
New Member

Shunning Question. I'm puzzled!

When an attacking host is shunned, is the host shunned based on the source and destination port, or by the IP address? In other words, if the host uses a different source port, will that packet get through the shunning device? Based on the logs I have from the IDS (see below) it appears that the next packet got through and thus a second shun was executed. (If the shun is based on the IP address, the second packet would have had to be detected by the IDS - the IDS is inside the shunning device.)

EXEC ShunHost x.143.0.210 120 y.170.240.51 3576 80 TCP

EXEC ShunHost x.143.0.210 120 y.170.240.51 3578 80 TCP

Now here is what is interesting: When I send an ICMP packet to the shunned source, the replies back from the host are shunned. This seems to indicate that the shun is based on the IP address.

Is there a conflict here?

Thanks in advance,

Chris

2 REPLIES
Cisco Employee

Re: Shunning Question. I'm puzzled!

The shuns are based upon the IP address. Managed controls what IPs are shunned. The message you saw in the log was from packetd. It still detects the alarms. However, the second alarm would have extended the time of the shun (reset the start time to that of the second alarm).

Cisco Employee

Re: Shunning Question. I'm puzzled!

Shunning is based on the IP address only. The destination IP, source port, destination port and protocol are ignored in current versions of IDS and IDSM. However, in a future version you will have the option of conditional shunning, based on all of these parameters.

In answer to your question, if a shunned host uses a different source port, the packet should not get through. In your example, perhaps the second packet got through before the shun took effect. It takes a finite period of time for the IDS to complete the router configuration for a shun. Check the timestamps for the two commands listed. If they are less than a couple of seconds apart, it is likely that this happened.

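The timestamp check suggested in the reply above, as an added example that is not part of the original thread or of any Cisco tool: it parses `EXEC ShunHost` lines in the format shown in the question, collapses them per source IP (the key the shun is actually applied on), restarts the shun timer on each repeat alarm, and flags a repeat that arrives within a few seconds of the previous one as a likely race with the router configuration. The `YYYY-MM-DD HH:MM:SS` prefix, the 5-second settle window and the sample addresses are assumptions, since the log lines on the page carry no timestamps.

```python
import re
from datetime import datetime, timedelta

# EXEC ShunHost <src-ip> <minutes> <dst-ip> <src-port> <dst-port> <proto>
SHUN_RE = re.compile(
    r"EXEC ShunHost (?P<src>\S+) (?P<minutes>\d+) (?P<dst>\S+) "
    r"(?P<sport>\d+) (?P<dport>\d+) (?P<proto>\S+)"
)

# Constructed sample: the two commands from the thread plus one unrelated
# source, with an ASSUMED timestamp prefix and placeholder addresses.
SAMPLE_LOG = """\
2001-03-05 14:02:10 EXEC ShunHost 10.143.0.210 120 192.0.2.51 3576 80 TCP
2001-03-05 14:02:11 EXEC ShunHost 10.143.0.210 120 192.0.2.51 3578 80 TCP
2001-03-05 14:30:00 EXEC ShunHost 10.143.0.211 120 192.0.2.51 4001 80 TCP
"""


def parse_shun_lines(text):
    """Return one dict per ShunHost command, with time and ints decoded."""
    records = []
    for line in text.splitlines():
        m = SHUN_RE.search(line)
        if not m:
            continue  # not a shun command; other log lines are ignored
        rec = m.groupdict()
        rec["time"] = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        for key in ("minutes", "sport", "dport"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def shun_windows(records, settle_seconds=5):
    """Collapse shuns per source IP; ports and destination play no role.

    Each repeat alarm restarts the shun timer ("expires"), as the first reply
    describes. "racy" is set when a repeat arrives within settle_seconds of
    the previous one, i.e. plausibly before the router ACL was in place.
    """
    result = {}
    for rec in sorted(records, key=lambda r: r["time"]):
        entry = result.setdefault(rec["src"], {"count": 0, "racy": False})
        last = entry.get("last")
        if last is not None and (rec["time"] - last).total_seconds() <= settle_seconds:
            entry["racy"] = True
        entry["count"] += 1
        entry["last"] = rec["time"]
        entry["expires"] = rec["time"] + timedelta(minutes=rec["minutes"])
    return {src: {k: v for k, v in e.items() if k != "last"} for src, e in result.items()}
```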