Actually it should send a reset packet, not a FIN. The IDS sends resets in several different methods. I am not sure which Cisco uses, but it should be one or a combination of these:
1. IDS spoofs the source of the attack (attacker) and sends a reset to the victim host. This would tear down the connection on the victim, requiring the attacker to re-establish another connection.
2. IDS spoofs the victim, sending a reset to the attacker. Does the same basic thing as 1.
I personally like method 1 since it is probably quicker and less likely to give the attacker information about the IDS. The big difference between resets and shunning is that with shunning the attacker should have no access past your screening router, while with resets only that particular session is killed, meaning the attacker can still establish other connections.
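The two reset methods and the shunning alternative from the post, as an added Python model (not Cisco's code or the poster's): each endpoint honours a RST only when its sequence number is in-window, as a real TCP stack does, so the IDS must have tracked the session to tear it down. Addresses, sequence numbers and the window size are constructed.

```python
from dataclasses import dataclass, field

ATTACKER, VICTIM, WINDOW = "198.51.100.7", "203.0.113.10", 65535  # constructed values

@dataclass
class Endpoint:
    ip: str
    conns: dict = field(default_factory=dict)  # peer ip -> {"rcv_nxt": int, "state": str}

    def receive(self, pkt):
        c = self.conns.get(pkt["src"])
        if pkt["flags"] == "SYN":
            self.conns[pkt["src"]] = {"rcv_nxt": pkt["seq"] + 1, "state": "ESTABLISHED"}
            return "established"
        # A stack honours a RST only if its sequence number is inside the receive window.
        if pkt["flags"] == "RST" and c and c["rcv_nxt"] <= pkt["seq"] < c["rcv_nxt"] + WINDOW:
            c["state"] = "CLOSED"
            return "reset"
        return "ignored"

@dataclass
class ScreeningRouter:
    shunned: set = field(default_factory=set)  # ACL entries pushed by the IDS

    def forward(self, pkt, dst):
        return "dropped" if pkt["src"] in self.shunned else dst.receive(pkt)

def handshake(router, client, server, client_isn, server_isn):
    """Three-way handshake reduced to its effect on both connection tables."""
    router.forward({"src": client.ip, "flags": "SYN", "seq": client_isn}, server)
    client.receive({"src": server.ip, "flags": "SYN", "seq": server_isn})

def ids_response(router, attacker, victim, action, seq):
    if action == "reset1":   # method 1: RST spoofed attacker -> victim, kills the victim's side
        return router.forward({"src": attacker.ip, "flags": "RST", "seq": seq}, victim)
    if action == "reset2":   # method 2: RST spoofed victim -> attacker, kills the attacker's side
        return router.forward({"src": victim.ip, "flags": "RST", "seq": seq}, attacker)
    router.shunned.add(attacker.ip)  # shun: block everything from the attacker at the router
    return "shunned"

def scenario(action, rst_seq=None):
    router, attacker, victim = ScreeningRouter(), Endpoint(ATTACKER), Endpoint(VICTIM)
    handshake(router, attacker, victim, client_isn=1000, server_isn=5000)
    # An IDS that watched the handshake knows the next expected sequence number on each side.
    if rst_seq is None:
        rst_seq = (victim if action == "reset1" else attacker).conns[VICTIM if action != "reset1" else ATTACKER]["rcv_nxt"]
    outcome = ids_response(router, attacker, victim, action, rst_seq)
    states = {"victim": victim.conns[ATTACKER]["state"], "attacker": attacker.conns[VICTIM]["state"]}
    retry = router.forward({"src": ATTACKER, "flags": "SYN", "seq": 2000}, victim)  # attacker opens a new session
    return {"ids": outcome, "new_session": retry, **states}
```

Passing an out-of-window `rst_seq` shows the failure mode of a reset that was not tracked correctly: the endpoint ignores it and the session survives.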