
New Member

CSPM 2.3.1i DEMO Features (IP Blocking)

Hello,

I'm using the CSPM Demo license. Event reporting is working fine, but I can't get the IDS (4210) to block the attacker IP. I generated an ICMP flood event; the IDS reported it correctly to the CSPM but didn't try to block it. I have defined the blocking devices and modified the signature actions.

I'm wondering if the demo version does support blocking or if I should be looking somewhere else.

2 REPLIES
New Member

Re: CSPM 2.3.1i DEMO Features (IP Blocking)

The demo version does support blocking, but you may be running into a bug in 2.3.1i. Please use 2.3.3i - it definitely works. You may just have a configuration issue.

Here's a path to help you resolve it:

When operating properly, the netrangr user will always be logged into the blocking device so that it can apply an ACL, and modify that ACL as necessary. Also, if you enable logging on your sensor (archiving, not ip logging), then you will also be able to monitor your sensor logs to see if a shun action was executed to be sent to the blocking device.

1) If you log into your router, does it show the netrangr user logged in?

If not, then you need to check your sensor's /usr/nr/etc/managed file to make sure that it is properly configured to telnet to your blocking device. Try logging into your sensor, then telnetting to your blocking device and logging in, and going into enable mode. If you can't do it manually from your sensor, then your sensor won't be able to either.

2) If you have enabled logging on your logging tab in CSPM, then pushed that config out to the sensor, then loggerd should be one of the daemons running on the sensor. Then, appropriate events will be logged in /usr/nr/var/log. Included in those events will be the generation of your icmp flood alarm, as well as the command to shun the origin (assuming that managed and packetd have been appropriately modified by CSPM to block).

HTH

Jeff
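A small sensor-side diagnostic in the spirit of Jeff's checklist, added here as an example (it is not from the thread or from Cisco). The /usr/nr paths and daemon names are the ones named above; the log line format and sample IPs are constructed, and real loggerd output differs, so the ALARM/SHUN/src= patterns are assumptions to adapt.

```shell
#!/bin/sh
# Added example, not from the thread or from Cisco. Paths come from Jeff's reply;
# the log line format used here is CONSTRUCTED (real loggerd output differs),
# so adapt the ALARM/SHUN/src= patterns to what your sensor actually writes.
NR_MANAGED_CONF="${NR_MANAGED_CONF:-/usr/nr/etc/managed}"
NR_LOG_DIR="${NR_LOG_DIR:-/usr/nr/var/log}"

# 0 if every daemon named in $2.. appears in the process listing saved in file $1.
daemons_running() {
  ps_file=$1; shift
  for d in "$@"; do grep -qw -- "$d" "$ps_file" || return 1; done
}
# Print, one per line, the source IPs that raised a flood alarm in log file(s) $@.
flood_sources() {
  grep -h 'ALARM' "$@" 2>/dev/null | grep -i 'flood' \
    | sed -n 's/.*src=\([0-9.]*\).*/\1/p' | sort -u
}
# 0 if a SHUN line for source IP $1 exists in log file(s) $2..
shun_seen() {
  ip=$1; shift
  grep -h 'SHUN' "$@" 2>/dev/null | grep -qF "src=$ip"
}
# Flood sources that were never shunned: the gap the original poster is chasing.
unshunned_flood_sources() {
  for ip in $(flood_sources "$@"); do
    shun_seen "$ip" "$@" || echo "$ip"
  done
}
# Write constructed sample log lines to file $1 (for trying this offline).
write_sample_log() {
  cat > "$1" <<'EOF'
2002-01-10 10:00:01 packetd ALARM name="ICMP Flood" src=10.1.1.5 dst=10.1.1.20
2002-01-10 10:00:02 managed SHUN src=10.1.1.5 device=192.168.0.1
2002-01-10 10:05:00 packetd ALARM name="ICMP Flood" src=10.1.1.7 dst=10.1.1.20
EOF
}

# Live run on the sensor: each message maps to one of the checks in the reply.
check_sensor() {
  ps_out=$(mktemp); ps -ef > "$ps_out" 2>/dev/null || ps aux > "$ps_out"
  [ -r "$NR_MANAGED_CONF" ] || echo "no readable $NR_MANAGED_CONF: blocking device not configured"
  daemons_running "$ps_out" managed loggerd packetd \
    || echo "managed/loggerd/packetd not all running: re-push the CSPM config"
  rm -f "$ps_out"
  for ip in $(unshunned_flood_sources "$NR_LOG_DIR"/*); do
    echo "flood alarm from $ip but no shun logged: check signature action and managed"
  done
}
```

Run `check_sensor` on the sensor itself; to try the log logic offline, call `write_sample_log /tmp/x.log` and then `unshunned_flood_sources /tmp/x.log`.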

New Member

Re: CSPM 2.3.1i DEMO Features (IP Blocking)

Jeff,

Thanks. Upgrading to version 2.3.3i solved it. The IDS now blocks correctly.

Brgds,

Yasser
