connected to a blocking device, a firewall. My IDM is behind the FW, and from the IDM I can only access or ping the inside interface.

In this situation, can I reset with the PIX FW?
