Blocking Test on IDS 4210

I am wanting to test the auto-blocking features on the IDS. I have successfully configured the device to do MANUAL blocking, in which it adds ACLs to a Cisco IOS router, and it works great. I am interested in the auto-blocking, in which no human intervention is required. I suppose I would 1) configure a signature to "block", and 2) initiate traffic that would set that alarm off...preferably from the "outside" (Internet). I think what I need is advice on what signature(s) to test, and what tool to trigger the signature(s) with, so that it will block. Any suggestions?

Thanks in advance.


Accomplished, thanks! I use CSPM instead of the Unix Director, but it still made sense. The only other question I have is: besides actually looking in my "shunning\blocking" device, how (hopefully using CSPM) can I tell what is currently being blocked? I am able to look at my blocking device and tell, but I would like to view it from the same interface I do everything else from. Thanks in advance!


marcabal Fri, 08/16/2002 - 14:26
User Badges:
  • Cisco Employee,

Bring up the IDS Event Viewer in CSPM, and look at the different menu functions.

There should be a menu function for executing the manual blocks.

There should also be a menu function to show you the list of IPs that are currently being blocked.

I can't remember specifically under which menu they are listed, and what they are called, but I have used them and know that both menu functions are there.


Simply select an alarm from that sensor and select the menu option you want. By selecting the alarm you are letting the menu function know which sensor to query. You might also try selecting the sensor itself in the Connection Status pane of the Event Viewer to let the menu function know which sensor to query.


community Fri, 08/16/2002 - 14:20

Just set a port scan to high and block, and run that scan from an outside source. I have all port scans set to high severity and to automatically block, and it works great. Don't forget to add the IPs that you don't want blocked to your sensor config, i.e. your internal server addresses.
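To make the test plan in the two replies above concrete (fire a port-sweep signature from outside, let the sensor block the source, but keep internal servers on a never-block list), here is an added example that models the decision the sensor makes. It is not Cisco's signature engine, CSPM code, or anything from this thread: the connection-log format, the sweep threshold (5 distinct ports within 10 seconds), the address ranges and the ACL text are all assumptions chosen for illustration. It shows why the never-block list matters: an internal host that touches several ports on a server looks exactly like the attacker to the signature and would be shunned without it.

```python
"""Toy model of IDS auto-blocking on a port-sweep signature.

Constructed example: the log format, thresholds, addresses and ACL rendering
are assumptions for illustration, not the IDS 4210's real signature engine.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed connection log, one line per TCP connect: "<epoch> <src> <dst> <dport>".
# 203.0.113.7 sweeps six ports from "outside"; 192.0.2.20 is an internal host
# doing the same thing legitimately; 198.51.100.4 only ever hits port 80.
SAMPLE_LOG = """\
1029510000 203.0.113.7 192.0.2.10 21
1029510001 203.0.113.7 192.0.2.10 22
1029510001 203.0.113.7 192.0.2.10 23
1029510002 203.0.113.7 192.0.2.10 25
1029510002 203.0.113.7 192.0.2.10 80
1029510003 203.0.113.7 192.0.2.10 443
1029510005 192.0.2.20 192.0.2.10 80
1029510005 192.0.2.20 192.0.2.10 443
1029510006 192.0.2.20 192.0.2.10 22
1029510006 192.0.2.20 192.0.2.10 25
1029510007 192.0.2.20 192.0.2.10 8080
1029510007 192.0.2.20 192.0.2.10 3306
1029510010 198.51.100.4 192.0.2.10 80
1029510011 198.51.100.4 192.0.2.10 80
"""

# Assumed signature tuning: this many distinct ports on one destination
# inside the window fires the "port sweep" signature.
SWEEP_PORTS = 5
WINDOW_SECONDS = 10

# The never-block list the reply warns about: internal servers (assumed range).
NEVER_BLOCK = [ip_network("192.0.2.0/24")]


def parse_log(text):
    """Parse the constructed log into (timestamp, src, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        events.append((int(ts), ip_address(src), ip_address(dst), int(dport)))
    return events


def detect_sweeps(events, ports=SWEEP_PORTS, window=WINDOW_SECONDS):
    """Return the set of sources that hit >= `ports` distinct ports on one
    destination within any `window`-second span (sliding window per pair)."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in events:
        by_pair[(src, dst)].append((ts, dport))
    offenders = set()
    for (src, _dst), hits in by_pair.items():
        hits.sort()
        start = 0
        in_window = defaultdict(int)  # dport -> hits currently inside the window
        for ts, port in hits:
            in_window[port] += 1
            # Evict hits that fell out of the window.
            while hits[start][0] < ts - window:
                old_port = hits[start][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                start += 1
            if len(in_window) >= ports:
                offenders.add(src)
                break
    return offenders


def is_never_block(ip):
    return any(ip in net for net in NEVER_BLOCK)


def auto_block(events):
    """Apply the signature, then the never-block list. Returns (blocked, suppressed)."""
    blocked, suppressed = [], []
    for src in sorted(detect_sweeps(events), key=int):
        (suppressed if is_never_block(src) else blocked).append(str(src))
    return blocked, suppressed


def ios_acl(blocked, acl_number=199):
    """Render deny entries in the style the sensor pushes to a router (format assumed)."""
    lines = [f"access-list {acl_number} deny ip host {ip} any" for ip in blocked]
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    blocked, suppressed = auto_block(parse_log(SAMPLE_LOG))
    print("blocked:", blocked)
    print("suppressed by never-block list:", suppressed)
    print("\n".join(ios_acl(blocked)))
```

Running it blocks only the outside sweeper; the internal host trips the same signature but is suppressed, and the single-port client never fires. Comment out the `NEVER_BLOCK` entry and the internal server address lands in the deny list, which is the failure the reply is warning about.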
