Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
218
Views
0
Helpful
1
Replies

IDS: Blocking Lasts Longer than Setting

tscislaw_2
Level 1
Level 1

‎03-06-2003 06:53 AM - edited ‎03-09-2019 02:23 AM

IDS 4210 v3.1

PIX 515 v6.2(2)

Blocking (shunning) is configured via IDM and set at default of 15 minutes.

Been working fine so far.

Just checked my PIX and saw that a shun was entered and has lasted over 16 hours.

Whassup with that?

Tony

Labels:
0 Helpful
1 Reply 1

gfullage
Cisco Employee
Cisco Employee

‎03-10-2003 05:36 PM

If the sensor continuously sees the same alert coming from the same host, and that alert is set up to be blocked, then it'll keep adding the shun command to the PIX constantly, that could be why you're seeing it in there for so long.

Check your IDS logs, do they show a number of alerts from this shunned host, and do you see that number of alerts incrementing steadily?

You can also check the /usr/nr/var/log.$DATETIME and search for "shun" entries, this'll tell you how often the sensor has shunned that host on the PIX. If you see regular shun entries then that'd explain it. If you see only one then that shun entry has probably gotten stuck, perhaps the sensor lost connectivity with the PIX 15 hours and 45 minutes ago and the entry has been left there.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents