08-08-2003 07:23 PM - edited 03-09-2019 04:22 AM
Can anyone explain the difference between "Dropping", "TCP Reset", and "Shunning" on a PIX?
Thanks!
08-11-2003 07:31 PM
The "drop" does not refer to dropping the connection, it simply means the PIX will drop the packet that generated the alert and not send it through. "reset" means, for TCP related alerts, that the PIX will send a TCP RST to both ends of the connection, effectively killing any TCP connection that may have been established.
Shunning can be set up on an external sensor for certain signatures. When traffic is detected for an alert that is set up to be shunned, the sensor telnets/ssh's to the PIX and applies the "shun" command on the source address of the packet(s) that generated the alert. The shun command simply means the PIX will drop any packet from that address; it's not applied to an interface specifically, but to the PIX as a whole, so it doesn't matter what interface that packet comes in on, it'll be dropped.
See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/s.htm#1026366 for details.
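To make the three behaviours concrete, here is a small toy model of a stateful PIX handling the same four-packet stream under each action. It is an added illustration written for this thread, not Cisco code: the packet format, the signature marker string, the interface names and the addresses are all constructed, and the "no connection state" rule is a simplification of how a stateful firewall treats a mid-stream TCP segment it has no entry for. What it shows is the part the answer above describes: a drop discards only the offending packet and leaves the connection alive, a reset tears the connection down so later segments of it are also lost, and a shun blocks the source on every interface.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrives on (constructed names: "outside", "dmz")
    src: str
    dst: str
    syn: bool       # True for a TCP SYN (new connection), False for a mid-stream segment
    payload: bytes = b""


def matches_signature(pkt: Packet) -> bool:
    # Stand-in for an IDS signature; the marker string is constructed for this example.
    return b"ATTACK-MARKER" in pkt.payload


@dataclass
class Pix:
    action: str                                     # "drop", "reset" or "shun"
    connections: set = field(default_factory=set)   # (src, dst) pairs with live TCP state
    shunned: set = field(default_factory=set)       # source addresses under "shun"

    def handle(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst)
        # "shun" is global to the box: the inbound interface is irrelevant.
        if pkt.src in self.shunned:
            return "dropped (shunned)"
        if matches_signature(pkt):
            if self.action == "drop":
                # Only the offending packet is discarded; the connection entry survives.
                return "dropped (signature)"
            if self.action == "reset":
                # RST goes to both ends and the PIX forgets the connection.
                self.connections.discard(key)
                return "reset (RST to both ends)"
            if self.action == "shun":
                # Sensor pushes "shun <src>"; from now on every packet from src is dropped.
                self.shunned.add(pkt.src)
                return "dropped (shun %s)" % pkt.src
        # Stateful forwarding: a SYN creates state, anything else needs existing state.
        if pkt.syn:
            self.connections.add(key)
            return "forwarded"
        if key in self.connections:
            return "forwarded"
        return "dropped (no connection state)"


def run_scenario(action: str) -> list:
    """Feed the same four constructed packets through a PIX configured for `action`."""
    pix = Pix(action)
    stream = [
        Packet("outside", "198.51.100.7", "203.0.113.10", syn=True),                               # handshake
        Packet("outside", "198.51.100.7", "203.0.113.10", syn=False, payload=b"GET /ATTACK-MARKER"),  # trips signature
        Packet("outside", "198.51.100.7", "203.0.113.10", syn=False, payload=b"GET /index.html"),     # same connection
        Packet("dmz", "198.51.100.7", "203.0.113.20", syn=True),                                   # new flow, other interface
    ]
    return [pix.handle(p) for p in stream]


if __name__ == "__main__":
    for action in ("drop", "reset", "shun"):
        print(action, run_scenario(action))
```

Running it shows the difference from the sender's side: under "drop" the third packet still gets through because the connection is intact, under "reset" it is lost because the PIX no longer has state for it, and under "shun" even the unrelated SYN arriving on the other interface is dropped.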
08-09-2003 01:09 AM
AFAIK, dropping is what happens to packets that do not match an explicit rule, shunning is what happens when you set up a cisco IDS to dynamically block traffic and a TCP reset I would think would be due to a standard reset flag in the TCP header.
Cheers,
Steve
08-11-2003 05:38 PM
I'm looking for info about what specifically happens to a connection (from the intruder's point of view) when it is dropped/shunned/reset.
What is the difference specifically between "dropping" a connection and "resetting" that same connection?