
New Member

Can one IP take up multiple slots in the shun list?

Can one packet flag multiple signatures? If so, would one IP address be placed in the shun list multiple times if those signatures were set to shun? We are seeing instances where an IP is being placed in the shun list multiple times in the same second. The router will not accept multiples of the same command, so the access-list on the router is fine. However, is the shun table on the sensor holding slots (250 max) for IPs that are already being shunned for another signature? It looks like that in our TACACS logs.

tacacs.acct.log:Mon Sep 30 00:59:06 2002 {IP of router} {sensor} tty1 {IP of sensor}stop task_id=4275809 start_time=1033372745 timezone=MST service=shell priv-lvl=15 cmd=deny ip host 61.132.120.213 any

tacacs.acct.log:Mon Sep 30 00:59:06 2002 {IP of router} {sensor} tty1 {IP of sensor}stop task_id=5431772 start_time=1033372745 timezone=MST service=shell priv-lvl=15 cmd=deny ip host 61.132.120.213 any

tacacs.acct.log:Mon Sep 30 00:59:07 2002 {IP of router} {sensor} tty1 {IP of sensor}stop task_id=4275815 start_time=1033372745 timezone=MST service=shell priv-lvl=15 cmd=deny ip host 61.132.120.213 any

tacacs.acct.log:Mon Sep 30 00:59:07 2002 {IP of router} {sensor} tty1 {IP of sensor}stop task_id=5431778 start_time=1033372745 timezone=MST service=shell priv-lvl=15 cmd=deny ip host 61.132.120.213 any

tacacs.acct.log:Mon Sep 30 00:59:09 2002 {IP of router} {sensor} tty1 {IP of sensor}stop task_id=4275821 start_time=1033372745 timezone=MST service=shell priv-lvl=15 cmd=deny ip host 61.132.120.213 any

tacacs.acct.log:Mon Sep 30 00:59:09 2002 {IP of router} {sensor} tty1 {IP of sensor}stop task_id=5431784 start_time=1033372745 timezone=MST service=shell priv-lvl=15 cmd=deny ip host 61.132.120.213 any

tacacs.acct.log:Mon Sep 30 00:59:10 2002 {IP of router} {sensor} tty1 {IP of sensor}stop task_id=4275827 start_time=1033372745 timezone=MST service=shell priv-lvl=15 cmd=deny ip host 61.132.120.213 any

tacacs.acct.log:Mon Sep 30 00:59:10 2002 {IP of router} {sensor} tty1 {IP of sensor}stop task_id=5431790 start_time=1033372745 timezone=MST service=shell priv-lvl=15 cmd=deny ip host 61.132.120.213 any

thanks,

Geoff

1 REPLY
Cisco Employee

Re: Can one IP take up multiple slots in the shun list?

IDS will not place a host IP on an ACL more than once. If another shun is received while the first shun is still active, then an internal timer is updated, but not the ACL. Only one of the 250 slots is used for each IP, no matter how many shuns of that IP occur. If your sensor is controlling more than one interface on the router, then the IP will be written to each interface's ACL. This may appear at first glance to be a multiple write of an IP to an ACL. Or if multiple shuns are occurring in succession, then each time the ACL is rebuilt, the IP will be shunned, which may also appear to be a multiple write. Unlikely here though, because of the apparent minimal time between logs. The best way to see exactly what the sensor is doing on the router when a shun is received is to snoop the connection between the sensor and the router. If you think your sensor is applying the same IP multiple times, then please open a TAC case; I will be glad to take a look at it.
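As an added example (not part of the thread above and not a Cisco tool), the script below parses tacacs.acct.log lines in the layout Geoff posted and reports, for each shunned host, how many times the `deny ip host ... any` command was sent and how far apart the pushes were. That is the cheap first check before snooping the sensor-to-router connection: it separates "the sensor re-sent the command" from "the ACL holds duplicate entries", which the router prevents anyway. The sample lines are constructed, with RFC 5737 documentation addresses in the slots the post shows as `{IP of router}` and `{IP of sensor}`; function names such as `summarise_shuns` are this example's own.

```python
"""Summarise shun (ACL deny) pushes recorded in a TACACS+ accounting log.

Added example, not Cisco code. Groups 'deny ip host X any' commands by host
so repeated pushes of the same entry stand out. The line layout follows the
tacacs.acct.log excerpt in the post; sample lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the post's layout (documentation addresses only).
SAMPLE_LOG = """\
tacacs.acct.log:Mon Sep 30 00:59:06 2002 192.0.2.1 sensor1 tty1 192.0.2.50 stop task_id=4275809 start_time=1033372745 timezone=MST service=shell priv-lvl=15 cmd=deny ip host 198.51.100.7 any
tacacs.acct.log:Mon Sep 30 00:59:06 2002 192.0.2.1 sensor1 tty1 192.0.2.50 stop task_id=5431772 start_time=1033372745 timezone=MST service=shell priv-lvl=15 cmd=deny ip host 198.51.100.7 any
tacacs.acct.log:Mon Sep 30 00:59:07 2002 192.0.2.1 sensor1 tty1 192.0.2.50 stop task_id=4275815 start_time=1033372745 timezone=MST service=shell priv-lvl=15 cmd=deny ip host 198.51.100.7 any
tacacs.acct.log:Mon Sep 30 00:59:09 2002 192.0.2.1 sensor1 tty1 192.0.2.50 stop task_id=4275821 start_time=1033372745 timezone=MST service=shell priv-lvl=15 cmd=deny ip host 198.51.100.7 any
tacacs.acct.log:Mon Sep 30 00:59:30 2002 192.0.2.1 sensor1 tty1 192.0.2.50 stop task_id=4275830 start_time=1033372790 timezone=MST service=shell priv-lvl=15 cmd=deny ip host 198.51.100.9 any
tacacs.acct.log:Mon Sep 30 00:59:31 2002 192.0.2.1 sensor1 tty1 192.0.2.50 stop task_id=4275833 start_time=1033372790 timezone=MST service=shell priv-lvl=15 cmd=show access-lists
"""

# One accounting record: optional "file:" prefix, timestamp, router, user,
# tty, sensor, start/stop, then the attribute=value list.
LINE_RE = re.compile(
    r"^(?:[^:]+:)?"
    r"(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<router>\S+) (?P<user>\S+) (?P<tty>\S+) (?P<sensor>\S+?) ?"
    r"(?P<status>start|stop) "
    r"(?P<attrs>.*)$"
)
# key=value pairs; the last value (cmd=...) may contain spaces.
ATTR_RE = re.compile(r"(\S+?)=(.*?)(?=\s+\S+?=|$)")
# Shun command as written by the sensor (per the post's log lines).
SHUN_RE = re.compile(r"^deny ip host (?P<host>\S+) any$")


def parse_log(text):
    """Return a list of dicts (time, router, task_id, cmd) for parseable lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not accounting records
        attrs = dict(ATTR_RE.findall(m.group("attrs")))
        records.append({
            "time": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
            "router": m.group("router"),
            "task_id": attrs.get("task_id"),
            "cmd": attrs.get("cmd", ""),
        })
    return records


def summarise_shuns(records):
    """Per shunned host: push count, first/last push, total span and widest gap."""
    by_host = defaultdict(list)
    for r in records:
        m = SHUN_RE.match(r["cmd"])
        if m:
            by_host[m.group("host")].append(r["time"])
    summary = {}
    for host, times in by_host.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary[host] = {
            "pushes": len(times),
            "first": times[0],
            "last": times[-1],
            "span_s": (times[-1] - times[0]).total_seconds(),
            "max_gap_s": max(gaps) if gaps else 0.0,
        }
    return summary


def repeated_pushes(summary, min_pushes=2):
    """Hosts whose deny entry was sent at least min_pushes times.

    The router keeps one ACL entry per host regardless, so this counts how
    often the sensor re-sent the command, not how many ACL lines exist.
    """
    return sorted(h for h, s in summary.items() if s["pushes"] >= min_pushes)


if __name__ == "__main__":
    summary = summarise_shuns(parse_log(SAMPLE_LOG))
    for host, s in sorted(summary.items()):
        print(f"{host}: {s['pushes']} push(es) over {s['span_s']:.0f}s, "
              f"widest gap {s['max_gap_s']:.0f}s")
    print("re-sent hosts:", repeated_pushes(summary))
```

Run it against a real tacacs.acct.log by replacing `SAMPLE_LOG` with the file contents; the number of distinct hosts in the summary, not the push count, is what counts against the sensor's 250 slots according to the reply above.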
