IPS Blocking Shunning and Deny Inline

Answered Question
Aug 25th, 2008
I recently moved from promiscuous to inline and want to take advantage of denying packets inline. With promiscuous mode, I added my local networks to the never block list. Does the never block list apply to the deny packets inline options? If not, is there another except list, or should I write an event filter?

Correct Answer by marcabal (Cisco Employee), Mon, 08/25/2008 - 09:36

The Never Block List only applies to Blocks being done on other devices (routers, switches, firewalls).

To prevent Denies for the same addresses you have to use Event Action Filters. Create a filter for those same addresses as the source/attacker, for ALL sigs, subsigs, dest addresses, ports, etc., and select the Deny Attacker Inline, Deny Attacker Service Pair Inline, and Deny Attacker Victim Pair Inline event actions as the Actions To Subtract.

Subtracting these actions will ensure that the inline sensor does not do any long-term blocking based on the address.

You can decide whether or not to add the Deny Packet Inline and Deny Connection Inline to this filter as well.

I recommend NOT adding them, so you can deny specific packets/connections being used in an attack even when that attack originates inside your network.

Also understand that the filter will only prevent Deny Attacker ... Inline actions being done automatically through the triggering of a signature. It will NOT prevent those addresses from being Denied if somebody manually enters an address to Deny through the CLI. (CLI-entered Denies were introduced in IPS 6.1.) (NOTE: I don't remember if IDM/IME support adding Denies manually.)
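As an added illustration, not code from this thread or from Cisco, here is a small Python model of the action subtraction described in the answer: a filter matched on the attacker address removes the three long-term Deny Attacker actions while leaving Deny Packet/Connection Inline in place, and an operator-entered deny never consults the filter. The internal networks and action names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Inline deny actions a signature can request, named as in the answer above.
LONG_TERM_DENIES = {
    "Deny Attacker Inline",
    "Deny Attacker Service Pair Inline",
    "Deny Attacker Victim Pair Inline",
}
SHORT_TERM_DENIES = {"Deny Packet Inline", "Deny Connection Inline"}


@dataclass
class EventActionFilter:
    """Hypothetical model of one Event Action Filter entry that matches
    ALL signatures, subsignatures, victims and ports, and only narrows
    on the attacker address (as the answer recommends)."""
    attacker_networks: list
    actions_to_subtract: set

    def matches(self, attacker_ip: str) -> bool:
        ip = ipaddress.ip_address(attacker_ip)
        return any(ip in net for net in self.attacker_networks)


def apply_filters(attacker_ip, requested_actions, filters):
    """Actions the sensor would actually perform for a signature trigger."""
    actions = set(requested_actions)
    for f in filters:
        if f.matches(attacker_ip):
            actions -= f.actions_to_subtract
    return actions


# Constructed stand-in for the poster's never-block networks.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
NO_LONG_TERM_DENY = EventActionFilter(INTERNAL, LONG_TERM_DENIES)


def sensor_actions(attacker_ip, requested_actions):
    return apply_filters(attacker_ip, requested_actions, [NO_LONG_TERM_DENY])


def manual_cli_deny(attacker_ip, denied_attackers):
    """Operator-entered deny (CLI, IPS 6.1+): filters are not consulted."""
    denied_attackers.add(attacker_ip)
    return attacker_ip in denied_attackers


if __name__ == "__main__":
    requested = LONG_TERM_DENIES | SHORT_TERM_DENIES | {"Produce Alert"}
    print(sorted(sensor_actions("10.1.2.3", requested)))     # inside host: packet/connection denies only
    print(sorted(sensor_actions("203.0.113.9", requested)))  # outside host: every deny kept
    print(manual_cli_deny("10.1.2.3", set()))                # True: manual deny bypasses the filter
```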