IDS Signature action: shun and tcp reset

achang
Level 1

We installed CSPM 2.3.3i/IDS-4210 successfully. I have the IDS do shuns via a Cisco router ACL. It is working fine too.

We are having difficulty deciding on the attack signature actions: TCP reset and block. I understand it is not a good idea to set all signatures to shun. But how could we know which signatures should shun and which should TCP reset?

Does anyone have a good strategy, practice, or white paper?

Thank you in advance.

1 Reply

jawelsh
Level 1

Basically, understand that you cannot TCP reset all signatures, because not all signatures are TCP-based signatures. Also, it typically does not help to TCP reset a TCP port scan because of the nature of port scans. TCP resets are good for connection-oriented alarms or string-match alarms that you would create, e.g. telnet- or FTP-based string matches, or even SMTP.

Shunning would be better suited to your port scans, ICMP attacks, and whatever else would be a "reconnaissance" type of probe or scan, where someone is looking for something to attack on your network.

Hope this helps.
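The rules of thumb in the reply above (TCP reset only for TCP, connection-oriented or string-match signatures; shun for reconnaissance; do not shun everything) can be turned into a small policy check. This is an added example, not code from either poster or from Cisco; the signature IDs, names and categories are constructed for illustration and do not correspond to real Cisco signature numbers.

```python
"""Lint a proposed IDS signature-action policy against the reply's guidance."""
from dataclasses import dataclass

# Categories the reply treats as reconnaissance (shun candidates).
RECON = {"port-scan", "icmp-sweep", "host-sweep"}


@dataclass
class Signature:
    sig_id: int        # constructed ID, not a real Cisco signature number
    name: str
    protocol: str      # "tcp", "udp" or "icmp"
    category: str      # e.g. "string-match", "port-scan", "icmp-sweep"
    action: str        # "alarm", "tcp-reset" or "shun"


def recommend(sig):
    """Action suggested by the reply's rules; alarm-only when neither rule fits."""
    if sig.category in RECON:
        return "shun"
    if sig.protocol == "tcp" and sig.category == "string-match":
        return "tcp-reset"
    return "alarm"


def lint_policy(sigs, max_shun_fraction=0.25):
    """Return (sig_id, warning) pairs for actions that conflict with the rules.

    A final (None, ...) entry flags a policy that shuns more than
    max_shun_fraction of its signatures, since shunning should be the exception.
    """
    warnings = []
    for s in sigs:
        if s.action == "tcp-reset" and s.protocol != "tcp":
            warnings.append((s.sig_id, "tcp-reset on a non-TCP signature has no effect"))
        elif s.action == "tcp-reset" and s.category in RECON:
            warnings.append((s.sig_id, "tcp-reset on a scan signature is ineffective; prefer shun"))
        elif s.action == "shun" and s.category not in RECON:
            warnings.append((s.sig_id, "shun is better suited to reconnaissance signatures"))
    shunned = sum(1 for s in sigs if s.action == "shun")
    if sigs and shunned / len(sigs) > max_shun_fraction:
        warnings.append((None, f"{shunned}/{len(sigs)} signatures shun; shunning should be the exception"))
    return warnings


# Constructed sample policy: two misapplied resets, one over-broad shun, one correct reset.
POLICY = [
    Signature(1, "TCP port sweep", "tcp", "port-scan", "tcp-reset"),
    Signature(2, "ICMP net sweep", "icmp", "icmp-sweep", "tcp-reset"),
    Signature(3, "FTP string match", "tcp", "string-match", "tcp-reset"),
    Signature(4, "Telnet string match", "tcp", "string-match", "shun"),
]
```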