08-08-2003 05:28 AM - edited 03-09-2019 04:21 AM
This is a new install.
I am using a 4235 IDS (ver 4.1) and IDM to control a 3600 router. I can see on the router that I am getting lots of matches in the extended access-list permit ip any any, but NO deny matches.
I have created an extended access-list for each interface I want to control.
ip access-list extended IDS_s1/0/0.1_in_0
permit ip host "ip address of IDS sensor" any
permit ip any any
And I have applied the access-group to the interface.
ip access-group IDS_s1/0.1_in_0 in
Lastly in IDM I have:
Enabled blocking
added the networks not to be blocked
added logical devices
added blocking device using telnet
added router blocking device interfaces
ip addr of router, interface, in, Pre-Block acl "IDS_s1/0.1_in_0"
I have tried to manual block but nothing happens.
I have also tuned the signatures reported by IEV that are HIGH severity to EventAction=RESET.
Any and all help is greatly appreciated.
08-08-2003 07:45 AM
There are several problems here.
First, it sounds like you have manually created an ACL called IDS_s1/0/0.1_in_0. If this is the case, it is not advisable to use an ACL name format reserved for IDS. For example, if when configuring IDS you specify the blocking interface with the string 's1/0/0.1', then the ACL will be removed by IDS. Also, this is an invalid pre-block ACL, since the last statement will allow all packets. It is important to understand that IDS concatenates the pre-block ACL, followed by the blocked hosts and networks, followed by the post-block ACL. In your particular example, you should not create a pre-block ACL at all. Also, if you really want to create a pre-block ACL, you should not apply it to the access group yourself; IDS will do this for you.
Second, if you want to tune a signature to test blocking, you should set the EventAction to ShunHost or ShunConnection. TCP Reset is not done through the blocking device.
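To illustrate the ordering point made in the reply (pre-block ACL, then shun entries, then post-block ACL, evaluated first-match), here is an added Python model; it is not code from the thread or from Cisco IDS, the addresses are constructed, and ACEs are simplified to an action plus a source.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Ace:
    """One simplified access-list entry: action plus a source ('any' or CIDR)."""
    action: str
    source: str

    def matches(self, src_ip):
        if self.source == "any":
            return True
        return ip_address(src_ip) in ip_network(self.source, strict=False)


def build_blocking_acl(pre_block, shunned_hosts, post_block):
    """Assemble the ACL in the order the reply describes: pre-block ACEs,
    one deny per shunned host, then post-block ACEs (model, not IOS output)."""
    shun_aces = [Ace("deny", f"{h}/32") for h in shunned_hosts]
    return list(pre_block) + shun_aces + list(post_block)


def evaluate(acl, src_ip):
    """IOS-style first-match evaluation with the implicit deny at the end."""
    for ace in acl:
        if ace.matches(src_ip):
            return ace.action
    return "deny"


def blocked_hosts(acl, shunned_hosts):
    """Which of the shunned hosts does this ACL actually stop?"""
    return [h for h in shunned_hosts if evaluate(acl, h) == "deny"]


# Constructed sample values (not from the thread).
SENSOR = "10.0.0.5"                       # IDS sensor management address
SHUNNED = ["192.0.2.10", "198.51.100.7"]  # hosts the sensor decided to shun
POST_BLOCK = [Ace("permit", "any")]       # traffic allowed after the shun entries

# The poster's pre-block ACL ends in 'permit ip any any', so every packet
# matches before the shun entries are ever reached.
POSTED_PRE_BLOCK = [Ace("permit", f"{SENSOR}/32"), Ace("permit", "any")]
# The reply's advice for this case: no pre-block ACL at all.
CORRECTED_PRE_BLOCK = []


def compare():
    broken = build_blocking_acl(POSTED_PRE_BLOCK, SHUNNED, POST_BLOCK)
    fixed = build_blocking_acl(CORRECTED_PRE_BLOCK, SHUNNED, POST_BLOCK)
    return blocked_hosts(broken, SHUNNED), blocked_hosts(fixed, SHUNNED)


if __name__ == "__main__":
    print(compare())  # ([], ['192.0.2.10', '198.51.100.7'])
```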
08-08-2003 08:06 AM
I see that my recall of setting up the Netranger ver 2-3 is no longer valid.
So I should remove the extended access-lists, and the access-group on each interface. Then on the IDS delete the Pre-ACL and lastly set the signatures EventAction to Zero or ShunHost?
To help me understand the ver 4.1 IDS, do I need to do anything to the EventAction of a signature that has a severity of High to have it automatically shunned by the router?
Thank you for your help.
08-08-2003 10:48 AM
Yes, that should work.
Blocking (shunning) will only occur if EventAction is set to ShunHost or ShunConnection, regardless of the AlarmSeverity value.
Of course the signature has to be enabled as well.
08-08-2003 12:34 PM
Thank you for your help. I have it working now.