Cisco Support Community
Community Member

Standard Blocking List?

I have set up an IDS-4210 (Ver 3.1(3)S42) and a PIX-506 with blocking. I have verified that the shunning does work by adding manual blocks in the IDS and verifying them in the PIX.

Is there a list of critical or common signatures to trigger a block? As it is now, it appears that I need to review 47 pages of signatures and decide if blocking is appropriate for each one. I realize that each network has different needs and types of traffic, however, there are signatures that are only triggered for malicious activity. If I can begin by impletementing blocking for the most common security violations, I am then pro-actively protecting my network.

Cisco Employee

Re: Standard Blocking List?

A good rule of thumb is to not implement general automatic blocking for a week or two after installation.

The reason is that during this first week or two is when you are going to be tuning your sensor. You will need to either disable signatures that are firing with your normal network traffic or use RecordOfExcludedPattern to prevent the signatures from firing with your Internal Address ranges.

You will want to initially concentrate on the High severity alarms.

Once you have tuned your sensor so any new High severity alarms are legitimate alarms (and not from normal traffic on your network) then move on to the next stage.

You will need to evaluate your network and determine which ipaddresses/networks you want to Never bu shunned. Places these addresses/networks into your NeverShun list when configuring the sensor.

Then start turning on Blocking for some of the High Level alarms (best candidates are the once you've seen firing during the first 2 weeks). I would start with a few signatures at first until you are comfortable with the affect that shunning has on your Pix and network.

You may need to add additional NeverShun addresses/networks at this stage, or increase/decrease the number of shuns active at any one time (configurable on the sensor), or possibly change which devices are being managed or even add more devices to be managed by the sensor.

Then continue adding the shunning action to the other High severity signatures.

Once you have gotten through most or all of the Highs then you can start adding the Medium severity signatures.

NOTE: In case you hadn't realized, the terms shunning and blocking mean the same thing in Cisco IDS. Some interfaces changed from shunning to blocking to be better understood overseas.

NOTE2: For most signatures, the shunning will not prevent the attack, but is a way to respond to the attack. The attack is already underway and may even be complete when the sensor alarms, and the shun is executed. This is because the sensor sees the attack packets at the same time that the destination sees the packets. So we are unable to prevent the destination from seeing the packet.

What shunning does do is prevent future attacks from the same source, and prevents the source from continuing the attack. If the attack gained the user root access, the shun prevents the user from doing anything with the root access because the attacker can no longer reach the destination machine. It also helps prevent the same attacker executing attacks against other machines on the same network.

CreatePlease to create content