Threat Detection Shun Duration Command

Answered Question
Jan 14th, 2009

I'm trying to set the shun duration for threat detection on a PIX 525 running v8.0(3). According to the documentation, if a host is considered an attacker it will shun the IP for 3600 seconds by default. What I'm seeing is that the shun is never taken off after hosts are shunned. I'd like to adjust the shun duration myself, but the PIX is not recognizing the command:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html#wp1065813

####################
Step 2 (Optional) To set the duration of the shun for attacking hosts, enter the following command:

hostname(config)# threat-detection scanning-threat shun duration seconds
##############################

pix(config)# threat-detection scanning-threat shun ?

configure mode commands/options:
  except  Keyword to exclude specified hosts from being shunned
  <cr>

Has anyone seen this?

Hutch

marcabal (Cisco Employee) Thu, 01/15/2009 - 09:24

Looks like you might be mixing things up between 2 features.

Are you talking about an IPS/IDS Sensor connecting to a Pix for Blocking/Shunning, and wanting to modify the time that the Block/Shun is in place?

If so then the time of the Block/Shun is controlled solely by the IPS/IDS sensor.

The "threat-detection scanning-threat shun" feature of the Pix should have no effect on Blocks/Shuns coming from an IPS/IDS Sensor. I am not even sure what that command is used for on the Pix.

To control the time that an IPS/IDS Sensor will Block/Shun you want to modify the "global-block-timeout". The default according to the docs is actually 30 minutes, but can be modified down to 1 minute.

http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/cli/cli_event_action_rules.html#wp1093344


mhcraig Thu, 01/15/2009 - 09:35

I'm talking about Basic Threat Detection, which is built right into the PIX and doesn't need an outside sensor to my knowledge (perhaps an outside sensor greatly extends the feature set and throughput).

This link explains the command syntax and they clearly are talking about commands that my PIX, running 8.0(3), doesn't understand:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html#wp1067533

Example - my current shun list:

pix# sh threat-detection shun

Shunned Host List:
src-ip=201.156.28.26 255.255.255.255
src-ip=66.159.78.147 255.255.255.255
src-ip=82.239.196.39 255.255.255.255
src-ip=202.185.85.78 255.255.255.255
src-ip=124.164.249.24 255.255.255.255

These IPs will stay here indefinitely unless I clear them using "clear threat-detection shun", but according to the docs they should only stay there for 1 hour.

Hutch

Correct Answer
marcabal (Cisco Employee) Thu, 01/15/2009 - 15:32

Ahh, I understand now. Since you posted on the IDS Forum I was confused and thought it was about the IDS's Block/Shun feature.

I don't deal much with the ASA/Pix firewall features. But I checked the 8.0(4) Release Notes and the "shun duration" option is a new feature in 8.0(4), which explains why it is not in 8.0(3). Is upgrading to 8.0(4) an option for you?

I am not sure why it is not removing the shuns automatically after 3600 seconds in 8.0(3). I did a quick bug check and was not able to find one.

Hopefully someone else on the list might be able to help.

If not you might try posting this question on the Firewall NetPro Forum, or even contacting the TAC.
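
As an added example (not code from the thread, from Cisco, or from either poster), a small Python helper that applies the outcome of this discussion: it parses a "show version" line and the "show threat-detection shun" output quoted above, emits the "shun duration" command only when the image is 8.0(4) or later, and on 8.0(3), where the entries never age out, falls back to clearing each listed host by hand. The per-host form of "clear threat-detection shun" and the sample version line are assumptions, not taken from the thread.

```python
import re
from typing import List, Tuple

Version = Tuple[int, int, int]

# Per the 8.0(4) release note cited in the thread, "shun duration" first appears in 8.0(4).
SHUN_DURATION_MIN_VERSION: Version = (8, 0, 4)
DEFAULT_SHUN_SECONDS = 3600  # documented default shun time

# Constructed sample input, modelled on the "sh threat-detection shun" output quoted above.
SAMPLE_SHUN_OUTPUT = """\
Shunned Host List:
src-ip=201.156.28.26 255.255.255.255
src-ip=66.159.78.147 255.255.255.255
"""
SAMPLE_VERSION_LINE = "Cisco PIX Security Appliance Software Version 8.0(3)"  # constructed

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\((\d+)\)")
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
SHUN_RE = re.compile(rf"^src-ip=({IPV4})\s+({IPV4})\s*$", re.MULTILINE)

def parse_version(text: str) -> Version:
    """Extract major.minor(maint) from a 'show version' line: 8.0(3) -> (8, 0, 3)."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError("no PIX/ASA version string of the form X.Y(Z) found")
    major, minor, maint = (int(g) for g in m.groups())
    return (major, minor, maint)

def parse_shun_list(output: str) -> List[Tuple[str, str]]:
    """Return (src-ip, mask) pairs from 'show threat-detection shun' output."""
    return SHUN_RE.findall(output)

def supports_shun_duration(version: Version) -> bool:
    """True when the image accepts 'threat-detection scanning-threat shun duration'."""
    return version >= SHUN_DURATION_MIN_VERSION

def plan_commands(version_text: str, shun_output: str,
                  duration: int = DEFAULT_SHUN_SECONDS) -> List[str]:
    """Set the shun duration where the image supports it; otherwise (the 8.0(3) case,
    where entries never age out) clear each listed host by hand."""
    version = parse_version(version_text)
    if supports_shun_duration(version):
        return [f"threat-detection scanning-threat shun duration {duration}"]
    # Per-host form of the clear command is assumed from the ASA command reference;
    # the thread itself only shows the bare "clear threat-detection shun".
    return [f"clear threat-detection shun {ip} {mask}"
            for ip, mask in parse_shun_list(shun_output)]
```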


mhcraig Thu, 01/15/2009 - 15:47

Oops - my bad. Yes, I probably shouldn't have put it there.

Thanks for the answer - that must be it. Yes, we have a valid SmartNet contract so we'll go ahead and update it to 8.0(4).

I appreciate the help,

Hutch
