Threat Detection Shun Duration Command

mhcraig
Level 1

I'm trying to set the shun duration for threat detection on a PIX 525 running v8.0(3). According to the documentation, if a host is considered an attacker it will shun the IP for 3600 seconds by default. What I'm seeing is that the shun is never being taken off after hosts are shunned. I'd like to adjust the shun duration myself, but the PIX is not recognizing the command:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html#wp1065813

####################

Step 2 (Optional) To set the duration of the shun for attacking hosts, enter the following command:

hostname(config)# threat-detection scanning-threat shun duration seconds

##############################

pix(config)# threat-detection scanning-threat shun ?

configure mode commands/options:

except Keyword to exclude specified hosts from being shunned

<cr>

Has anyone seen this?

Hutch


4 Replies

marcabal
Cisco Employee

Looks like you might be mixing things up between 2 features.

Are you talking about an IPS/IDS Sensor connecting to a Pix for Blocking/Shunning, and wanting to modify the time that the Block/Shun is in place?

If so then the time of the Block/Shun is controlled solely by the IPS/IDS sensor.

The "threat-detection scanning-threat shun" feature of the Pix should have no effect on Blocks/Shuns coming from an IPS/IDS Sensor. I am not even sure what that command is used for on the Pix.

To control the time that an IPS/IDS Sensor will Block/Shun you want to modify the "global-block-timeout". The default according to the docs is actually 30 minutes, but can be modified down to 1 minute.

http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/cli/cli_event_action_rules.html#wp1093344

I'm talking about Basic Threat Detection which is built right into the PIX and doesn't need an outside sensor to my knowledge (perhaps an outside sensor greatly extends the feature set and throughput).

This link explains the command syntax and they clearly are talking about commands that my PIX, running 8.0(3) doesn't understand:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html#wp1067533

Example - My current shun list:

pix# sh threat-detection shun

Shunned Host List:

src-ip=201.156.28.26 255.255.255.255

src-ip=66.159.78.147 255.255.255.255

src-ip=82.239.196.39 255.255.255.255

src-ip=202.185.85.78 255.255.255.255

src-ip=124.164.249.24 255.255.255.255

These IPs will stay here indefinitely unless I clear them using "clear threat-detection shun", but according to the docs they should only stay there for 1 hour.

Hutch
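A small check for the situation Hutch describes (shuns that never age out), as an added example that is not part of the thread: it parses the `show threat-detection shun` output quoted above, tracks when each host first appeared across successive snapshots, and flags hosts present longer than the documented 3600-second default. The snapshot timestamps and the polling loop are assumptions; the sample output is constructed from the list above.

```python
"""Flag threat-detection shuns that outlive the documented 3600-second default.

Added example, not from the thread. It parses plain ``show threat-detection shun``
output and compares successive snapshots; hosts present longer than the expected
duration are reported so the operator can decide whether to clear them.
Snapshot timestamps are hypothetical (seconds since the first poll).
"""
import re
from typing import Dict, List, Tuple

# Matches lines such as: src-ip=201.156.28.26 255.255.255.255
SHUN_LINE = re.compile(
    r"^\s*src-ip=(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$"
)
DEFAULT_SHUN_DURATION = 3600  # seconds, per the ASA 8.0 docs quoted in the thread


def parse_shun_list(output: str) -> List[str]:
    """Return the shunned source IPs from 'show threat-detection shun' output."""
    return [m.group(1) for line in output.splitlines() if (m := SHUN_LINE.match(line))]


def update_first_seen(first_seen: Dict[str, int], hosts: List[str], now: int) -> Dict[str, int]:
    """Keep the first-seen time of hosts still shunned; drop hosts that aged out."""
    return {ip: first_seen.get(ip, now) for ip in hosts}


def stale_shuns(first_seen: Dict[str, int], now: int,
                max_age: int = DEFAULT_SHUN_DURATION) -> List[Tuple[str, int]]:
    """Hosts shunned for more than max_age seconds, oldest first (exactly max_age is not stale)."""
    stale = [(ip, now - t0) for ip, t0 in first_seen.items() if now - t0 > max_age]
    return sorted(stale, key=lambda entry: -entry[1])


# Constructed sample, mirroring the output quoted in the thread.
SAMPLE_OUTPUT = """pix# sh threat-detection shun
Shunned Host List:
src-ip=201.156.28.26 255.255.255.255
src-ip=66.159.78.147 255.255.255.255
"""

if __name__ == "__main__":
    seen = update_first_seen({}, parse_shun_list(SAMPLE_OUTPUT), now=0)
    # Same hosts still present two hours later: both exceed the 3600 s default.
    seen = update_first_seen(seen, parse_shun_list(SAMPLE_OUTPUT), now=7200)
    for ip, age in stale_shuns(seen, now=7200):
        print(f"{ip} shunned for {age}s, longer than {DEFAULT_SHUN_DURATION}s")
```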

Ahh, I understand now. Since you posted on the IDS Forum I was confused and thought it was about the IDS's Block/Shun feature.

I don't deal much with the ASA/Pix firewall features. But I checked the 8.0(4) Release Notes and the "shun duration" option is a new feature in 8.0(4) which explains why it is not in 8.0(3). Is upgrading to 8.0(4) an option for you?

I am not sure why it is not removing the shuns automatically after 3600 seconds in 8.0(3). I did a quick bug check and was not able to find one.

Hopefully someone else on the list might be able to help.

If not you might try posting this question on the Firewall NetPro Forum, or even contacting the TAC.

Oops - My bad. Yes I probably shouldn't have put it there.

Thanks for the answer - that must be it. Yes we have a valid SmartNet contract so we'll go ahead and update it to 8.0(4).

I appreciate the help,

Hutch
