06-21-2002 04:11 AM - edited 03-08-2019 11:04 PM
When an attacking host is shunned, is the host shunned based on the source and destination port, or by the IP address? In other words, if the host uses a different source port, will that packet get through the shunning device? Based on the logs I have from the IDS (see below) it appears that the next packet got through and thus a second shun was executed. (If the shun is based on the IP address, the second packet would not have been detected by the IDS - the IDS is inside the shunning device.)
EXEC ShunHost x.143.0.210 120 y.170.240.51 3576 80 TCP
EXEC ShunHost x.143.0.210 120 y.170.240.51 3578 80 TCP
Now here is what is interesting: When I send an ICMP packet to the shunned source, the replies back from the host are shunned. This seems to indicate that the shun is based on the IP address.
Is there a conflict here?
Thanks in advance,
Chris
06-21-2002 05:52 AM
The shuns are based upon the IP address. Managed controls what IPs are shunned. The message you saw in the log was from packetd. It still detects the alarms. However, the second alarm would have extended the time of the shun (reset the start time to that of the second alarm).
06-21-2002 05:57 AM
Shunning is based on the IP address only. The destination IP, source port, destination port and protocol are ignored in current versions of IDS and IDSM. However, in a future version you will have the option of conditional shunning, based on all of these parameters.

In answer to your question, if a shunned host uses a different source port, the packet should not get through. In your example, perhaps the second packet got through before the shun took effect. It takes a finite period of time for the IDS to complete the router configuration for a shun. Check the timestamps for the two commands listed. If they are less than a couple of seconds apart, it is likely that this happened.
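The behaviour the two answers describe, as an added illustration that is not part of the original thread and not Cisco IDS code: a small model of a shun table keyed on the source IP only, fed the two ShunHost lines from the question. It shows that once the shun is active, a packet from the shunned host on a new source port (or an ICMP echo reply sourced from that host) is dropped regardless of port or protocol, that packets sent *to* the shunned host are not what the shun matches, and that a packet arriving during the window before the blocking device has been configured still passes. A second class models the per-connection ("conditional") shun the second answer mentions, where the same host on a new source port is not matched. The install delay, the timings and the ICMP packets are assumptions constructed for the example; the ShunHost command format is taken from the question.

```python
"""Model of IP-only vs. conditional (full-tuple) shunning.

Added example, not from the original thread or any Cisco product.
The 1.5 s install delay and all timestamps are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Format of the two log lines in the question:
#   EXEC ShunHost <src-ip> <minutes> <dst-ip> <sport> <dport> <proto>
SHUN_RE = re.compile(
    r"^EXEC ShunHost (?P<src>\S+) (?P<minutes>\d+) (?P<dst>\S+) "
    r"(?P<sport>\d+) (?P<dport>\d+) (?P<proto>\w+)$"
)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int = 0   # 0 for protocols without ports (ICMP)
    dport: int = 0


class ShunTable:
    """IP-only shun: only the source address of a ShunHost command is used
    as the match key; destination, ports and protocol are parsed but ignored."""

    def __init__(self, install_delay: float = 1.5):
        self.install_delay = install_delay  # assumed time to push the config
        self.entries = {}                   # key -> (active_from, expires)

    def _key(self, src, dst, proto, sport, dport):
        return src

    def shun_from_log(self, line: str, now: float):
        m = SHUN_RE.match(line)
        if not m:
            raise ValueError(f"not a ShunHost line: {line!r}")
        key = self._key(m["src"], m["dst"], m["proto"],
                        int(m["sport"]), int(m["dport"]))
        duration = int(m["minutes"]) * 60
        # A repeat shun for the same key resets the start time rather than
        # creating a second entry, as the first answer describes.
        self.entries[key] = (now + self.install_delay, now + duration)
        return key

    def blocked(self, pkt: Packet, now: float) -> bool:
        key = self._key(pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        entry = self.entries.get(key)
        if entry is None:
            return False
        active_from, expires = entry
        return active_from <= now < expires


class ConditionalShunTable(ShunTable):
    """Per-connection shun: the full tuple is the key, so the same host on a
    new source port is not matched."""

    def _key(self, src, dst, proto, sport, dport):
        return (src, dst, proto, sport, dport)


LINE1 = "EXEC ShunHost x.143.0.210 120 y.170.240.51 3576 80 TCP"
LINE2 = "EXEC ShunHost x.143.0.210 120 y.170.240.51 3578 80 TCP"


def walk_through() -> dict:
    """Replay the question's scenario and return what each packet did."""
    results = {}
    ip_shun = ShunTable()
    ip_shun.shun_from_log(LINE1, now=0.0)

    # Second SYN from a new source port, 0.5 s later: the blocking device is
    # not configured yet, so it passes, the IDS alarms and a second shun fires.
    second = Packet("x.143.0.210", "y.170.240.51", "TCP", 3578, 80)
    results["before_install"] = ip_shun.blocked(second, now=0.5)
    ip_shun.shun_from_log(LINE2, now=0.5)

    # Once active, anything sourced from the shunned IP is dropped.
    results["new_sport"] = ip_shun.blocked(
        Packet("x.143.0.210", "y.170.240.51", "TCP", 4000, 443), now=10.0)
    results["icmp_reply"] = ip_shun.blocked(
        Packet("x.143.0.210", "y.170.240.51", "ICMP"), now=10.0)
    # Our own echo request towards the shunned host is not matched.
    results["our_echo_request"] = ip_shun.blocked(
        Packet("y.170.240.51", "x.143.0.210", "ICMP"), now=10.0)
    # After the 120-minute window (from the second shun) the entry lapses.
    results["expired"] = ip_shun.blocked(second, now=0.5 + 120 * 60 + 1)

    # Conditional shun: only the exact connection tuple is blocked.
    cond = ConditionalShunTable()
    cond.shun_from_log(LINE1, now=0.0)
    results["conditional_same_conn"] = cond.blocked(
        Packet("x.143.0.210", "y.170.240.51", "TCP", 3576, 80), now=10.0)
    results["conditional_new_sport"] = cond.blocked(second, now=10.0)
    return results


if __name__ == "__main__":
    for name, outcome in walk_through().items():
        print(f"{name:24s} {'BLOCKED' if outcome else 'passed'}")
```

The `before_install` case is the race the second answer points at: if the two ShunHost commands are only a second or so apart, the second alarm is consistent with IP-based shunning and does not imply a per-port match. The `icmp_reply` and `our_echo_request` cases reproduce the ping observation: the shun matches the shunned host as packet source, so the echo replies are dropped while the request towards it is not.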