Global Correlation Reputation Filtering questions

Aug 7th, 2009

The IPS 7.x docs state that with Reputation Filtering enabled "the sensor denies access to malicious hosts that are listed in the Global Correlation database." So I assume that means that even if no signatures are matched/triggered, the mere fact that the destination IP address is in the GC will drop the packet.

If so, does this happen silently, or is an event/alert created? If it's silent, is the "ReputationFilterRuleMatch" stat from the "show stat analysis" command on the sensor the right place to look?

mkodali Fri, 08/07/2009 - 13:46
User Badges:
  • Cisco Employee,

For malicious hosts listed in the Global Correlation database, the right place to look will be "show statistics analysis-engine"; observe the counters for TcpDeniesDueToGlobalCorrelation. If the sensor is not in inline mode, then the counters will be SimulatedTcpDeniesDueToGlobalCorrelation. No events are generated for these denies.

Please note that these counters are cumulative and not reset until sensor is restarted.
