Cisco 4260 IPS mode but no Blocking

Unanswered Question
Jun 12th, 2009

Hi

We are running Cisco 4260 with 6.1(2)E3.

I would like to confirm that one can use Event Action Filter, to remove "Deny" actions, from every signature?

Currently we have edited each individual signature, manually removing the "Deny" action. However,I believe that with this process we will have to check after each signature update and remove any new "Deny" actions.

Thanks for your time,

Patrick

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
marcabal Fri, 06/12/2009 - 11:41

The Normalizer signatures are the only ones that are a little weird in this aspect. Some of the Normalizer signatures are protection for the sensor itself. So even if the Deny action were to be removed, the sensor may still drop the packet in order to protect its own database. Generally these deal with packets overflowing the sensor's own buffers for things like total number of fragments, number of fragments in a single datagram, number of sequences in a TCP stream that are out of order.

For signatures that are NOT in the Normalizer, yes the Event Action Filter works fine for the removal of Deny actions.

Understand, however, that Cisco does not in general send out new Enabled/Unretired signatures with default Deny Actions.

Some signature DO ship with default Deny actions, BUT these signatures are often Disabled by default, or even when Enabled the subsystem to which they belong is Disabled by default.

These signatures are generally policy type signatures.

There are 2 main policy engines AIC HTTP, and AIC FTP (AIC stands for Application Inspection and Containment)

You will see several signatures with the Default Deny action in these engines, and the signatures may even be Enabled.

BUT even if they are Enabled by default, the underlying policy engine itself is Disabled by default, and you woudl have to specifically go in and Enable the policy engine.

If you have not enabled the Policy engines, then these signatures can be ignored.

With that said, I am not quite sure I am understanding what you are trying to do.

If you create a filter to always remove Deny actions regardless of IP, then your Inline sensor will offer no protection.

Without the Inline deny actions you are just better off running in Promiscuous mode.

If it is just a few specific addresses you don't want Deny actions for, then that on the other hand would be an acceptable and good use of the filter for prevent Deny actions for specific IP addresses.

pbrjones1 Fri, 06/12/2009 - 12:02

Hi,

Thanks for your response.

The system owner wants the inline setup but feels more comfortable starting off with just alerts.

Please advise if there is a better method of accomplishing this.

Thanks,

Patrick

JACQUES DU PLESSIS Mon, 07/13/2009 - 06:26

Hi, I posted on a bit earlier regarding the same thing. It is pretty much a case that we do not want to just enable everything and block legitimate traffic. The idea would be to monitor it for a while and if everything looks good we just enable the deny action.

As far as I can gather the best way is to create an event filter to remove deny entries?

Jacques

Actions

This Discussion