Is blocking supported with version 4.0 sensors?

dlac455 · ‎06-27-2003

I am testing VMS 2.1. Event Viewer under Security Monitor just told me that blocking was only supported in 3.0 sensors. So is there no shun support with a 4.0 sensor?

cgiulini · ‎06-27-2003

As far as I'm aware, shunning based on a signature match response is supported under version 4.0. Manually creating a shun through the SecMon is not supported for 4.0 sensors.

dlac455 · ‎06-27-2003

Thanks for the reply. Does anyone know if there is a way to do manual shunning through VMS on a 4.0 sensor?

ywadhavk · ‎06-27-2003

Hi Chad,

Currently this is not available, but most likely it will make it to the IDSMC/SecMon 1.2 release.

Thanks,

yatin

ywadhavk · ‎06-28-2003

All,

By mistake I said IDSMC/Secmon 1.2 release will have the manual shun,

It should have been IDSMC/Secmon 1.3 instead.

1.2 does not have the manual shun feature.

Yatin

marcabal · ‎06-30-2003

Until manual shun support is added to IDSMC/SecMon, the workaround would be to login to the IDM of the sensor itself and execute the manual shun.

pcomeaux · ‎06-28-2003

You may want to do your testing with VMS 2.2:

http://www.cisco.com/kobayashi/sw-center/sw-cw2000.shtml

You can download the VMS 2.2 with a 90 day eval from the location above.

This should include SecMon 1.2 which was to include this manual shun feature.

As a work around, you could always telnet or ssh into your Pix and use the shun command available there if you see an interesting event in the SecMon Event Viewer if you continue to test with VMS 2.1.

peter

astuckey · ‎07-01-2003

Besides SecMon based Manual Shun, are there any plans to allow Event Rules to issue shuns?