Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Shun question/suggestion re: Kazaa

Is it currently possible to shun the Destination IP of an alarm?

For example, if one of my users tries to open a Kazaa session with a remote site, alarm 11005 fires. In this case the user is the source and the kazaa server is the destination. Currently I send a reset, but actually I'd like to temorarily shun the destination of the Kazaa GET request to be limit the functionality of Kazaa as much as possible. I don't want to Shun the source, since I only want to block the user's kazaa activity, not all internet activity. So is there any way to modify the shun functionality to shun the DESTINATION of the attack instead of the source for this alarm?

If I can't change the shun methodology, is it possible to modify the signature to reverse the source & destination ip in the signatures so that the shun will take the effect I want?

As a side thought, it'd be exceptionally cool if an IDS sensing outside a pix could do a port/ip lookup in the pix (via it's inside control interface) to give the true client IP address of clients being NATed through the pix.

Thanks!

2 REPLIES
Cisco Employee

Re: Shun question/suggestion re: Kazaa

you could turn FlipAddr on that would filp the source and dest ip sent to managed/nac

New Member

Re: Shun question/suggestion re: Kazaa

But the shun command has still been the same...

This only modified the event message.

98
Views
0
Helpful
2
Replies
CreatePlease to create content