Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

IDS 4210 Shun Table is full problem

Unanswered Question
May 7th, 2003
User Badges:

Recently my shun table has exceeded the maximim block entries (250) and I'm starting to get the following error.

"Error: Shun table is full. Shun of host xxx.xxx.xxx.xxx failed.

I have the IDS block set for 4320 minutes.

Should I decrease the about of time for blocking ?

Can I increase the block entries ?

Can another IDS system block more entries ?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
astuckey Thu, 05/08/2003 - 12:11
User Badges:

All of the above and none of the above.

What device is the sensor controlling to install these blocks?

If it's a router or switch, you don't want to issue any more blocks (ACLs can stress the switch), so you should decrease the time or the signature list or do something to lower your total number of outstanding blocks.

If the device you're controlling is a PIX, then you can consider installing more blocks. Depending on what management software you're using, raising this limit is possible.

No matter what, you should keep an eye on the rate of blocks issued and reasons for that. It's possible that something like signature 4701 (SQL worm) would be better dealt with by simply removing firewall conduits for the ports affected or ignoring continued exploit attempts once you're sure you're patched against them than by continuing to block exploit attempts. Or do something like analyze the source addresses and try to coalesce a larger netblock (class A or B) and install a block for that network by hand.

Pushing the limits should cause you to think about whether there's a better way.


This Discussion