Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

How to test blocking - new IDS install

This is a new install.

I am using a 4235 IDS (ver 4.1) and IDM to control a 3600 router. I can see on the router that I am getting lots of matches in the extended access-list permit ip any any, but NO deny matches.

I have created an extended access-list for each interface I want to control.

ip access-list extended IDS_s1/0/0.1_in_0

permit ip host "ip address of IDS sensor" any

permit ip any any

And I have applied the access-group to the interface.

ip access-group IDS_s1/0.1_in_0 in

Lastly in IDM I have:

Enabled blocking

added the networks not to be blocked

added logical devices

added blocking device using telnet

added router blocking device interfaces

ip addr of router, interface, in, Pre-Block acl "IDS_s1/0.1_in_0"

I have tried to manual block but nothing happens.

I have all so tuned the signatures reported by IEV that are HIGH severerity to EventAction=RESET.

Any and all help is greatly appreciated.

Cisco Employee

Re: How to test blocking - new IDS install

There are several problems here.

First, it sounds like you have manually created an

ACL called IDS_s1/0/0.1_in_0. If this is the

case, it is not advisable to use an ACL name format

reserved for IDS. For example, if when configuring

IDS you specify the blocking interface with the

string 's1/0/0.1', then the ACL will be removed by

IDS. Also, this is an invalid pre-block ACL, since

the last statement will allow all packets. It is

important to understand that IDS concatenates the

pre-block ACL, followed by the blocked hosts and

networks, followed by the post-block ACL. In your

particular example, you should not create a pre-block

ACL at all. Also, if you really want to create a

pre-block ACL, you should not apply it to the

access group yourself; IDS will do this for you.

Second, If you want to tune a signature to test

blocking, you should set the EventAction to ShunHost

or ShunConnection. TCP Reset is not done through

the blocking device.

New Member

Re: How to test blocking - new IDS install

I see that my recall of setting up the Netranger ver 2-3 is no longer valid.

So I should remove the extended access-lists, and the access-group on each interface. Then on the IDS delete the Pre-ACL and lastly set the signatures EventAction to Zero or ShunHost?

To help me understand the ver 4.1 IDS, Do I need to do anything to the EventAction of a signature that has a severity of High to have it automatically shunned by the router?

Thank you for your help.

Cisco Employee

Re: How to test blocking - new IDS install

Yes, that should work.

Blocking (shunning) will only occur if EventAction is set to ShunHost or ShunConnection, regardless of

the AlarmSeverity value.

Of course the signature has to be enabled as well.

New Member

Re: How to test blocking - new IDS install

Thank you for your help. I have it working now.

CreatePlease to create content