Cisco Support Community
New Member

Shunning a host on PIX 520 but alerts still arriving at IDS

Last week I was seeing a lot of traffic coming from a particular host that was triggering IDS alerts. After investigating the source I added a SHUN statement to the pix. When I do a 'sho shun stat' the cnt for that host is fairly high (352) and is climbing. I'm still getting alerts from the IDS on this particular host (IP Fragment and Host sweeps). I assumed that if I was shunning an IP I wouldn't get alerts from the IDS on it. Can anyone explain what I am doing wrong? Thanks in advance.

  • Other Security Subjects
1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: Shunning a host on PIX 520 but alerts still arriving at IDS

Seems obvious, but can't hurt to ask - where is the sniffing interface of your sensor located? Obviously, if your sniffing interface is located outside of the pix, then the undesired traffic will still reach the pix - it just won't get through it.

Also, are you shunning that host for those alarms? Does a "show shun" show that host being blocked DURING the time that you are seeing alerts for that particular host?

Jeff

2 REPLIES
New Member

Re: Shunning a host on PIX 520 but alerts still arriving at IDS

Thanks for the input. You are correct in assuming the IDS is on the Outside of the firewall. So that explains why I see the alerts yet the IP is being shunned. Thanks again.
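
As an added example (not from this thread or from Cisco), a small Python triage helper that applies the point made in the accepted answer: an alert from a shunned source is expected noise when the sensor sniffs outside the PIX, but would indicate the shun is not taking effect if the sensor sits behind it. The 'show shun' line layout and the alert records are constructed assumptions for the demonstration.

```python
import re
from collections import Counter

# Constructed sample of PIX 'show shun' output. The line layout
# (interface, source, destination, sport, dport) is an assumption,
# not output quoted from the thread.
SHOW_SHUN = """\
shun (outside) 192.0.2.45 0.0.0.0 0 0
shun (outside) 198.51.100.7 0.0.0.0 0 0
"""

# Constructed IDS alerts as (source IP, signature), modelled on the
# "IP Fragment" and "Host Sweep" alarms the poster reports.
IDS_ALERTS = [
    ("192.0.2.45", "IP Fragment"),
    ("192.0.2.45", "Host Sweep"),
    ("203.0.113.9", "Host Sweep"),
]

SHUN_RE = re.compile(r"^shun \((?P<iface>\w+)\) (?P<src>\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_shun_table(text):
    """Map each shunned source IP to the PIX interface the shun is applied on."""
    shunned = {}
    for line in text.splitlines():
        m = SHUN_RE.match(line.strip())
        if m:
            shunned[m.group("src")] = m.group("iface")
    return shunned

def triage(alerts, shunned, sensor_position):
    """Label each alert given where the sensor sniffs relative to the PIX.

    sensor_position: 'outside' (sensor sees traffic before the PIX drops it)
                     or 'inside' (sensor sits behind the PIX).
    """
    if sensor_position not in ("outside", "inside"):
        raise ValueError("sensor_position must be 'outside' or 'inside'")
    results = []
    for src, sig in alerts:
        if src not in shunned:
            verdict = "not_shunned"        # live traffic; candidate for a shun
        elif sensor_position == "outside":
            verdict = "expected_blocked"   # sensor sees it, PIX drops it
        else:
            verdict = "shun_bypass"        # shunned traffic seen behind the PIX
        results.append((src, sig, verdict))
    return results

def summarize(results):
    """Count verdicts so the noisy-but-harmless class is visible at a glance."""
    return Counter(verdict for _, _, verdict in results)
```

With the sensor outside, both alerts from 192.0.2.45 come back as expected_blocked, which is the situation the poster describes; the shun_bypass verdict is the one that warrants a closer look.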
