Blocking Test on IDS 4210

jcooper
Level 1

I am wanting to test the auto-blocking features on the IDS. I have successfully configured the device to do MANUAL blocking, in which it adds ACLs to a Cisco IOS router, and it works great. I am interested in the auto-blocking, where no human intervention is required. I suppose I would 1) configure a signature to "block", and 2) initiate traffic that would set that alarm off...preferably from the "outside" (internet). I think what I am needing is advice on what signature(s) to test, and what tool to trigger the signature(s), so that it will block. Any suggestions?

Thanks in advance.


yusuff
Cisco Employee

You need to modify a signature to perform to shun as an Action.

Following URL is a sample config to do just what you are after.

http://www.cisco.com/warp/public/707/shunning_director.html

HTH

R/Yusuf

Accomplished, Thanks!...I use CSPM instead of the Unix director, but it still made sense. The only other question I have is - besides actually looking in my "shunning\blocking" device, how (hopefully using CSPM) can I tell what is currently being blocked? I am able to look at my blocking device and tell, but would like to view it from the same interface I do everything else. Thanks in advance!

Bring up the IDS Event Viewer in CSPM, and look at the different menu functions.

There should be a menu function for executing the manual blocks.

There should also be a menu function to show you the list of ips that are currently being blocked.

I can't remember specifically under which menu they are listed, and what they are called, but I have used them and know that both menu functions are there.

Simply select an alarm from that sensor and select the menu option you want. By selecting the alarm you are letting the menu function know which sensor to query. You might also try selecting the sensor itself in the Connection Status pane of the Event Viewer to let the menu function know which sensor to query.

community
Level 1

Just set a port scan to high and block and run that scan from an outside source. I have all port scans set to high severity and to automatically block and it works great. Don't forget to add the IPs that you don't want blocked to your sensor config, i.e. your internal server addresses.
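As an added check that is not part of this thread: a small Python script that parses the blocking router's `show access-list` output and flags any shunned address that falls inside the never-block (internal server) ranges the reply above says to exclude. The ACL sample and the ranges are constructed, and the one-deny-per-host ACL layout written by the sensor is an assumption.

```python
import ipaddress
import re

# Constructed sample of "show access-list" output from the blocking router.
# Assumption: the sensor writes one "deny ip host <addr> any" entry per
# shunned source into the ACL it manages; the addresses are made up.
SAMPLE_ACL = """\
Extended IP access list 199
    10 permit ip host 192.0.2.10 any
    20 deny ip host 203.0.113.45 any (12 matches)
    30 deny ip host 10.0.0.25 any
    40 deny ip host 198.51.100.7 any
    50 permit ip any any
"""

# Constructed never-block list: the internal servers that the sensor
# configuration should have exempted from automatic blocking.
NEVER_BLOCK = ["10.0.0.0/24", "192.0.2.10/32"]

# Sequence number is optional so older IOS output without one also matches.
DENY_HOST = re.compile(r"^\s*(?:\d+\s+)?deny\s+ip\s+host\s+(\S+)\s+any")


def blocked_hosts(acl_text):
    """Return the source addresses currently shunned by the managed ACL."""
    hosts = []
    for line in acl_text.splitlines():
        m = DENY_HOST.match(line)
        if m:
            hosts.append(ipaddress.ip_address(m.group(1)))
    return hosts


def exempt_violations(acl_text, never_block):
    """Return blocked addresses that fall inside a never-block range."""
    nets = [ipaddress.ip_network(n) for n in never_block]
    return [str(h) for h in blocked_hosts(acl_text)
            if any(h in n for n in nets)]


if __name__ == "__main__":
    print("blocked:", [str(h) for h in blocked_hosts(SAMPLE_ACL)])
    print("exempt addresses wrongly blocked:",
          exempt_violations(SAMPLE_ACL, NEVER_BLOCK))
```

Feed it the real `show access-list` output for the ACL the sensor manages; a non-empty violation list means the sensor's never-block configuration is missing an address.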
