New Member

How do I get auto-shunning working on the Pix

I have IDS 4215 and PIX 515 with failover running 6.3 image. I believe I have the IDS configured for shunning via an ssh connection to the PIX (show ssh session show connection). Latest signatures (203) are installed on the IDS – IDS see a threat (3157.6 for example) – But the PIX does not AUTO-shun the IP address of the attacker. I can manually add the IP to shun to the PIX and ‘block’ that way, but What a PAIN!

How do I get auto-shunning working on the Pix

Dana Blanchard

6 REPLIES
Silver

Re: How do I get auto-shunning working on the Pix

The shun command, when issued from an appropriately configured Cisco Secure IDS unit (PIX Firewall shunning is supported in Cisco Secure IDS 3.0), provides dynamic packet filtering in response to a Cisco Secure IDS signature by preventing new connections from an attacking host and disallowing packets from the attacking host on any existing connection(s). When possible, the connection that caused the event is terminated.

New Member

Re: How do I get auto-shunning working on the Pix

New Member

Re: How do I get auto-shunning working on the Pix

I found my answer - finally - gotta love the documentation - for those that run into the same problem and can't find the answer.

I found that each individual signature that you want to be "active" needs to be a) enabled and b) have the "EventAction" edited to change to "ShunHost" or "ShunConnection". Save the "tuned" signature, then click the update IDS icon to save tuned signatures to the IDS.

New Member

Re: How do I get auto-shunning working on the Pix

In addition to this post, I have short question.

Enabling all of the "High" risk signatures one by one will take some time. Is there any way to globally set shun for all "High" risk signatures, or is that not recommended?

New Member

Re: How do I get auto-shunning working on the Pix

You may want to make sure you have determined which of the high risk signatures create false positives in your network first.

Then you can easily change the action on multiple signatures if you are running IPS 5.X with the IDM interface. If you are still running IDS 4.X, then you can do this via the command line in bulk, or one at a time through the GUI.

New Member

Re: How do I get auto-shunning working on the Pix

If you are running IPS 5.x you could use "Event Action Overrides" to specify that a "request-block-connection" is added to all events with a risk-rating greater than xx. Have a look at: http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df7a.html#wp1030731
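As an added illustration of the override approach described in this reply (not taken from the thread or from Cisco's documentation), the following is an IPS 5.x CLI session that attaches request-block-connection to every event in an assumed risk-rating range of 90-100; the sensor hostname, the rules instance name "rules0" and the range value are assumptions, and the exact prompts may differ by software version.

```text
! Assumed IPS 5.x sensor CLI session (constructed example, not from the thread)
sensor# configure terminal
sensor(config)# service event-action-rules rules0
! Add the block-connection action as an override, not per signature
sensor(config-rul)# overrides request-block-connection
sensor(config-rul-ove)# override-item-status enabled
! Only events whose computed risk rating falls in this range get the action
! (90-100 is an assumed threshold; tune it after reviewing false positives)
sensor(config-rul-ove)# risk-rating-range 90-100
sensor(config-rul-ove)# exit
sensor(config-rul)# exit
Apply Changes:?[yes]: yes
sensor(config)# exit
! Confirm the override is in the running configuration
sensor# show configuration | include request-block-connection
```

The sensor must still have a configured blocking device (the PIX with its SSH login and enable credentials) for the resulting block requests to turn into shun entries, and a host-level variant, request-block-host, exists for cases where the whole attacking address rather than a single connection should be blocked.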
