07-18-2002 10:17 AM - edited 03-08-2019 11:37 PM
I am wanting to test the auto-blocking features on the IDS. I have successfully configured the device to do MANUAL blocking, in which it adds ACLs to a Cisco IOS router, and it works great. I am interested in the auto-blocking, in which no human intervention is required. I suppose I would 1) configure a signature to "block", and 2) initiate traffic that would set that alarm off...preferably from the "outside" (internet). I think what I am needing is advice on what signature(s) to test, and what tool to trigger the signature(s), so that it will block. Any suggestions?
Thanks in advance.
07-18-2002 03:28 PM
You need to modify a signature to perform a shun as an Action.
The following URL is a sample config to do just what you are after.
http://www.cisco.com/warp/public/707/shunning_director.html
HTH
R/Yusuf
08-16-2002 01:54 PM
Accomplished, thanks!...I use CSPM instead of the Unix Director, but it still made sense. The only other question I have is: besides actually looking in my "shunning\blocking" device, how (hopefully using CSPM) can I tell what is currently being blocked? I am able to look at my blocking device and tell, but would like to view it from the same interface I do everything else. Thanks in advance!
08-16-2002 02:26 PM
Bring up the IDS Event Viewer in CSPM, and look at the different menu functions.
There should be a menu function for executing the manual blocks.
There should also be a menu function to show you the list of IPs that are currently being blocked.
I can't remember specifically under which menu they are listed, and what they are called, but I have used them and know that both menu functions are there.
Simply select an alarm from that sensor and select the menu option you want. By selecting the alarm you are letting the menu function know which sensor to query. You might also try selecting the sensor itself in the Connection Status pane of the Event Viewer to let the menu function know which sensor to query.
08-16-2002 02:20 PM
Just set a port scan to high and block, and run that scan from an outside source. I have all port scans set to high severity and to automatically block, and it works great. Don't forget to add the IPs that you don't want blocked to your sensor config, i.e. your internal server addresses.
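The last reply points at the failure mode worth checking for: an internal server that gets shunned because it was left off the sensor's never-block list. As an added example (not from the thread or from Cisco), the following script parses constructed `show access-lists` output from the blocking router, lists the hosts currently denied, and flags any that fall inside the never-block networks. The ACL name and the addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `show access-lists` output from an IOS blocking router.
# The "deny ip host X any" entries stand for the host blocks a sensor adds;
# the ACL name is an assumption for illustration.
SAMPLE_ACL = """\
Extended IP access list IDS_Ethernet0_in_0
    10 permit ip host 192.168.1.5 any
    20 deny ip host 203.0.113.77 any (42 matches)
    30 deny ip host 10.0.0.25 any
    40 deny ip host 198.51.100.9 any
    50 permit ip any any
"""

# Constructed never-block list: the sensor-side exclusions for internal servers.
NEVER_BLOCK = ["10.0.0.0/8", "192.168.1.0/24"]

# Matches numbered host ACEs; lines such as the ACL header or "permit ip any any"
# deliberately do not match.
ACE_RE = re.compile(r"^\s*\d+\s+(permit|deny)\s+ip\s+host\s+(\S+)\s+any")


def parse_blocked_hosts(acl_text):
    """Return the host addresses currently denied by the ACL, in ACL order."""
    blocked = []
    for line in acl_text.splitlines():
        m = ACE_RE.match(line)
        if m and m.group(1) == "deny":
            blocked.append(ipaddress.ip_address(m.group(2)))
    return blocked


def never_block_violations(blocked, never_block):
    """Blocked hosts inside a never-block network: these should not have been
    shunned and point to a gap in the sensor's exclusion list."""
    nets = [ipaddress.ip_network(n) for n in never_block]
    return [str(h) for h in blocked if any(h in n for n in nets)]


def audit(acl_text=SAMPLE_ACL, never_block=NEVER_BLOCK):
    blocked = parse_blocked_hosts(acl_text)
    return {
        "blocked": [str(h) for h in blocked],
        "violations": never_block_violations(blocked, never_block),
    }


if __name__ == "__main__":
    result = audit()
    print("currently blocked:", ", ".join(result["blocked"]))
    for v in result["violations"]:
        print("WARNING: internal host shunned despite never-block list:", v)
```

Feed it the real router output instead of the sample and compare the violations against what the Event Viewer shows as blocked; a host appearing here but missing from the sensor's exclusion list is the configuration to fix.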