Cisco Support Community
New Member

Question on Network and Host Blocking feature of IDSM

Hi there,

Is the IDSM capable of blocking hosts and networks by itself through manual blocking, or is it just capable of sending the blocks to its managed devices? Thanks.

4 REPLIES
Silver

Re: Question on Network and Host Blocking feature of IDSM

The IDSM is capable of blocking hosts and networks by itself through manual blocking.

New Member

Re: Question on Network and Host Blocking feature of IDSM

Thanks,

This is what I did: from the IDM I configured a certain IP address to be blocked. Monitoring > Active Host Block > Add.

I specified the IP address to be blocked inline, but the continuous ping still succeeds, and HTTP and FTP still work. Is there something missing from my configuration? I enabled blocking, of course...

Cisco Employee

Re: Question on Network and Host Blocking feature of IDSM

There is a confusion in terms.

Blocking refers to the sensor's ability to create ACLs or Shun lists on other devices.

It requires that you set up the sensor to connect to that other device.

Denying on the other hand refers to the sensor's ability to be deployed InLine and for the sensor itself to drop the offending packets.

The Host Blocking panel is only for the Blocking feature. The Host Blocking panel does not control what an InLine Sensor will "Deny".

At this time the sensor does not support the user manually adding IP Addresses to the sensor's Denied Attacker list.

Users may view the current list, clear counters for the list, or remove attacker IP addresses from the list, but may not manually add addresses to the list.

Addresses are added to the Denied Attacker list only when signatures are triggered with one of the deny-attacker-.... event actions.

You can view the Denied Attacker List through IDM:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids13/idmguide/dmmntr.htm#wp1029926

The Deny Actions do require that the sensor be deployed InLine and will not work on sensors deployed Promiscuously.

New Member

Re: Question on Network and Host Blocking feature of IDSM

Ok thanks, so that means I cannot manually block hosts inline using the host blocking feature. Thanks for the clarification.
