I have an IDS 4215 and a PIX 515 with failover running the 6.3 image. I believe I have the IDS configured for shunning via an SSH connection to the PIX (show ssh session, show connection). The latest signatures (203) are installed on the IDS. The IDS sees a threat (3157.6 for example), but the PIX does not AUTO-shun the IP address of the attacker. I can manually add the IP to shun on the PIX and block it that way, but what a PAIN!
The shun command, when issued from an appropriately configured Cisco Secure IDS unit (PIX Firewall shunning is supported in Cisco Secure IDS 3.0), provides dynamic packet filtering in response to a Cisco Secure IDS signature by preventing new connections from an attacking host and disallowing packets from the attacking host on any existing connection(s). When possible, the connection that caused the event is terminated.
I found my answer - finally - gotta love the documentation - for those that run into the same problem and can't find the answer.
I found that each individual signature that you want to be "active" needs to be a) enabled and b) have the "EventAction" edited to "ShunHost" or "ShunConnection". Save the "tuned" signature, then click the update IDS icon to save the tuned signatures to the IDS.
You may want to make sure you have determined which of the high risk signatures create false positives in your network first.
Then you can easily change the action on multiple signatures if you are running IPS 5.X with the IDM interface. If you are still running IDS 4.X, then you can do this via the command line in bulk, or one at a time through the GUI.