shunning

kowalm
Level 1

I'm interested in getting an IDS, but have one question. I know the IDS can do shunning on a router or PIX firewall. I was wondering if it is easy/possible to set it to shun a particular IP when the IDS detects someone doing a general port scan (on any port)?

6 Replies

gfullage
Cisco Employee

Port scans will be detected by the IDS, and if you then set up that signature for blocking, then the sensor will write an access-list or use the "shun" command on a PIX to block all packets from that source host.

The configuration is quite simple, just configure the IP and login parameters for the router/PIX so the sensor can SSH into it, and enable blocking for the particular signature (checking a box).

So there is a signature for general port scans?

If set up correctly, if I were to start scanning the network on a random port, I should be shunned within seconds?

Yes, you would be shunned almost immediately - there is very little lag time involved. Careful with shunning on port scans, as MANY MANY and I repeat MANY MANY Microsoft products trigger nmap port sweeps ALL the time... DNS triggers port sweeps, SMS, Active Directory, etc... I suggest you spend a good amount of time learning your network, capturing traffic, and analyzing to see if it's legit... set up filters ... then look at blocking features...

I'm looking to shun anyone outside of my network doing scans for services. I've been watching the traffic/port scans into my network and most of it seems to be either virus related (DCOM port scans for example) or someone scanning for http or ssh servers, etc.

I think I should be good there.

Understand it can take a few seconds, so scans that fire many probes per second will still get through before the IDS can get the shun applied. We see this continuously, so be prepared for it.

I'd like the shun to be applied before the person scanning reaches over 10,000 flows. A scan that reaches 40,000 flows just kills everything. I'm hoping the IDS can catch it and shun before it goes over 10,000.
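To make the points raised in the thread concrete (a port-sweep signature that triggers a shun on the firewall, a filter for known noisy internal hosts, and the lag between detection and the shun taking effect, which decides how many flows a fast scanner gets through before it is blocked), here is an added, self-contained simulation. It is not the Cisco IDS sensor's or PIX's own code: the threshold/window detector, the fixed shun_delay_ms standing in for "alarm, SSH to the device, apply the command", the allowlist, and all IP addresses and flow records are constructed assumptions for illustration. Only the emitted command text follows the PIX `shun <src_ip>` form named in the replies.

```python
from collections import defaultdict

# PIX syntax as named in the thread: "shun <src_ip>" drops every packet from that host.
SHUN_CMD = "shun {src}"


def make_scan(src, dst, interval_ms, n, start_ms=0, first_port=1):
    """Constructed flow records for a scanner probing n sequential ports,
    one probe every interval_ms. Records are (t_ms, src, dst, dport)."""
    return [(start_ms + i * interval_ms, src, dst, first_port + i) for i in range(n)]


def detect_and_shun(flows, threshold=20, window_ms=2000, shun_delay_ms=1000, allowlist=()):
    """Threshold-based port-sweep detector with a simulated blocking device
    (hypothetical model, not the sensor's real signature engine).

    A source that touches `threshold` distinct (dst, dport) pairs inside
    `window_ms` is shunned; the shun takes effect `shun_delay_ms` later
    (sensor alarm + SSH to the firewall + command execution). Per source the
    result counts flows that reached the target before detection, flows that
    leaked during the delay, flows the shun dropped, and allowlisted flows.
    Returns (commands, stats): commands is a time-ordered list of
    (t_ms_detected, shun command), stats maps src -> counters.
    """
    recent = defaultdict(list)   # src -> [(t, (dst, dport))] still inside the window
    shun_at = {}                 # src -> time the shun became effective
    stats = defaultdict(lambda: {"before_detect": 0, "leaked": 0, "blocked": 0, "allowlisted": 0})
    commands = []
    for t, src, dst, dport in sorted(flows):
        s = stats[src]
        if src in allowlist:            # known noisy host (e.g. an internal DNS server): never shun
            s["allowlisted"] += 1
            continue
        if src in shun_at:              # already detected: did the shun land yet?
            s["blocked" if t >= shun_at[src] else "leaked"] += 1
            continue
        s["before_detect"] += 1
        hist = recent[src]
        hist.append((t, (dst, dport)))
        recent[src] = hist = [(ts, key) for ts, key in hist if t - ts <= window_ms]
        if len({key for _, key in hist}) >= threshold:
            shun_at[src] = t + shun_delay_ms
            commands.append((t, SHUN_CMD.format(src=src)))
    return commands, dict(stats)


def reached_target(stat):
    """Flows from one source that actually got past the firewall."""
    return stat["before_detect"] + stat["leaked"]


def demo():
    """Constructed traffic: a fast external scanner (~1000 probes/s), a slower
    one (~50 probes/s), and a noisy internal host that touches many
    (dst, 53) pairs and would otherwise look like a sweep."""
    flows = (
        make_scan("203.0.113.10", "192.0.2.20", interval_ms=1, n=5000)
        + make_scan("198.51.100.7", "192.0.2.20", interval_ms=20, n=100)
        + [(i * 10, "10.0.0.53", "10.0.0.%d" % i, 53) for i in range(200)]
    )
    return detect_and_shun(flows, allowlist={"10.0.0.53"})


if __name__ == "__main__":
    cmds, st = demo()
    for t, cmd in cmds:
        print("t=%5d ms  %s" % (t, cmd))
    for src, stat in st.items():
        print(src, stat, "reached target:", reached_target(stat))
```

With these assumed numbers the 1000 probe/s scanner is detected after 20 probes but leaks another 999 during the one-second apply window, so roughly a thousand flows reach the target; the 50 probe/s scanner gets 69 through. Whether a shun lands before 10,000 flows is therefore a product of scan rate and detection-plus-apply latency, not of the threshold alone, and the allowlist is what keeps the chatty internal host from ever being shunned.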