08-04-2006 10:09 PM - edited 03-10-2019 03:09 AM
I have a 2611xm with IOS/FW 12.4
After enabling IPS, I get the following when I run show ip inspect sessions:
Session 83E4AD08 (192.168.5.101:8)=>(192.168.240.251:0) icmp SIS_OPEN
Session 83C84EAC (192.168.5.101:8)=>(192.168.240.170:0) icmp SIS_OPEN
Session 83E4C2C8 (192.168.5.101:8)=>(192.168.240.217:0) icmp SIS_OPEN
Session 83E460E8 (192.168.5.101:8)=>(192.168.240.214:0) icmp SIS_OPEN
Session 83E41A38 (192.168.5.101:8)=>(192.168.240.186:0) icmp SIS_OPEN
Session 83E4DB40 (192.168.5.101:8)=>(192.168.241.26:0) icmp SIS_OPEN
Session 83C8E6EC (192.168.5.101:8)=>(192.168.240.155:0) icmp SIS_OPEN
Session 83C86724 (192.168.5.101:8)=>(192.168.240.153:0) icmp SIS_OPEN
Session 83E50C30 (192.168.5.101:8)=>(192.168.240.250:0) icmp SIS_OPEN
Session 83E41780 (192.168.5.101:8)=>(192.168.240.175:0) icmp SIS_OPEN
Session 83C8DC0C (192.168.5.101:8)=>(192.168.240.171:0) icmp SIS_OPEN
Session 83C8E9A4 (192.168.5.101:8)=>(192.168.240.191:0) icmp SIS_OPEN
Session 83E45608 (192.168.5.101:8)=>(192.168.240.187:0) icmp SIS_OPEN
Session 83E47138 (192.168.5.101:8)=>(192.168.241.31:0) icmp SIS_OPEN
Session 83E5FD68 (192.168.5.101:8)=>(192.168.240.164:0) icmp SIS_OPEN
Session 83C81024 (192.168.5.101:8)=>(192.168.241.79:0) icmp SIS_OPEN
Session 83E56528 (192.168.5.101:8)=>(192.168.241.69:0) icmp SIS_OPEN
Session 83E42A88 (192.168.5.101:8)=>(192.168.240.239:0) icmp SIS_OPEN
Session 83C8AB1C (192.168.5.101:8)=>(192.168.240.196:0) icmp SIS_OPEN
Session 83C84BF4 (192.168.5.101:8)=>(192.168.240.192:0) icmp SIS_OPEN
Session 83E5DF80 (192.168.5.101:8)=>(192.168.240.149:0) icmp SIS_OPEN
Session 83E5BEE0 (192.168.5.101:8)=>(192.168.240.139:0) icmp SIS_OPEN
Session 83C88254 (192.168.5.101:8)=>(192.168.240.181:0) icmp SIS_OPEN
Session 83C8DEC4 (192.168.254.161:138)=>(192.168.5.11:138) udp SIS_OPEN
Session 83C8B08C (192.168.5.101:8)=>(192.168.240.213:0) icmp SIS_OPEN
Session 83E4A798 (192.168.5.101:8)=>(192.168.240.209:0) icmp SIS_OPEN
My question is this: Why is it being allowed, and logged, but not prevented?
This machine obviously has a worm on it - but I'd like to at least be able to have the IPS block it till we can get to the machine.
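A defender-side way to pick out the pattern in that output automatically, as an added example that is not from the original post or from Cisco: it parses show ip inspect sessions lines of the form shown above and flags any source address holding ICMP sessions open to many distinct destinations, which is the host-sweep signature the poster is describing. The embedded sample output and the threshold of five targets are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the format of `show ip inspect sessions` on IOS 12.4:
# one host with ICMP sessions to many distinct destinations plus one unrelated UDP session.
# For the icmp rows the "port" fields carry ICMP type/code (8 = echo request), not ports.
SAMPLE_OUTPUT = """\
Session 83E4AD08 (192.168.5.101:8)=>(192.168.240.251:0) icmp SIS_OPEN
Session 83C84EAC (192.168.5.101:8)=>(192.168.240.170:0) icmp SIS_OPEN
Session 83E4C2C8 (192.168.5.101:8)=>(192.168.240.217:0) icmp SIS_OPEN
Session 83C8DEC4 (192.168.254.161:138)=>(192.168.5.11:138) udp SIS_OPEN
Session 83C8B08C (192.168.5.101:8)=>(192.168.240.213:0) icmp SIS_OPEN
Session 83E4A798 (192.168.5.101:8)=>(192.168.240.209:0) icmp SIS_OPEN
"""

# One session per line: id, (src:sport)=>(dst:dport), protocol, inspect state.
SESSION_RE = re.compile(
    r"^Session\s+(?P<sid>[0-9A-Fa-f]+)\s+"
    r"\((?P<src>[\d.]+):(?P<sport>\d+)\)=>\((?P<dst>[\d.]+):(?P<dport>\d+)\)\s+"
    r"(?P<proto>\w+)\s+(?P<state>\S+)\s*$"
)


def parse_sessions(text):
    """Return one dict per parsed session line; lines that do not match are skipped."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            sessions.append(m.groupdict())
    return sessions


def find_icmp_sweeps(sessions, min_targets=5):
    """Group ICMP sessions by source and return sources whose number of distinct
    destinations reaches min_targets (assumed threshold for a host sweep)."""
    targets = defaultdict(set)
    for s in sessions:
        if s["proto"].lower() == "icmp":
            targets[s["src"]].add(s["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in find_icmp_sweeps(parse_sessions(SAMPLE_OUTPUT)).items():
        print(f"{src}: ICMP sessions open to {len(dsts)} distinct hosts, e.g. {dsts[:3]}")
```

In practice the text would come from the router's CLI output rather than the embedded sample; the UDP row is kept by the parser but ignored by the sweep check.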
08-05-2006 01:22 PM
Hi, check the signatures that relate to ICMP floods; they might be configured to alert and log only by default.
I hope it helps. Please rate if it does!
08-07-2006 03:13 AM
What do I check for specifically? I read on Cisco.com that you can't configure this with the CLI:
Quote:
Action Configuration via CLI No Longer Supported
Cisco IOS IPS actions (such as resetting the TCP connection) can no longer be configured via CLI. If you are using the attack-drop.sdf signature file, the signatures are preset with actions to mitigate the attack by dropping the packet and resetting the connection, if applicable. If you are using VMS or SDM to deploy signatures to the router, you will need to tune the signatures to use the desired actions before the deployment.