
Global Correlation Reputation Filtering questions

The IPS 7.x docs state that with Reputation Filtering enabled "the sensor denies access to malicious hosts that are listed in the Global Correlation database." So I assume that means that even if no signatures are matched/triggered, the mere fact that the destination IP address is in the GC will drop the packet.

If so, does this happen silently, or is an event/alert created? If it's silent, is the "ReputationFilterRuleMatch" stat from the "show stat analysis" command on the sensor the right place to look?

1 REPLY
Cisco Employee

Re: Global Correlation Reputation Filtering questions

For malicious hosts listed in the Global Correlation database, the right place to look will be "show statistics analysis-engine" and observe the counters for TcpDeniesDueToGlobalCorrelation. If the sensor is not in inline mode, then the counter will be SimulatedTcpDeniesDueToGlobalCorrelation. No events are generated for these denies.

Please note that these counters are cumulative and are not reset until the sensor is restarted.
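
Since these denies generate no events and the counters are cumulative, one way to see new Global Correlation denies is to capture the "show statistics analysis-engine" output periodically and diff the two counters between captures. The sketch below is an added example, not part of the original reply and not Cisco code; the `Name = value` line format, the `OtherCounter` line and the sample captures are assumptions constructed for illustration.

```python
import re

# Counter names exactly as given in the reply above.
GC_COUNTERS = ("TcpDeniesDueToGlobalCorrelation",
               "SimulatedTcpDeniesDueToGlobalCorrelation")
# ASSUMPTION: each counter is printed as "Name = 123" (":" is accepted too).
LINE_RE = re.compile(r"^\s*(\w+)\s*[=:]\s*(\d+)\s*$")


def parse_gc_counters(text):
    """Extract the Global Correlation deny counters from captured CLI output."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) in GC_COUNTERS:
            found[m.group(1)] = int(m.group(2))
    return found


def denies_since(previous, current):
    """New denies per counter between two polls of a cumulative counter."""
    deltas = {}
    for name, value in current.items():
        before = previous.get(name)
        if before is None:
            deltas[name] = 0              # first sighting: baseline only
        elif value < before:
            deltas[name] = value          # counter went down: sensor restarted
        else:
            deltas[name] = value - before
    return deltas


# Constructed captures (not real sensor output): two polls, then one taken
# after a sensor restart reset the counters.
POLL_1 = "   OtherCounter = 7\n   TcpDeniesDueToGlobalCorrelation = 40\n" \
         "   SimulatedTcpDeniesDueToGlobalCorrelation = 0\n"
POLL_2 = POLL_1.replace("= 40", "= 57")
POLL_3 = POLL_1.replace("= 40", "= 3")

if __name__ == "__main__":
    last = {}
    for capture in (POLL_1, POLL_2, POLL_3):
        now = parse_gc_counters(capture)
        for name, delta in denies_since(last, now).items():
            if delta:
                print(f"{name}: {delta} new denies since last poll")
        last = now
```
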
