Autoblock thru router

chloi
Level 1

If I want to block attacks that are sensed by the IDS through a router, what configuration should I place in my router?

Is there any case study on IDS?

Thanks!

8 Replies

ywadhavk
Cisco Employee

Hi,

It depends on what version and which management platform you are using.

If you are using VMS for management:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_b/vpnman/vms_2_1/idsmc11/ug/ch05.htm

If IDM/IEV 4.0, then go to the URL below:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids9/idmiev/swchap3.htm#593299

If IDM/IEV 3.x, then the one below:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids8/13876_01.htm#xtocid49

Thanks,

yatin

ywadhavk
Cisco Employee

By the way, on the target (blocking device) you do not have to configure anything except for allowing the IDS to telnet or ssh into that blocking device.

The dynamic ACL will be configured by the IDS onto this blocking device, which in your case is the router.

thanks,

yatin

I am using IDS Sensor ver. 3.1.

So that means what I need to do is just configure my IDS for those specific signatures that I want to block, then configure my blocking device and the blocking interface?

If I have more than 1 sensor, does that mean I need to configure every single sensor's signatures?

Yes. Just configure the required sigs for the action of blocking and configure the blocking through the management platform (I didn't see what it is in your case) as per the instructions in the URLs provided earlier.

If you use the VMS IDSMC, and if the sensor's configs are exactly the same, then you could use the "copy config" option to replicate the config across multiple sensors.

Thanks,

Yatin

I am using CiscoWorks IDS MC.

I had already configured my blocking device, but it seems that the router does not create any ACL... why?? The attacks are still on the network. Is there any access list number I should reserve for the sensor?

The router's IOS version is: IOS (tm) 3600 Software (C3640-I-M), Version 12.1(1)T, RELEASE SOFTWARE (fc1)

Does the IOS version affect the creation of the dynamic ACL on the router?

Hi,

Are you using SSH or telnet to the router for blocking? Try to do this manually from the sensor to the router, run debug ip packet on the router for just the traffic between the sensor and the router, and see what you get in the debug:

! Match traffic in both directions between the sensor (x.x.x.x) and the router (y.y.y.y)
access-list 101 permit ip host x.x.x.x host y.y.y.y
access-list 101 permit ip host y.y.y.y host x.x.x.x
! Debug only the packets matching ACL 101 ("deb ip pack det" is short for "debug ip packet detail")
deb ip pack det 101

thanks,

yatin
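As an added example (not from this thread or from the Cisco documentation linked above), here is what the router side can look like in IOS, covering the earlier point that the blocking device only needs to let the sensor log in, and the checks worth running when no dynamic ACL shows up. The sensor address 10.1.1.5, the management ACL number 10, the interface name, and the password placeholders are all assumptions.

```cisco
! Added example, not from the thread. Assumed: sensor at 10.1.1.5,
! management ACL 10, blocking interface FastEthernet0/0, placeholder secrets.
!
! 1. Let only the sensor reach the vty lines; the IDS logs in here to push
!    and later remove the dynamic ACL. Denied attempts are logged so an
!    unexpected management login shows up in "show logging".
access-list 10 remark Sensor management access only
access-list 10 permit host 10.1.1.5
access-list 10 deny any log
!
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 login
 password <vty-password-placeholder>
!
! 2. The sensor needs enable access to modify the ACL and interface.
enable secret <enable-secret-placeholder>
!
! 3. Prefer SSH over telnet where the IOS image supports it (SSH needs a
!    crypto feature set; telnet carries both passwords in clear text on the
!    wire, which is what the debug below would also show). Uncomment if
!    the image has SSH:
! ip domain-name example.test
! crypto key generate rsa
! line vty 0 4
!  transport input ssh
!
! 4. Checks when "the router does not create any ACL":
!    show users                          - has the sensor logged in at all?
!    show logging                        - any "access-class" denies from the sensor?
!    show ip access-lists                - did the sensor push any ACL?
!    show ip interface FastEthernet0/0   - is an inbound ACL applied on the blocking interface?
!    show running-config | include access-list   - what ACLs exist right now?
```

If "show users" never shows a session from the sensor, the problem is upstream of the router (sensor configuration not written, wrong credentials, or the vty ACL), which matches the outcome reported later in this thread. The "debug ip packet detail 101" approach from the reply above is the next step only after the management path is confirmed, and only with the ACL restriction in place, since an unrestricted packet debug can overwhelm a 3600-class router.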

I know why the router doesn't create the dynamic ACL: the IDS MC doesn't write the configuration to my sensor. I had raised this problem in another conversation.

FYI, I am using telnet to the router for blocking.
