Community Member

IDSM2 version 4.1 blocking attacks

Hello All,

We have set up an IDSM2 version 4.1 on a Cisco Catalyst 6500 switch.

We have configured it using SPAN on specific VLANs, and if we run a port sweep, we can see the alarms on the IDS viewer.

Is it possible to stop any attack by dropping packets/flows or dynamically blocking the source IP address of the attack?

Thanks in advance.

Nikos

2 REPLIES
Anonymous

Re: IDSM2 version 4.1 blocking attacks

When the system detects unauthorized activity, appliances can terminate the specific connection, permanently block the attacking host, log the incident, and send an alert to the IDS manager. Other legitimate connections continue to operate independently without interruption.

http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_installation_and_configuration_guide_chapter09186a0080358053.html

Community Member

Re: IDSM2 version 4.1 blocking attacks

The IDSM-2, as the IDS sensor, is allowed to initiate blocking to other devices either through IDM or CiscoWorks VMS (IDS MC). For automatic blocking, you just assign block as the eventAction for the desired signature, and the IDSM-2 will push a VACL to the switch.

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a00801e8181.shtml
