I am wanting to test the auto-blocking features on the IDS. I have successfully configured the device to do MANUAL blocking, in which it adds ACLs to a Cisco IOS router, and it works great. I am interested in the auto-blocking, in which no human intervention is required. I suppose I would 1) configure a signature to "block", and 2) initiate traffic that would set that alarm off... preferably from the "outside" (internet). I think what I am needing is advice on what signature(s) to test, and what tool to trigger the signature(s), so that it will block. Any suggestions?
Accomplished, thanks! I use CSPM instead of the Unix director, but it still made sense. The only other question I have is: besides actually looking in my "shunning\blocking" device, how (hopefully using CSPM) can I tell what is currently being blocked? I am able to look at my blocking device and tell, but would like to view it from the same interface I do everything else. Thanks in advance!
Bring up the IDS Event Viewer in CSPM, and look at the different menu functions.
There should be a menu function for executing the manual blocks.
There should also be a menu function to show you the list of ips that are currently being blocked.
I can't remember specifically under which menu they are listed, and what they are called, but I have used them and know that both menu functions are there.
Simply select an alarm from that sensor and select the menu option you want. By selecting the alarm you are letting the menu function know which sensor to query. You might also try selecting the sensor itself in the Connection Status pane of the Event Viewer to let the menu function know which sensor to query.
Just set a port scan to high and block and run that scan from an outside source. I have all port scans set to high severity and to automatically block and it works great. Don't forget to add the IPs that you don't want blocked to your sensor config, i.e. your internal server addresses.
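The point in the answer above that is easiest to get wrong is the "never block" list: if an alarm's source address is one of your own servers (or a spoofed copy of one), an automatic block turns the IDS into a self-inflicted denial of service. The following is an added example, not code from Cisco or from this thread, that models that check in Python: alarm source addresses (constructed sample values) are filtered against an exclusion list of the kind the sensor config holds, and the survivors are rendered as the IOS extended ACL lines a blocking device would apply. The ACL name, the exclusion networks and the sample alarm sources are all assumptions; the rendered ACL is a simplification of what the sensor writes (a real deployment preserves any pre- and post-block ACL entries you have configured).

```python
import ipaddress

# Constructed "never block" list (assumption): addresses the answer says to
# exclude in the sensor config, such as internal servers and management hosts.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.10/32")]


def filter_block_candidates(alarm_sources, never_block=NEVER_BLOCK):
    """Split alarm source IPs into (to_block, excluded).

    to_block keeps first-seen order with duplicates removed (one alarm per
    scan is typical, but repeated alarms should not produce repeated ACL
    lines); excluded lists every source that matched the never-block list.
    """
    to_block, excluded = [], []
    for src in alarm_sources:
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in never_block):
            excluded.append(src)
        elif src not in to_block:
            to_block.append(src)
    return to_block, excluded


def render_blocking_acl(to_block, acl_name="IDS_BLOCK"):
    """Render an IOS extended named ACL (name is an assumption) that denies
    each blocked host and then permits everything else, so that applying the
    ACL never cuts off legitimate traffic by accident."""
    lines = [f"ip access-list extended {acl_name}"]
    for src in to_block:
        lines.append(f" deny ip host {src} any")
    lines.append(" permit ip any any")
    return lines


if __name__ == "__main__":
    # Constructed sample: two outside scanners (one alarming twice) and one
    # internal host that must never be shunned.
    sample_alarm_sources = ["198.51.100.7", "10.1.2.3", "198.51.100.7", "203.0.113.9"]
    blocked, skipped = filter_block_candidates(sample_alarm_sources)
    print("excluded by never-block list:", skipped)
    print("\n".join(render_blocking_acl(blocked)))
```

Run it as-is to see the rendered ACL; the internal 10.1.2.3 source is reported as excluded rather than silently dropped, which is the behaviour you want to confirm before turning automatic blocking on for high-severity scans.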
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...