We installed CSPM 2.3.3i/IDS-4210 successfully. I have the IDS do shun via a Cisco router ACL. It is working fine too.
We have difficulties deciding on attack signature actions: TCP Reset and Block. I understand it is not a good idea to set all signatures to do shun. But how could we know which signature should do shun or TCP Reset?
Does anyone have any good strategy, practice, or white paper?
Basically, understand that you cannot TCP reset all signatures, because not all signatures are TCP-based signatures. Also, it typically does not help to TCP reset a TCP port scan because of the nature of port scans. TCP resets are good for connection-oriented alarms or string match alarms that you would create, i.e. telnet or FTP based string matches or even SMTP.
Shunning would be better suited for your port scans, icmp attacks, and whatever else would be a "reconnaissance" type of probe or scan where someone is looking for something to attack on your network.
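As an added example (not from the thread or from Cisco): a short Python script that applies the reply's rule of thumb to a constructed signature export and flags signatures whose configured action does not follow it. The export format, signature ids and names are assumptions made for illustration.

```python
# Added example: audit IDS signature response actions against the rule of
# thumb above (TCP reset only for connection-oriented TCP alarms, shun for
# reconnaissance such as scans, sweeps and ICMP probes). The export format,
# signature ids and names below are constructed, not a real CSPM export.
import csv
import io

# Constructed sample export: signature id, name, protocol, class, configured action
SIGNATURE_EXPORT = """\
sig_id,name,protocol,class,action
1001,TCP SYN Port Sweep,tcp,recon,reset
1002,ICMP Echo Request probe,icmp,recon,reset
1003,SMTP rcpt flood string match,tcp,attack,reset
1004,Telnet login string match,tcp,attack,reset
1005,ICMP Network Sweep,icmp,recon,shun
1006,TCP Port Sweep,tcp,recon,shun
"""

def recommended_action(protocol, sig_class):
    """Pick the response action by the thread's rule: reconnaissance
    (scans, sweeps, ICMP probes) gets shun; other TCP alarms, such as
    string matches on telnet/ftp/smtp, get a TCP reset; anything else
    only alarms, because a reset is meaningless for non-TCP traffic."""
    if sig_class == "recon":
        return "shun"
    if protocol == "tcp":
        return "reset"
    return "alarm"

def audit(export_text):
    """Return (sig_id, configured, recommended) for every signature whose
    configured action does not follow the rule, so it can be reviewed."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        want = recommended_action(row["protocol"], row["class"])
        if row["action"] != want:
            findings.append((row["sig_id"], row["action"], want))
    return findings

if __name__ == "__main__":
    for sig_id, have, want in audit(SIGNATURE_EXPORT):
        print(f"sig {sig_id}: configured {have}, rule of thumb suggests {want}")
```

Signatures that the script flags still deserve a manual look before changing them, since the thread itself notes that shunning everything is not a good idea.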