Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
531
Views
0
Helpful
3
Replies

Cisco 4260 IPS mode but no Blocking

pbrjones1
Level 1
Level 1

‎06-12-2009 09:59 AM - edited ‎03-10-2019 04:39 AM

Hi

We are running Cisco 4260 with 6.1(2)E3.

I would like to confirm that one can use Event Action Filter, to remove "Deny" actions, from every signature?

Currently we have edited each individual signature, manually removing the "Deny" action. However,I believe that with this process we will have to check after each signature update and remove any new "Deny" actions.

Thanks for your time,

Patrick

Labels:
0 Helpful
3 Replies 3

marcabal
Cisco Employee
Cisco Employee

‎06-12-2009 11:41 AM

The Normalizer signatures are the only ones that are a little weird in this aspect. Some of the Normalizer signatures are protection for the sensor itself. So even if the Deny action were to be removed, the sensor may still drop the packet in order to protect its own database. Generally these deal with packets overflowing the sensor's own buffers for things like total number of fragments, number of fragments in a single datagram, number of sequences in a TCP stream that are out of order.

For signatures that are NOT in the Normalizer, yes the Event Action Filter works fine for the removal of Deny actions.

Understand, however, that Cisco does not in general send out new Enabled/Unretired signatures with default Deny Actions.

Some signature DO ship with default Deny actions, BUT these signatures are often Disabled by default, or even when Enabled the subsystem to which they belong is Disabled by default.

These signatures are generally policy type signatures.

There are 2 main policy engines AIC HTTP, and AIC FTP (AIC stands for Application Inspection and Containment)

You will see several signatures with the Default Deny action in these engines, and the signatures may even be Enabled.

BUT even if they are Enabled by default, the underlying policy engine itself is Disabled by default, and you woudl have to specifically go in and Enable the policy engine.

If you have not enabled the Policy engines, then these signatures can be ignored.

With that said, I am not quite sure I am understanding what you are trying to do.

If you create a filter to always remove Deny actions regardless of IP, then your Inline sensor will offer no protection.

Without the Inline deny actions you are just better off running in Promiscuous mode.

If it is just a few specific addresses you don't want Deny actions for, then that on the other hand would be an acceptable and good use of the filter for prevent Deny actions for specific IP addresses.

0 Helpful

pbrjones1
Level 1
Level 1
In response to marcabal

‎06-12-2009 12:02 PM

Hi,

Thanks for your response.

The system owner wants the inline setup but feels more comfortable starting off with just alerts.

Please advise if there is a better method of accomplishing this.

Thanks,

Patrick

0 Helpful

JACQUES DU PLESSIS
Level 1
Level 1
In response to marcabal

‎07-13-2009 06:26 AM

Hi, I posted on a bit earlier regarding the same thing. It is pretty much a case that we do not want to just enable everything and block legitimate traffic. The idea would be to monitor it for a while and if everything looks good we just enable the deny action.

As far as I can gather the best way is to create an event filter to remove deny entries?

Jacques

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card