I have a 4210 IDS sensor (S20), Cisco PIX 515 and CSPM 2.3.3i (S20). It is configured to do blocking on the PIX. I disabled all of the NetBIOS attack signatures on the IDS. But the IDS is blocking some of the port 137 connections. When I look on the PIX with the "show shun" command I can see the blocked hosts about NetBIOS; I can also see the blocked hosts in the CSPM blocked host menu. But I can not see this attack in the IDS reports. There is no match about IP address and attack signature. How can I solve this problem?
Look in the /usr/nr/var/log.* log files on the sensor. In the log there should be an entry to show that the ShunHost command was executed for the particular address. Look at the alarms just prior to that address to determine which alarm fired with that IP address and ports, and then check the sensor configuration to see if the sensor was configured to block for that signature.
What you might find is that the NetBIOS packets may be firing signatures other than the NetBIOS signatures. It may be a sweep or flood signature that is firing. Or the sensor might still be firing the NetBIOS signatures because the sensor configuration hadn't been updated (check /usr/nr/etc/packetd.conf and see if it matches what you configured in CSPM).
Something else to keep in mind is that the block/shun may look like it should only block a specific port, but in actuality the shun/block will stop ALL traffic to and from that IP address and not just the port in the alarm.
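An added example, not from this thread or from Cisco: a small Python script that does the correlation the answer describes (find each ShunHost record, then the most recent alarm from that source address, and flag blocks that came from a signature you thought was disabled or that have no matching alarm at all). The log lines, field layout and signature numbers are constructed for illustration and are not the real sensor log format.

```python
"""Correlate ShunHost (block) records with the alarm that fired just before them."""

# Constructed sample log in a simplified, made-up layout:
#   <date> <time> <KIND> key=value ...
# This is NOT the real Cisco IDS /usr/nr/var/log.* format; adapt parse_line() to yours.
SAMPLE_LOG = """\
2002-03-01 10:00:01 ALARM sig=9001 name=TCP-port-sweep src=10.1.1.5 dst=10.2.2.9 dport=137
2002-03-01 10:00:02 ALARM sig=9002 name=NetBIOS-probe src=10.1.1.7 dst=10.2.2.9 dport=137
2002-03-01 10:00:02 SHUN cmd=ShunHost host=10.1.1.5
2002-03-01 10:00:05 ALARM sig=9002 name=NetBIOS-probe src=10.1.1.9 dst=10.2.2.9 dport=137
2002-03-01 10:00:06 SHUN cmd=ShunHost host=10.1.1.9
2002-03-01 10:00:07 SHUN cmd=ShunHost host=10.1.1.42
"""

# Signatures the operator believes are disabled (constructed values).
DISABLED_SIGS = {"9002"}


def parse_line(line):
    """Split one log line into (timestamp, kind, {field: value})."""
    parts = line.split()
    ts = parts[0] + " " + parts[1]
    fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
    return ts, parts[2], fields


def correlate_shuns(log_text):
    """Map each shunned host to the latest alarm from that source, or None."""
    last_alarm_by_src = {}
    shuns = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, kind, fields = parse_line(raw)
        if kind == "ALARM":
            last_alarm_by_src[fields["src"]] = {"ts": ts, **fields}
        elif kind == "SHUN":
            shuns[fields["host"]] = last_alarm_by_src.get(fields["host"])
    return shuns


def unexpected_blocks(shuns, disabled_sigs):
    """Hosts blocked with no preceding alarm, or on a signature believed disabled.

    A hit here means the running config differs from what CSPM shows
    (e.g. packetd.conf was not updated) or a non-NetBIOS signature fired.
    """
    return sorted(h for h, a in shuns.items()
                  if a is None or a["sig"] in disabled_sigs)
```

Run it against a real log by reading the file into `correlate_shuns()` after adjusting the parser to the sensor's actual line layout.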