Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Exclude hosts from IDS?

Hi,

I have an ASA5520 with AIP-SSM module.  I inspect in promiscuous mode.  Security vulnerability scans create tons of alerts in the IDS system.  I'd like to exclude certain IP addresses from the IDS. I tried to modify the inspection policy in ASDM but according to packet trace the packets still go through the IDS. 

What's the easiest way to do this?

Thanks

7 REPLIES
Cisco Employee

Re: Exclude hosts from IDS?

Does the IPS  actually still generate alerts for the host, though the class-map has been modified for the specific host traffic not to be sent to the AIP?

Check the packet tracer output, as you may have misread it.

This are sample outputs

1) If the ACL sends traffic for the AIP

Phase: 3
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd82d6258, priority=50, domain=ids, deny=false

###### Notice how it says DENY=FALSE  >> so send to IPS #####

2) If the ACL does not send traffic to the AIP

Phase: 3
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd82d8528, priority=50, domain=ids, deny=true

##### Notice how it says DENY=TRUE >> so do not send to IDS #####

Another way way for accomplishing this is to create event action filter on the AIP itself.

Here is the documentation for it.

http://www.cisco.com/en/US/customer/docs/security/ips/7.0/configuration/guide/idm/idm_event_action_rules.html#wp2034816

Regards,

New Member

Re: Exclude hosts from IDS?

What packet tracer are you using? I don't see this info in ASDM:

"Additional Information:

Forward Flow based lookup yields rule:
in  id=0xd82d6258, priority=50, domain=ids, deny=false"

I am looking at the Service Policy Rules..

The first one is "outside-policy" for "outside-class". In there  I have 2 acl.

First one is "do not match" from the netblock I don't want to inspect to any, with rule action ips.

Second one is "match" any any, with rule action ips.

Does this look right?

Second one is "globla_policy" "inspection_default", and that has default-inspections with 13 inspect actions.

I hope this means that in addition to IPS, the inspect action are also run for traffic coming in?

Thanks.

Cisco Employee

Re: Exclude hosts from IDS?

Let's say you want to exclude ip address 192.168.1.2 from being  scanned. Here is a sample config.

access-list aip-acl extended deny ip host 192.168.1.2 any 
access-list aip-acl extended permit ip any any
class-map aip-class
match access-list aip-acl
policy-map global_policy
class aip-class
  ips inline fail-open
service-policy global_policy global

I hope it is clear now.

PK

Cisco Employee

Re: Exclude hosts from IDS?

Since you are seeing deny=false in the portion of ips forwarding, then that will mean it is forward to the IPS still, and you probably still have some configuration that forwards the traffic to the ips for the network you did not want inspected.

Please either try to configure as provided by PK previously, or otherwise provide the service policies (global and interface), class-map, and related access-list you have (CLI commands I mean).

I was doing packet tracer through the CLI.

Thanks,

New Member

Re: Exclude hosts from IDS?

OK cool, check this out:

Phase: 5

Type: IDS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xcccb4b60, priority=51, domain=ids, deny=true

        hits=0, user_data=0xd07618d8, cs_id=0x0, flags=0x0, protocol=0

        src ip=216.35.7.96, mask=255.255.255.224, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

So, that means it bypasses the sensor? Because I'm still getting lots of events with source IPs that show deny=true....
Thanks
Cisco Employee

Re: Exclude hosts from IDS?

That is right.

I am also suggesting the command "sh service-policy flow tcp host host eq 80" to see if you are hitting the policy for the IPS. You should not.

I hope it helps.

PK

Cisco Employee

Re: Exclude hosts from IDS?

Can you please provide the configuration you have for service policy, policy map, class map, and access-list for the traffic redirection t IPS.

The packet tracer tools simulation requires you to specify input interface, and maybe there is a flow that you have not simulated where the source ip may still be directed to ips device.

Regards,

1279
Views
0
Helpful
7
Replies
CreatePlease to create content