
New Member

Need to reset the connection when I detect attacks. How do I perform this?

I have series 4200 host sensors and I am using the VMS.

Besides monitoring, I want to apply a reset connection between the source attack address and the victim address. How do I configure this reset action via my VMS?

Where can I define these exceptions, and for how long does this reset connection remain active after applying it?

Thanks,

7 REPLIES
New Member

Re: Need to reset the connection when I detect attacks. How do I

Resets, IP Logging, and Blocking are done on a per-signature basis. You will need to edit the signature and set the "EventAction" to TCP Reset. This will reset the connection, but will not block it. If you want to block, you'll need to configure Block Host/Block Connection in the same place. Block Host will block the IP address from communicating to anyone, whereas Block Connection blocks only communication between the two addresses on that port. You can have multiple "EventActions" for a signature. The default block is for 30 minutes; this can be changed by altering the "Block Time" in the Blocking Properties for the sensor.

Cisco Employee

Re: Need to reset the connection when I detect attacks. How do I

Be aware that if you choose to implement blocking, you must also configure the sensor to manage a network device. With blocking, the sensor will connect to the network device and either enter an ACL or execute a shun command to have the networking device actually do the blocking.

This is unlike TCP Resets, where the sensor itself sends out the TCP Resets.

New Member

Re: Need to reset the connection when I detect attacks. How do I

Very true, marcabal... and the complexity of blocking depends on the managed device.

If you will be using a PIX, the shunning is pretty straightforward.

If you will be using a router or switch, you'll need to consider which interface to apply the ACL to... and in which direction... If you will be applying ACLs to interface S0/1, then you will need to give full control of that interface to the sensor. If you require certain denies and permits, you can create a pre-ACL-block that will be placed before the sensor's commands and a post-ACL-block to be placed after the sensor's commands. I suggest you visit Cisco's site and look for documentation on this issue, as it "can" get quite complex when your managed devices are routers and switches. Good luck!
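To make the mechanics in the two replies above concrete, here is an added Python model of the sensor's blocking table: Block Host versus Block Connection entries, the 30-minute default block time with expiry, and the pre-ACL-block / sensor entries / post-ACL-block ordering of the pushed ACL. This is illustrative code written for this page, not Cisco sensor code; the ACL line formats, the trailing permit, and all addresses are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

DEFAULT_BLOCK_TIME = timedelta(minutes=30)  # "Block Time" default quoted in the thread

@dataclass
class Block:
    attacker: str
    victim: Optional[str]   # None -> Block Host; otherwise Block Connection
    port: Optional[int]
    expires: datetime
    def acl_line(self) -> str:
        if self.victim is None:  # Block Host: attacker may talk to no one
            return f"deny ip host {self.attacker} any"
        # Block Connection: only attacker -> victim on this port is denied
        return f"deny tcp host {self.attacker} host {self.victim} eq {self.port}"

class BlockManager:
    def __init__(self, pre_acl: list[str], post_acl: list[str],
                 block_time: timedelta = DEFAULT_BLOCK_TIME):
        self.pre_acl, self.post_acl, self.block_time = pre_acl, post_acl, block_time
        self.blocks: dict[tuple, Block] = {}

    def block(self, attacker: str, now: datetime,
              victim: Optional[str] = None, port: Optional[int] = None) -> None:
        # Block Host if victim is None, else Block Connection; a repeat event refreshes the timer
        self.blocks[(attacker, victim, port)] = Block(attacker, victim, port,
                                                      now + self.block_time)

    def active(self, now: datetime) -> list[Block]:
        self.blocks = {k: b for k, b in self.blocks.items() if b.expires > now}
        return list(self.blocks.values())

    def render_acl(self, now: datetime) -> list[str]:
        # Ordering from the thread: pre-ACL-block, sensor entries, post-ACL-block.
        # The trailing permit is an assumption: without it the implicit deny
        # would drop all remaining traffic on the managed interface.
        sensor = [b.acl_line() for b in self.active(now)]
        return self.pre_acl + sensor + self.post_acl + ["permit ip any any"]

def demo(minutes_later: int = 0) -> list[str]:
    # Constructed scenario: two events at t0, ACL rendered minutes_later after.
    mgr = BlockManager(["permit tcp any host 10.0.0.5 eq 22"],
                       ["deny ip 10.9.9.0 0.0.0.255 any"])
    t0 = datetime(2004, 1, 1, 12, 0)
    mgr.block("192.0.2.10", t0)                   # Block Host
    mgr.block("192.0.2.11", t0, "10.0.0.20", 80)  # Block Connection
    return mgr.render_acl(t0 + timedelta(minutes=minutes_later))
```

Calling demo(0) shows both sensor entries between the pre- and post-ACL lines; demo(30) shows them gone once the block time has elapsed.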

New Member

Re: Need to reset the connection when I detect attacks. How do I

Last question:

Do I have to add a special configuration on my switch in order to be able to send the reset connections through it?

In some cases I have switches with IOS, and others use CatOS.

Thanks.

New Member

Re: Need to reset the connection when I detect attacks. How do I

Besides, when I access the IDS manager configuration, I don't see any option related to alarm configuration where I can add reset options. The only options I get are signature filtering, blocking, reassembly, port mapping and internal network definitions, but nothing related to event action. Do you have any suggestion where I could access event action to configure my resets?

Thanks.

Cisco Employee

Re: Need to reset the connection when I detect attacks. How do I

There should be a screen for defining/tuning the signatures. The EventAction field is just one of the fields in the definition of the signature.

For version 4.1:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap3.htm#31460

In step 4, select "reset" for the EventAction.

For version 3.1:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids8/13876_01.htm#71195

In step 7, select "TCP Reset" for the Action.

Cisco Employee

Re: Need to reset the connection when I detect attacks. How do I

It will depend on the specific type of switch, OS, OS version, and whether you are using SPAN or VACL Capture for copying the packets to the sensor.

It is best to read your switch's documentation to determine what is allowed on your switch.

Some switches do NOT allow incoming packets on their SPAN ports, in which case TCP Resets will not work.

(NOTE: If the documentation does not mention incoming packets, then quite often the switch will not support incoming packets on its SPAN port.)

Some switches automatically allow incoming packets on their SPAN ports, in which case no additional configuration is needed.

Some switches have to be configured to allow incoming packets on their SPAN port, in which case you need to use that configuration (like using the "inpkts enable" option on the Cat 6K).

For example, the Cat 6500 switch running traditional CatOS:

If monitoring with the use of SPAN, you will need to add the special option "inpkts enable" to allow incoming TCP Resets.

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_2/confg_gd/span.htm#1033304 (bullet 7)
