Test bed configuration consists of Catalyst 6500 and 4255 IDS vith SW version 6.0. The traffic is captured using VLAN capture feature and send to the sensing interface Gi0/0 on IDS. The reset interface is Gi0/3, connected back to the Cat6K.
Vlan 140 with IP interface is defined on the switch. There is a host connected to that Vlan. A custom signature defines that telnet to that host is not legal and the reset action is defined IDS.
When the telnet is started to that host from anywhere in the network, the connection is reset. BUT the event counter gone mad constantly increasing.
What we suspect to happen is that the reset packet from IDS that is destined for te secured host, triggers the event again what causes new resets. It is some kind of a loop situation.
Is there any feature or technique to overcome such situation ?
IDS should recognize its own reset packets !
Thanks for any hint.