02-11-2003 10:06 PM - edited 02-20-2020 10:33 PM
How do I configure the PIX for IP blocking when my IDS detects anomalous activity?
My IDS version is 3.0(1)S4
I have a CSPM version 2.3.3i
02-13-2003 05:05 PM
You don't really configure the PIX, you just need to configure the sensor (via CSPM) to do blocking. When the sensor detects a signature that is set up for blocking, it will telnet/SSH to the PIX and add a "shun" command that will drop all packets from the signature source.
http://www.cisco.com/univercd/cc/td/doc/product/ismg/policy/ver23i/idsguide/ch03.htm#57747
Note that for a PIX, there is no interface to apply this to; the shun gets applied to all incoming packets on all interfaces.
You then need to modify the particular signature so that one of its Actions is to block.
http://www.cisco.com/univercd/cc/td/doc/product/ismg/policy/ver23i/idsguide/ch05.htm#xtocid263714
BTW, I would seriously consider upgrading your signatures; you are about 25 signature releases and 4 service packs behind now.
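The blocking decision described in the answer above, sketched as an added example that is not part of the original post and is not Cisco's sensor code: it turns alerts into the `shun` commands that would be sent to the PIX. The alert line format, the signature IDs and the never-block list are assumptions made for illustration; the never-block check is included because a shun drops all packets from the source on every interface.

```python
import ipaddress

# Constructed sample alerts (hypothetical format, not real sensor output).
SAMPLE_ALERTS = [
    "sig=9001 src=203.0.113.7 dst=192.0.2.10",
    "sig=9002 src=198.51.100.23 dst=192.0.2.10",  # signature not set to block
    "sig=9001 src=203.0.113.7 dst=192.0.2.11",    # repeat of an already shunned source
    "sig=9001 src=192.0.2.1 dst=192.0.2.10",      # source inside the never-block range
    "sig=9001 src=not-an-ip dst=192.0.2.10",      # malformed source address
]

def parse_alert(line):
    """Return (signature_id, source_address) from one key=value alert line."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return int(fields["sig"]), ipaddress.ip_address(fields["src"])

def plan_shuns(alert_lines, blocking_sigs, never_block):
    """Build the PIX 'shun <ip>' commands for alerts whose signature has a block action.

    blocking_sigs: signature IDs configured with the block action (assumed values).
    never_block:   networks that must never be shunned (assumed list), for example
                   your own gateways and management hosts.
    """
    protected = [ipaddress.ip_network(n) for n in never_block]
    commands, seen = [], set()
    for line in alert_lines:
        try:
            sig, src = parse_alert(line)
        except (KeyError, ValueError):
            continue  # skip alerts that cannot be parsed instead of guessing
        if sig not in blocking_sigs or src in seen:
            continue
        if any(src in net for net in protected):
            continue  # a shun here would cut off a protected host on all interfaces
        seen.add(src)
        commands.append(f"shun {src}")
    return commands

if __name__ == "__main__":
    for cmd in plan_shuns(SAMPLE_ALERTS, {9001}, ["192.0.2.0/24"]):
        print(cmd)
```

On the PIX itself, `show shun` lists the active shuns and `no shun <ip>` removes one.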