Cisco Support Community

New Member

How to track which hosts/nets are being shunned?

How do I track or audit which hosts/nets are being shunned?

3 REPLIES
Cisco Employee

Re: How to track which hosts/nets are being shunned?

For Unix Director:

Security->Show->Shun List

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids7/unix_cfg/ops.htm#xtocid817320

For CSPM:

View->Block List with the Event Viewer

Select that sensor in the Connection Status Panel or select an alarm from that sensor prior to selecting the menu option.

Cisco Employee

Re: How to track which hosts/nets are being shunned?

For the sensor CLI, use the tokens ShunHostList and ShunNetList.

Example: nrget 10003 (hostid) (orgid) 1 ShunHostList

If you are logging commands received by the sensor, you can also see the Host and Net shuns being applied and removed in the logfiles:

Example host shun: 3,1,2000/08/30,13:17:43,2000/08/30,08:17:43,10003,168,100,20000,168,100,EXEC ShunHost 10.20.30.40 1

Example host unshun: 3,2,2000/08/30,13:18:50,2000/08/30,08:18:50,10003,168,100,10003,168,100,EXEC UnshunHost 10.20.30.40

Internally the sensor maintains a file containing the shunned (blocked) hosts and networks, in case the sensor is restarted.
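
The shun and unshun records quoted in the reply above can be replayed in order to audit which hosts are still blocked. This is an added example, not part of the original replies and not Cisco tooling; it interprets only the trailing `EXEC ShunHost` / `EXEC UnshunHost` command, assumes the third and fourth comma-separated fields are a date and time, and includes one constructed log line for a second host.

```python
import re

# Constructed sample: the two log lines quoted in the reply above, plus one
# constructed line for a second host so that one shun is still active.
SAMPLE_LOG = """\
3,1,2000/08/30,13:17:43,2000/08/30,08:17:43,10003,168,100,20000,168,100,EXEC ShunHost 10.20.30.40 1
3,2,2000/08/30,13:18:50,2000/08/30,08:18:50,10003,168,100,10003,168,100,EXEC UnshunHost 10.20.30.40
3,3,2000/08/30,13:20:05,2000/08/30,08:20:05,10003,168,100,20000,168,100,EXEC ShunHost 192.0.2.7 1
"""

# Only the command text at the end of each record is interpreted. The optional
# trailing argument after the address is captured but not given a meaning here.
CMD_RE = re.compile(
    r"EXEC (ShunHost|UnshunHost) (\d{1,3}(?:\.\d{1,3}){3})(?: (\S+))?\s*$"
)


def parse_shun_events(log_text):
    """Return a list of (date, time, action, host, extra_arg) tuples."""
    events = []
    for line in log_text.splitlines():
        match = CMD_RE.search(line)
        if not match:
            continue  # not a host shun/unshun command record
        fields = line.split(",")
        # Assumption: fields 3 and 4 are the record's first date/time pair.
        date, time = fields[2], fields[3]
        action, host, extra = match.groups()
        events.append((date, time, action, host, extra))
    return events


def active_shuns(events):
    """Replay events in log order; return {host: (date, time)} still shunned."""
    active = {}
    for date, time, action, host, _extra in events:
        if action == "ShunHost":
            active[host] = (date, time)
        else:
            active.pop(host, None)  # unshun for a host not seen shunned
    return active


if __name__ == "__main__":
    events = parse_shun_events(SAMPLE_LOG)
    for event in events:
        print(*event)
    print("still shunned:", active_shuns(events))
```

Net shun records are not parsed because the thread shows no example of their log syntax.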

New Member

Re: How to track which hosts/nets are being shunned?

It would still be nice to have actions like this generate an email message or other, stronger notification (presumably all done on the Director). That would allow easy integration into ticket tracking systems, etc.
