IPS Blocking Shunning and Deny Inline

rmeans
Level 3

I recently moved from promiscuous to inline and want to take advantage of denying packets inline. With promiscuous mode, I added my local networks to the never block list. Does the never block list apply to the deny packets inline options? If not, is there another except list, or should I write an event filter?

Accepted Solution

marcabal
Cisco Employee

The Never Block List only applied to Blocks being done on other devices (routers, switches, firewalls).

To prevent Denies for the same addresses you have to use Event Action Filters. Create a filter for those same addresses as the source/attacker, for ALL sigs, subsigs, dest addresses, ports, etc... and select the Deny Attacker Inline, Deny Attacker Service Pair Inline, and Deny Attacker Victim Pair Inline event actions as the Actions To Subtract.

Subtracting these actions will ensure that the inline sensor does not do any long term blocking based on the address.

You can decide whether or not to add the Deny Packet Inline and Deny Connection Inline to this filter as well.

I recommend NOT adding them so you can deny specific packets/connections being used in an attack even when that attack originates inside your network.

Also understand that the filter will only prevent Deny Attacker ... Inline actions being done automatically through the triggering of a signature. It will NOT prevent those addresses from being Denied if somebody manually enters an address to Deny through the CLI. (CLI-entered Denies were introduced in IPS 6.1.) (NOTE: I don't remember if IDM/IME support adding Denies manually.)

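The distinction the answer draws (the Never Block List only strips blocks requested on other devices, while an Event Action Filter is what subtracts the Deny Attacker ... Inline actions) can be modelled as a small evaluation pipeline. This is an added illustration, not Cisco IPS code: the local networks are constructed sample values, and the "Request Block Host"/"Request Block Connection" action names are assumed for the blocks the Never Block List governs.

```python
from ipaddress import ip_address, ip_network

# Action names as used in the post. These three are the long-term, address-based
# denies that the answer recommends subtracting for internal source addresses.
DENY_ATTACKER_ACTIONS = {
    "Deny Attacker Inline",
    "Deny Attacker Service Pair Inline",
    "Deny Attacker Victim Pair Inline",
}
# Assumed names for the block actions sent to routers/switches/firewalls,
# which are the only actions the Never Block List affects.
BLOCK_ACTIONS = {"Request Block Host", "Request Block Connection"}

# Constructed sample: the "local networks" from the question.
LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def in_local_nets(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def apply_never_block(attacker: str, actions: set) -> set:
    """Never Block List: removes only blocks done on other devices."""
    if in_local_nets(attacker):
        return actions - BLOCK_ACTIONS
    return set(actions)


def apply_event_action_filter(attacker: str, actions: set,
                              subtract: set = DENY_ATTACKER_ACTIONS) -> set:
    """Event Action Filter: attacker in local nets, ALL sigs/subsigs/victims/
    ports, with `subtract` as the Actions To Subtract. Deny Packet Inline and
    Deny Connection Inline are deliberately left out of `subtract`, as the
    answer recommends, so they still fire for an internal attacker."""
    if in_local_nets(attacker):
        return actions - subtract
    return set(actions)


def effective_actions(attacker: str, signature_actions) -> set:
    """Actions the inline sensor takes for one automatically triggered
    signature. Manually CLI-entered Denies are a separate path and are
    not consulted here, matching the caveat in the answer."""
    actions = apply_never_block(attacker, set(signature_actions))
    return apply_event_action_filter(attacker, actions)
```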

