New Member

IDSM with shun on FWSM

Hi,

We have IDSM configured to block (shun) for some signatures with FWSM.

When sig 3002 is fired, the attacker is shunned by FWSM, but the issue is that sig 3001 is fired and shuns the victim, which is a normal internal user.

Any suggestions?

Cisco Employee

IDSM with shun on FWSM

Hello,

Can you paste the event here? When the signature is fired?

Mike

New Member

IDSM with shun on FWSM

Sig 3002 fires based on a port scan from the attacker (test), and then sig 3001 fires on the victim.

I need to know how I can make FWSM shun the connection only, not the host. I tried to set the event action to "block connection" instead of "block host", but it didn't work.

IDSM with shun on FWSM

Hello Ibrahim,

As Maykol said, can you paste the event here? We would like to see all the details. Also, you are telling us you removed the action for deny attacker inline and added deny connection inline, applied it, and nothing happens, right?

Please paste the event.

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

Re: IDSM with shun on FWSM

No, it is IDS, not inline. I changed the action from "block host" to "block connection" to make "shun" on FWSM for this connection instead of shunning all connections for this host.

| Severity | Date | Time | Device | Sig. Name | Sig. ID | Attacker IP | Victim IP | Actions Taken | Victim Port | Threat Rating | Risk Rating | Reputation |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| medium | 7/3/2012 | 14:03:12 | BB2-IDSM | TCP Port Sweep | 3001/0 | Y | X | shunRequested, blockConnectionRequested | 60767 | 65 | 85 | |
| medium | 7/3/2012 | 14:06:54 | BB2-IDSM | TCP Port Sweep | 3001/0 | y | x | shunRequested, blockConnectionRequested | 39992 | 65 | 85 | |
| medium | 7/3/2012 | 14:07:04 | BB2-IDSM | TCP Port Sweep | 3001/0 | y | x | shunRequested, blockConnectionRequested | 54653 | 65 | 85 | |
| medium | 7/3/2012 | 14:07:19 | BB2-IDSM | TCP Port Sweep | 3001/0 | y | x | shunRequested, blockConnectionRequested | 58554 | 65 | 85 | |
| medium | 7/3/2012 | 14:08:14 | BB2-IDSM | TCP Source Port 0 | 24199/0 | 10.20.30.25 | x | | 40219 | 85 | 85 | |

| Severity | Date | Time | Device | Sig. Name | Sig. ID | Attacker IP | Victim IP | Actions Taken | Victim Port | Threat Rating | Risk Rating | Reputation |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| low | 7/3/2012 | 14:03:12 | BB2-IDSM | TCP SYN Port Sweep | 3002/0 | X | Y | shunRequested, blockConnectionRequested | | 32 | 52 | |
| low | 7/3/2012 | 14:06:53 | BB2-IDSM | TCP SYN Port Sweep | 3002/0 | x | Y | shunRequested, blockConnectionRequested | | 32 | 52 | |
| low | 7/3/2012 | 14:07:03 | BB2-IDSM | TCP SYN Port Sweep | 3002/0 | x | y | shunRequested, blockConnectionRequested | | 32 | 52 | |
| low | 7/3/2012 | 14:07:19 | BB2-IDSM | TCP SYN Port Sweep | 3002/0 | x | Y | shunRequested, blockConnectionRequested | | 32 | 52 | |
| high | 7/3/2012 | 14:07:30 | BB2-IDSM | VxWorks Remote Debug Interface | 28779/0 | x | Y | shunRequested, blockConnectionRequested | 17185 | 60 | 80 | |
| high | 7/3/2012 | 14:07:47 | BB2-IDSM | Nmap UDP Port Sweep | 4003/0 | x | Y | shunRequested, blockConnectionRequested | | 55 | 75 | |
| high | 7/3/2012 | 14:08:34 | BB2-IDSM | Nmap UDP Port Sweep | 4003/0 | x | Y | shunRequested, blockConnectionRequested | | 55 | 75 | |
| high | 7/3/2012 | 14:11:10 | BB2-IDSM | ICMP Network Sweep w/Timestamp | 2101/0 | x | Y | shunRequested, denyPacketRequestedNotPerformed, blockConnectionRequested | | 80 | 100 | |
| high | 7/3/2012 | 14:12:12 | BB2-IDSM | ICMP Network Sweep w/Address Mask | 2102/0 | x | y | shunRequested, denyPacketRequestedNotPerformed, blockConnectionRequested | | 80 | 100 | |

Re: IDSM with shun on FWSM

Hello Ibrahim,

I would say it is being denied due to an event action override (see the high Risk Rating).

Is it a possibility to unassign the signature, retire it, and then put it back on one more time?

Can you let us know what actions are assigned to this signature in the signature policy?

Regards,

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

IDSM with shun on FWSM

Hello Jcarvaja,

I need to confirm that if I configure this signature to "block connection", the FWSM will shun the connection only.

The case is that the FWSM shuns the host, so it will deny all traffic from this host.
