Cisco Support Community
New Member

IPS Blocking Shunning and Deny Inline

I recently moved from promiscuous to inline and want to take advantage of denying packets inline. With promiscuous mode, I added my local networks to the never block list. Does the never block list apply to the deny packets inline options? If not, is there another except list, or should I write an event filter?

Accepted Solutions
Cisco Employee

Re: IPS Blocking Shunning and Deny Inline

The Never Block List only applies to Blocks being done on other devices (routers, switches, firewalls).

To prevent Denies for the same addresses you have to use Event Action Filters. Create a filter for those same addresses as the source/attacker, for ALL sigs, subsigs, dest addresses, ports, etc... and select the Deny Attacker Inline, Deny Attacker Service Pair Inline, and Deny Attacker Victim Pair Inline event actions as the Actions To Subtract.

Subtracting these actions will ensure that the inline sensor does not do any long term blocking based on the address.

You can decide whether or not to add the Deny Packet Inline and Deny Connection Inline to this filter as well.

I recommend NOT adding them so you can deny specific packets/connections being used in an attack even when that attack originates inside your network.

Also understand that the filter will only prevent Deny Attacker ... Inline actions being done automatically through the triggering of a signature. It will NOT prevent those addresses from being Denied if somebody manually enters an address to Deny through the CLI. (CLI-entered Denies were introduced in IPS 6.1.) (NOTE: I don't remember if IDM/IME support adding Denies manually.)
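
Worked CLI example of the filter described in the accepted solution. This is an added example, not configuration posted by either participant: it uses the IPS 6.x sensor CLI (`service event-action-rules rules0`), assumes two internal ranges (10.0.0.0/8 and 192.168.0.0/16) and the filter names `no-deny-attacker-10` and `no-deny-attacker-192`, all of which are placeholders. As the answer recommends, only the three Deny Attacker actions are subtracted; Deny Packet Inline and Deny Connection Inline are left in place so a signature can still drop the offending packets or connection from an internal host.

```text
sensor# configure terminal
sensor(config)# service event-action-rules rules0

! One filter entry per internal range. The attacker range is the only
! narrow field; everything else is left wide open so the filter matches
! ALL sigs, subsigs, victims, ports and risk ratings (placeholder values).
sensor(config-eve)# filters insert no-deny-attacker-10 begin
sensor(config-eve-fil)# signature-id-range 900-65535
sensor(config-eve-fil)# subsignature-id-range 0-255
sensor(config-eve-fil)# attacker-address-range 10.0.0.0-10.255.255.255
sensor(config-eve-fil)# victim-address-range 0.0.0.0-255.255.255.255
sensor(config-eve-fil)# attacker-port-range 0-65535
sensor(config-eve-fil)# victim-port-range 0-65535
sensor(config-eve-fil)# risk-rating-range 0-100
! Subtract only the long-term, address-based denies. deny-packet-inline and
! deny-connection-inline are deliberately NOT listed here.
sensor(config-eve-fil)# actions-to-remove deny-attacker-inline|deny-attacker-service-pair-inline|deny-attacker-victim-pair-inline
sensor(config-eve-fil)# filter-item-status Enabled
sensor(config-eve-fil)# stop-on-match False
sensor(config-eve-fil)# user-comment Inline equivalent of the never-block list (example)
sensor(config-eve-fil)# exit

sensor(config-eve)# filters insert no-deny-attacker-192 begin
sensor(config-eve-fil)# signature-id-range 900-65535
sensor(config-eve-fil)# subsignature-id-range 0-255
sensor(config-eve-fil)# attacker-address-range 192.168.0.0-192.168.255.255
sensor(config-eve-fil)# victim-address-range 0.0.0.0-255.255.255.255
sensor(config-eve-fil)# attacker-port-range 0-65535
sensor(config-eve-fil)# victim-port-range 0-65535
sensor(config-eve-fil)# risk-rating-range 0-100
sensor(config-eve-fil)# actions-to-remove deny-attacker-inline|deny-attacker-service-pair-inline|deny-attacker-victim-pair-inline
sensor(config-eve-fil)# filter-item-status Enabled
sensor(config-eve-fil)# stop-on-match False
sensor(config-eve-fil)# exit

sensor(config-eve)# exit
Apply Changes:?[yes]: yes

! Verify the filter entries, then confirm no internal address is sitting in
! the denied-attackers table after the next alert from an internal host.
sensor# show settings | include attacker-address-range
sensor# show statistics denied-attackers
```

Two points worth checking after applying this. `stop-on-match False` keeps filter processing going, so any filters further down the list still apply to the same event; set it to `True` only if you intend this entry to be the last word for internal attackers. And, as the answer notes, `show statistics denied-attackers` will still list an internal address if someone added it by hand from the CLI, because the filter only affects actions assigned by a triggering signature.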
