Cisco Support Community

New Member

IDS Signature action: shun and tcp reset

We installed CSPM 2.3.3i/IDS-4210 successfully. I have the IDS do shunning through a Cisco router ACL. It is working fine too.

We are having difficulty deciding on attack signature actions: TCP reset and Block. I understand it is not a good idea to set all signatures to shun. But how can we know which signatures should do shun and which TCP reset?

Does anyone have any good strategy, practice, or white paper?

Thank you in advance

New Member

Re: IDS Signature action: shun and tcp reset

Basically, understand that you cannot TCP reset all signatures, because not all signatures are TCP-based signatures. Also, it typically does not help to TCP reset a TCP port scan because of the nature of port scans. TCP resets are good for connection-oriented alarms or string match alarms that you would create, i.e. telnet or FTP based string matches or even SMTP.

Shunning would be better suited for your port scans, icmp attacks, and whatever else would be a "reconnaissance" type of probe or scan where someone is looking for something to attack on your network.

Hope this helps.
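
The rule of thumb in the reply above, written as an audit over a signature-to-action table. This is an added example, not part of the original posts and not Cisco or CSPM code; the signature names, categories and CSV layout are constructed for illustration.

```python
# Added example: audits a signature-to-action table against the rule of thumb
# in the reply above. Signature names, categories and the CSV layout are
# constructed for illustration; they are not Cisco signature IDs or CSPM output.
import csv
import io

# Constructed inventory: name, protocol, category, configured action.
INVENTORY = """\
name,protocol,category,action
telnet-string-match,tcp,string-match,reset
ftp-string-match,tcp,string-match,shun
tcp-port-sweep,tcp,recon,reset
icmp-flood,icmp,attack,reset
udp-port-scan,udp,recon,shun
smtp-string-match,tcp,string-match,none
"""

def suggest(protocol, category):
    """Action the rule of thumb points to for one signature."""
    if category == "recon" or protocol == "icmp":
        return "shun"      # scans, ICMP attacks, reconnaissance probes
    if protocol == "tcp" and category in ("string-match", "connection"):
        return "reset"     # connection-oriented TCP alarms
    return "review"        # the reply gives no guidance; decide by hand

def audit(text):
    """Return (name, configured, suggested, reason) for each mismatch."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        proto, cat, action = row["protocol"], row["category"], row["action"]
        want = suggest(proto, cat)
        if action == "reset" and proto != "tcp":
            reason = "TCP reset cannot act on a non-TCP signature"
        elif action == "reset" and cat == "recon":
            reason = "resetting a port scan does not stop the scan"
        elif want != "review" and action != want:
            reason = "differs from the rule of thumb"
        else:
            continue
        findings.append((row["name"], action, want, reason))
    return findings

if __name__ == "__main__":
    for name, action, want, reason in audit(INVENTORY):
        print(f"{name}: configured={action} suggested={want} ({reason})")
```

The first two reasons mark actions that cannot work as configured; "differs from the rule of thumb" is only advisory and still needs a decision per signature.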