07-14-2003 10:50 PM - edited 03-09-2019 04:02 AM
If I want to block attacks that are sensed by the IDS through a router, what configuration should I place in my router?
Is there any Case study on IDS?
Thanks!
07-15-2003 05:33 AM
Hi,
It depends on what version and which management platform you are using.
If you are using VMS for management;
If IDM/IEV 4.0, then go to the URL below:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids9/idmiev/swchap3.htm#593299
If IDM/IEV 3.x, then the one below:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids8/13876_01.htm#xtocid49
Thanks,
yatin
07-15-2003 05:35 AM
By the way, on the target (blocking device) you do not have to configure anything except for allowing the IDS to telnet or ssh into that blocking device.
The dynamic ACL will be configured by the IDS onto this blocking device, which in your case is the router.
thanks,
yatin
07-15-2003 05:23 PM
I am using IDS Sensor ver. 3.1
So, that means what I need to do is just configure my IDS for those specific signatures that I want to block, then configure my blocking device and the blocking interface?
If I have more than 1 sensor, does that mean I need to configure every single sensor's signatures?
07-15-2003 08:49 PM
Yes. Just configure the required sigs for the action of blocking and configure the blocking through the management platform (I didn't see what it is in your case) as per the instructions on the URLs provided earlier.
If you use the VMS IDSMC, and if the sensor's configs are exactly the same, then you could use the "copy config" option to replicate the config across multiple sensors.
Thanks,
Yatin
07-15-2003 11:40 PM
I am using Ciscoworks IDS MC.
I had already configured my blocking device, but it seems that the router does not create any ACL... why?? The attacks are still on the network. Is there any access list number I should reserve for the sensor?
07-16-2003 01:19 AM
The router's IOS version was: IOS (tm) 3600 Software (C3640-I-M), Version 12.1(1)T, RELEASE SOFTWARE (fc1)
Does the IOS version affect the creation of Dynamic ACL on the router?
07-16-2003 05:03 AM
Hi,
Are you using SSH or telnet to the router for blocking? Try to do this manually from the sensor to the router, run deb ip packet on the router for just the traffic between the sensor and the router, and see what you get in the deb.
access-list 101 permit ip host x.x.x.x host y.y.y.y
access-list 101 permit ip host y.y.y.y host x.x.x.x
deb ip pack det 101
thanks,
yatin
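As an added example (not from this thread, and not Cisco's own code), a small Python check for the question raised above: whether the sensor's shun entries actually landed on the router. It parses constructed "show access-lists" output and evaluates a source address against it under IOS first-match semantics. The ACL numbers 199 and 101, the addresses and the hit counts are all assumptions made up for the sample.

```python
import ipaddress
import re

# Constructed sample of IOS "show access-lists" output (addresses and hit counts made up);
# ACL 199 stands in for the list the sensor pushes shun entries into, ACL 101 is the
# sensor<->router debug filter from the post above.
SAMPLE_SHOW_ACCESS_LISTS = """\
Extended IP access list 199
    permit ip host 192.0.2.10 any
    deny ip host 203.0.113.45 any (42 matches)
    deny ip 198.51.100.0 0.0.0.255 any
    permit ip any any (1043 matches)
Extended IP access list 101
    permit ip host 192.0.2.10 host 192.0.2.1
    permit ip host 192.0.2.1 host 192.0.2.10
"""

def _parse_src(tokens):
    """Source part of an ACE ('any', 'host A', or 'A wildcard') as an IPv4Network."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32")
    # IOS wildcard masks are inverted netmasks (0 bits must match), so invert each octet.
    netmask = ".".join(str(255 - int(o)) for o in tokens[1].split("."))
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False)

def parse_access_lists(text):
    """Parse 'show access-lists' output into {acl_name: [(action, src_network), ...]}."""
    acls, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^\S.*access list (\S+)", line)
        if header:
            current = header.group(1)
            acls[current] = []
        elif (ace := re.match(r"^\s+(permit|deny)\s+\S+\s+(.*)", line)) and current:
            acls[current].append((ace.group(1), _parse_src(ace.group(2).split())))
    return acls

def first_match(acl, src_ip):
    """Action IOS takes for src_ip (source only, as shun entries deny a host to any
    destination): first matching entry wins, no match is the implicit deny."""
    ip = ipaddress.ip_address(src_ip)
    for action, src_net in acl:
        if ip in src_net:
            return action
    return "deny"

def is_shunned(show_output, acl_name, src_ip):
    """True if the named ACL, as currently on the router, denies traffic from src_ip."""
    return first_match(parse_access_lists(show_output)[acl_name], src_ip) == "deny"
```

Feed it the real "show access-lists" output captured from the router after a signature fires; if the attacking host is not denied in the blocking ACL, the sensor never wrote the entry.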
07-16-2003 05:37 PM
I know why the router doesn't create the dynamic ACL: the IDS MC doesn't write the configuration to my sensor. I had raised this problem in another conversation.
FYI, I am using telnet to the router for blocking.