823 Views, 6 Helpful, 3 Replies

Drop / Reset / Shun

r-lemaster
Level 1

Can anyone explain the difference between "Dropping", "TCP Reset", and "Shunning" on a PIX?

Thanks!


3 Replies

perceive
Level 1

AFAIK, dropping is what happens to packets that do not match an explicit rule, shunning is what happens when you set up a cisco IDS to dynamically block traffic and a TCP reset I would think would be due to a standard reset flag in the TCP header.

Cheers,

Steve

I'm looking for info about what specifically happens to a connection (from the intruder's point of view) when it is dropped/shunned/reset.

What is the difference specifically between "dropping" a connection and "resetting" that same connection?

The "drop" does not refer to dropping the connection, it simply means the PIX will drop the packet that generated the alert and not send it through. "reset" means, for TCP related alerts, that the PIX will send a TCP RST to both ends of the connection, effectively killing any TCP connection that may have been established.

Shunning can be set up on an external sensor for certain signatures. When traffic is detected for an alert that is set up to be shunned, the sensor telnets/ssh's to the PIX and applies the "shun" command on the source address of the packet(s) that generated the alert. The shun command simply means the PIX will drop any packet from that address, it's not applied to an interface specifically, but to the PIX as a whole so it doesn't matter what interface that packet comes in on, it'll be dropped.

See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/s.htm#1026366 for details.
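To make the three outcomes concrete from the sender's side, here is an added toy model in Python (constructed for this thread, not Cisco code or the PIX implementation); the addresses, interface names and the `Packet`/`Pix` classes are assumptions, and the model covers TCP only.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str           # interface the packet arrived on
    alert: bool = False  # True if the packet matches an IDS signature

@dataclass
class Pix:
    shunned: set = field(default_factory=set)      # source addresses blocked box-wide
    connections: set = field(default_factory=set)  # (src, dst) pairs seen as established
    rst_sent: list = field(default_factory=list)   # hosts that were sent a TCP RST

    def handle(self, pkt: Packet, action: str) -> str:
        """Apply the signature action to one packet; returns 'forwarded', 'dropped' or 'reset'."""
        # A shun is checked first and ignores the interface: any packet from that source dies.
        if pkt.src in self.shunned:
            return "dropped"
        if not pkt.alert:
            self.connections.add((pkt.src, pkt.dst))
            return "forwarded"
        if action == "drop":
            # Only the offending packet is discarded; an established connection is left alone.
            return "dropped"
        if action == "reset":
            self.rst_sent.extend([pkt.src, pkt.dst])      # RST goes to both ends
            self.connections.discard((pkt.src, pkt.dst))  # connection state is torn down
            return "reset"
        if action == "shun":
            self.shunned.add(pkt.src)  # what the sensor's "shun <src>" command installs
            return "dropped"
        raise ValueError(f"unknown action {action!r}")

def scenario(action: str) -> dict:
    """Constructed traffic: an established session, one alert packet, then follow-up traffic."""
    pix = Pix()
    setup = Packet("10.0.0.5", "192.0.2.10", "outside")
    bad = Packet("10.0.0.5", "192.0.2.10", "outside", alert=True)
    later_other_iface = Packet("10.0.0.5", "192.0.2.20", "dmz")   # same source, other interface
    other_host = Packet("10.0.0.6", "192.0.2.10", "outside")      # unrelated source
    return {
        "setup": pix.handle(setup, action),
        "alert": pix.handle(bad, action),
        "conn_alive": ("10.0.0.5", "192.0.2.10") in pix.connections,
        "rst_to": list(pix.rst_sent),
        "later_other_iface": pix.handle(later_other_iface, action),
        "other_host": pix.handle(other_host, action),
    }
```

Running `scenario` with each action shows the difference the reply describes: "drop" loses one packet and leaves the session up, "reset" kills the session with RSTs to both ends, and "shun" keeps discarding everything from that source on every interface while other hosts are unaffected.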