New Member

Blacklisting and Whitelisting of IP

Hi,

 

Using ASA-5545 IPS and using IME to manage the IPS.

What is the best way and procedure to block an IP / IP range?

Also, how can we whitelist an IP?

 

Regards,

Jhun

  • Intrusion Prevention Systems/IDS
4 REPLIES


Please use the built-in Shun command to block an IP range.

Bronze


If you want to blacklist a large list of IP addresses (like the SpamHaus DROP list, or other known-malicious sites, for example) then create a custom IP signature in IME. 

Use the Atomic IP engine and specify the destination IP Address.  Use a variable for the list of IPs and in that variable you'll put your blocklist.

Whitelists are Event Action Overrides.  Just specify the IP and all of the sigs that you want it to be excluded from (including "all").

I have done a ton of work with blacklisting IPs in my 20+ IPS sensors.  I have written quite a few scripts to automate the update of the blacklist variables, but that uses Cisco Security Manager (CSM).  I looked at scripting this with EXPECT scripts but the CLI for the IPS sensors (plus the fact that I had 20 of them and was using CSM) made it too difficult.  If anyone else wants the scripts just let me know.  I think I've posted them before though.
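A variable-driven blocklist like the one described in the reply above depends on a clean, merged address list. The following Python is an added example, not the poster's scripts and not Cisco code: it parses a constructed `CIDR ; reference` list, rejects malformed lines, flags entries that overlap addresses you must never block, and renders a merged range string. The comma-separated `start-end` output syntax, the function names and the protected host are assumptions; check the syntax your sensor version accepts.

```python
import ipaddress

# Constructed sample in a "CIDR ; reference" layout (documentation ranges only).
SAMPLE_LIST = """\
; constructed sample blocklist
192.0.2.0/25 ; REF0001
192.0.2.128/25 ; REF0002
198.51.100.0/24 ; REF0003
198.51.100.64/26 ; REF0004
203.0.113.7 ; REF0005
not-an-address ; REF0006
"""

def parse_blocklist(text):
    """Return (IPv4 networks, rejected lines) from a ';'-commented list."""
    networks, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split(";", 1)[0].strip()
        if not entry:
            continue  # blank or comment-only line
        try:
            networks.append(ipaddress.IPv4Network(entry, strict=False))
        except ValueError:
            rejected.append(raw)  # keep for review instead of guessing
    return networks, rejected

def protected_hits(networks, protected):
    """List blocklist entries that overlap networks you must never block."""
    guard = [ipaddress.IPv4Network(p) for p in protected]
    return [str(n) for n in networks if any(n.overlaps(g) for g in guard)]

def to_variable_value(networks):
    """Merge adjacent/nested networks and render 'a-b,c' (assumed syntax)."""
    parts = []
    for net in ipaddress.collapse_addresses(networks):
        first, last = net[0], net[-1]
        parts.append(str(first) if first == last else f"{first}-{last}")
    return ",".join(parts)

if __name__ == "__main__":
    nets, bad = parse_blocklist(SAMPLE_LIST)
    hits = protected_hits(nets, ["198.51.100.200/32"])  # hypothetical admin host
    print("rejected:", bad)
    print("overlaps protected:", hits)
    print("variable value:", to_variable_value(nets))
```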

 

 

New Member


Thanks for the reply.

I will try your recommendation.

BTW, I tried to block an attacker IP from the Event Monitoring of IME.

1. Stop Attacker -> Using Inline Deny. It led me to time-based actions.

2. Then I entered the information. But after a few minutes, the entry was gone.

 

Was there a time limit for the rule to take effect? How to make it permanent?

 

Thanks.

Silver

Check the following link:

http://www.cisco.com/c/en/us/support/docs/security/ips-4200-series-sensors/111001-shun-block-config-ex.html
