
New Member

IDS Shunning on PIX 6.3.3

Hi all,

I have some problems doing shunning via the PIX.

I'm running an IDS 4235 with 4.1(3)S62 and a PIX with PixOS 6.3.3.

Both the sniffing and the management interface of the IDS are on the inside network of the PIX. The PIX does no NAT (NAT 0) for all traffic.

I configured the IDS to use telnet to the PIX. I can see the IDS is logging into the PIX, but it did not shun any traffic.

The signatures are triggered, because I see the alarm in IEV.

If I do the same with an IOS router, the shunning works fine. Manual blocking to the PIX is also working; only if you configure automatic shunning when a signature is triggered is the IDS just sending some space characters to the PIX (verified via capture on the PIX).

Maybe somebody has seen this issue before?

Regards

Michael

2 REPLIES
Cisco Employee

Re: IDS Shunning on PIX 6.3.3

Things you can do to help debug.

Verify on the sensor (through IDM or the CLI) that the shun action was correctly set on the signatures.

When the signatures fire, there is a field in the alert itself that will be set to True if a shun was attempted for that alert. If the field is set to False or does not exist then the sensor didn't even attempt to shun for that alert.

Once you've verified the alert has the field for shun set to true, then look at the time in the field. Now go to the sensor CLI and execute "show event nac".

You will want to verify that the information in the fields matches the information in your alarm.

Now check the Pix to see if any shuns were executed. You can use the "show shun" command on the Pix to see the list of currently shunned addresses.

SIDE NOTE: When you do the "show shun" and the list contains automated shuns, you will see not just the source ip address listed, but also the destination ip, source port, and destination port. Some users have been confused thinking that this meant it was a Connection Shun and not a source address host Shun. Even though the connection information is listed, it is still a source address host shun. The additional connection information is just to let the Pix know to clear its connection table for that connection as well as shun the source address.

Another thing to do is look for any errors that nac may be generating.

You can execute "show event error".

Use a time and date of when your sensor was last rebooted and see if any of the errors are for NAC.

Also execute "show statistics nac" and verify that shun enable has been set to true, and that the automatic shuns are showing up in the shun list.

A last thing to try is to log in to the sensor using the account with the "service" privilege. This will get you access to the underlying Linux OS. From the "service" account you will switch to user root. As user root run the "ifconfig -a" command to determine which interface is your command and control interface. Now you can use the tcpdump command to monitor packets on your command and control interface between the sensor and the Pix.

Look for any errors the Pix may be generating, and verify if the sensor is sending the shun commands to the Pix.

For more information on running tcpdump you can refer to:

http://www.tcpdump.org/tcpdump_man.html
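The steps above boil down to two checks: which source hosts the Pix currently shuns (bearing in mind the side note that an entry with connection details is still a source-address host shun), and which alerts that requested a shun have no matching entry. The script below is an added example, not code from the original thread or from Cisco; it assumes a "Shun <src> <dst> <sport> <dport>" line layout for "show shun" output and uses constructed sample data.

```python
"""Correlate sensor alerts that requested a shun with the Pix 'show shun' list."""
import re
from dataclasses import dataclass

# Assumed layout of a PIX 6.3 'show shun' line (an assumption, not a real capture):
#   Shun <source-ip> <dest-ip> <src-port> <dst-port>
# Manual shuns carry 0.0.0.0 0 0 for the connection fields; sensor-issued
# automatic shuns carry the triggering connection's details.
SHUN_LINE = re.compile(r"^\s*shun\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)", re.IGNORECASE)


@dataclass(frozen=True)
class ShunEntry:
    source: str
    dest: str
    sport: int
    dport: int

    @property
    def has_connection_info(self) -> bool:
        # Extra connection fields only tell the Pix which connection to clear;
        # the entry is still a host shun on `source`.
        return self.dest != "0.0.0.0" or self.sport != 0 or self.dport != 0


def parse_show_shun(text: str) -> list[ShunEntry]:
    entries = []
    for line in text.splitlines():
        m = SHUN_LINE.match(line)
        if m:
            entries.append(ShunEntry(m.group(1), m.group(2), int(m.group(3)), int(m.group(4))))
    return entries


def shunned_hosts(entries: list[ShunEntry]) -> set[str]:
    # Every entry is a source-address host shun, with or without connection info.
    return {e.source for e in entries}


def missing_shuns(alerts, entries: list[ShunEntry]) -> list[str]:
    """alerts: iterable of (attacker_ip, shun_requested) taken from the alert's shun field.
    Returns attacker IPs the sensor said it would shun but which the Pix does not list."""
    active = shunned_hosts(entries)
    return sorted({ip for ip, requested in alerts if requested and ip not in active})


# Constructed sample data: one manual shun, one automatic shun, and three alerts.
SAMPLE_SHOW_SHUN = "Shun 10.1.1.27 0.0.0.0 0 0\nShun 172.16.5.9 192.168.1.10 33211 80\n"
SAMPLE_ALERTS = [("172.16.5.9", True), ("172.16.5.44", True), ("10.9.9.9", False)]

if __name__ == "__main__":
    parsed = parse_show_shun(SAMPLE_SHOW_SHUN)
    for e in parsed:
        print(f"host shun on {e.source} (connection info: {e.has_connection_info})")
    print("requested but not on the Pix:", missing_shuns(SAMPLE_ALERTS, parsed))
```

Feed it the real "show shun" output and the alert list from IEV; any host it reports as missing is where to start looking with "show event error" and the tcpdump capture.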

New Member

Re: IDS Shunning on PIX 6.3.3

Hi,

Thanks for your great help.

I solved the issue by rebooting the IDS :(

After the reboot, shunning on the PIX also worked fine.

Regards

Michael
