How to test blocking - new IDS install

pat.clements
Level 1

This is a new install.

I am using a 4235 IDS (ver 4.1) and IDM to control a 3600 router. I can see on the router that I am getting lots of matches in the extended access-list permit ip any any, but NO deny matches.

I have created an extended access-list for each interface I want to control.

ip access-list extended IDS_s1/0/0.1_in_0
 permit ip host "ip address of IDS sensor" any
 permit ip any any

And I have applied the access-group to the interface.

ip access-group IDS_s1/0.1_in_0 in

Lastly in IDM I have:

Enabled blocking
added the networks not to be blocked
added logical devices
added blocking device using telnet
added router blocking device interfaces
ip addr of router, interface, in, Pre-Block acl "IDS_s1/0.1_in_0"

I have tried to manual block but nothing happens.

I have also tuned the signatures reported by IEV that are HIGH severity to EventAction=RESET.

Any and all help is greatly appreciated.

4 Replies

stleary
Cisco Employee

There are several problems here.

First, it sounds like you have manually created an ACL called IDS_s1/0/0.1_in_0. If this is the case, it is not advisable to use an ACL name format reserved for IDS. For example, if when configuring IDS you specify the blocking interface with the string 's1/0/0.1', then the ACL will be removed by IDS. Also, this is an invalid pre-block ACL, since the last statement will allow all packets. It is important to understand that IDS concatenates the pre-block ACL, followed by the blocked hosts and networks, followed by the post-block ACL. In your particular example, you should not create a pre-block ACL at all. Also, if you really want to create a pre-block ACL, you should not apply it to the access group yourself; IDS will do this for you.

Second, if you want to tune a signature to test blocking, you should set the EventAction to ShunHost or ShunConnection. TCP Reset is not done through the blocking device.
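To make the ordering point concrete, here is an added model (not from the thread or from Cisco) of the ACL the sensor assembles on the router: pre-block ACL, then one deny per blocked host, then the post-block ACL, evaluated first-match the way an IOS extended access list is. The sensor address, the blocked host and the destination are constructed documentation-range values; the example puts the catch-all `permit ip any any` in the post-block ACL so non-blocked traffic still flows, since the thread does not say whether the sensor appends one itself. It also includes a shadowing check that flags any ACE an earlier ACE makes unreachable, which is exactly what the poster's trailing `permit ip any any` does to every deny the sensor inserts after it.

```python
"""Model of the ACL a Cisco IDS 4.x sensor assembles on a blocking router:
pre-block ACL, then one deny per blocked host/network, then the post-block
ACL, evaluated first-match like an IOS extended access list.
Added example; the addresses below are constructed, not from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    text: str                      # original line, kept for reporting


def _parse_addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the token list."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # Wildcard bits set to 1 are "don't care"; a contiguous wildcard maps to a prefix length.
    ones = bin(int(ipaddress.ip_address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - ones}", strict=False), tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse 'permit|deny ip <src> <dst>' (the subset of IOS syntax used in the thread)."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    src, rest = _parse_addr(tokens[2:])
    dst, rest = _parse_addr(rest)
    if rest:
        raise ValueError(f"trailing tokens in ACE: {line}")
    return Ace(action, src, dst, line)


def assemble(pre_block: List[str], blocked: List[str], post_block: List[str]) -> List[Ace]:
    """Concatenate the pieces in the order the sensor applies them."""
    acl = [parse_ace(line) for line in pre_block]
    for host in blocked:
        net = ipaddress.ip_network(host, strict=False)
        acl.append(Ace("deny", net, ANY, f"deny ip {net.with_netmask} any  (sensor block)"))
    acl += [parse_ace(line) for line in post_block]
    return acl


def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First-match lookup; returns (action, index), or ('deny', None) for the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, ace in enumerate(acl):
        if s in ace.src and d in ace.dst:
            return ace.action, idx
    return "deny", None


def shadowed_entries(acl: List[Ace]) -> List[int]:
    """Indexes of ACEs that can never match because an earlier ACE covers them completely."""
    out = []
    for i, ace in enumerate(acl):
        for earlier in acl[:i]:
            if ace.src.subnet_of(earlier.src) and ace.dst.subnet_of(earlier.dst):
                out.append(i)
                break
    return out


SENSOR = "192.0.2.250"            # constructed sensor address
BLOCKED = ["198.51.100.23/32"]    # constructed host the sensor has decided to block

# The pre-block ACL from the original post: it ends in 'permit ip any any'.
POSTED_PRE_BLOCK = [f"permit ip host {SENSOR} any", "permit ip any any"]
# The arrangement recommended in the reply: no pre-block ACL; the catch-all permit
# lives in the post-block ACL, after the sensor's deny entries.
FIXED_PRE_BLOCK: List[str] = []
FIXED_POST_BLOCK = ["permit ip any any"]


def compare() -> dict:
    """Evaluate the blocked host and an unrelated host against both assembled ACLs."""
    bad = assemble(POSTED_PRE_BLOCK, BLOCKED, [])
    good = assemble(FIXED_PRE_BLOCK, BLOCKED, FIXED_POST_BLOCK)
    victim = "203.0.113.10"        # constructed destination behind the router
    return {
        "posted_blocked_host": evaluate(bad, "198.51.100.23", victim),
        "posted_shadowed": shadowed_entries(bad),
        "fixed_blocked_host": evaluate(good, "198.51.100.23", victim),
        "fixed_other_host": evaluate(good, "203.0.113.77", victim),
        "fixed_shadowed": shadowed_entries(good),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

With the posted pre-block ACL the blocked host is permitted at index 1 and the sensor's deny at index 2 is reported as shadowed; with no pre-block ACL the deny sits first and only unrelated hosts reach the catch-all permit. The same `shadowed_entries` check is a cheap sanity test to run on any pre-block ACL before handing it to the sensor.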

I see that my recall of setting up the Netranger ver 2-3 is no longer valid.

So I should remove the extended access-lists, and the access-group on each interface. Then on the IDS delete the Pre-ACL and lastly set the signatures' EventAction to Zero or ShunHost?

To help me understand the ver 4.1 IDS, do I need to do anything to the EventAction of a signature that has a severity of High to have it automatically shunned by the router?

Thank you for your help.

Yes, that should work.

Blocking (shunning) will only occur if EventAction is set to ShunHost or ShunConnection, regardless of the AlarmSeverity value.

Of course the signature has to be enabled as well.

Thank you for your help. I have it working now.