Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Blocking Test on IDS 4210

I am wanting to test the auto-blocking features on the ids. I have successfully configured the device to do MANUAL blocking in which in adds ACL's to a cisco IOS router, and works great. I am interested in the auto-blocking, which no human intervention is required. I suppose i would 1) configure a signature to "block", and 2) initiate traffic that would set that alarm off...preferrably from the "outside" (internet). I think what i am needing is advice on what signature(s) to test, and what tool to trigger the signature(s), so that it will block. Any suggestions?

Thanks in advance.

Cisco Employee

Re: Blocking Test on IDS 4210

You need to modify a signature to perform to shun as an Action.

Following URL is a sample config to do just what you are after.



Community Member

Re: Blocking Test on IDS 4210

Accomplished, Thanks!...I use CSPM instead of the Unix director, but it still made sense. The only other question i have is - besides actually looking in my "shunning\blocking" device, how (hopefully using CSPM) can i tell what is currently being blocked? I am able to look at my blocking device and tell, but would like to view it from the same interface i do everything else. Thanks in advance!

Cisco Employee

Re: Blocking Test on IDS 4210

Bring up the IDS Event Viewer in CSPM, and look at the different menu functions.

There should be a menu function for executing the manual blocks.

There should also be a menu function to show you the list of ips that are currently being blocked.

I can't remember specifically under which menu they are listed, and what they are called, but I have used them and know that both menu functions are there.

Simply select an alarm from that sensor and select the menu option you want. By selecting the alarm you are letting the menu function know which sensor to query. You might also try selecting the sensor itself in the Connection Status pane of the Event Viewer to let the menu function know which sensor to query.

Community Member

Re: Blocking Test on IDS 4210

Just set a port scan to high and block and run that scan from an outside source. I have all port scans set to high severity and to automatically block and it works great. Don't forget to add your IP's that you don't want blocked to your sensor config I.E your internal server address'

CreatePlease to create content