Cisco Support Community

New Member

What action should be taken, block/reset or both?

I have a question regarding blocking or sending a reset.

Is there any hard and fast rule with regards to choosing whether to block or send a reset?

What I mean is, for instance:

1. For a signature that uses an ATOMIC.TCP or ATOMIC.UDP engine, do you block, reset, or both?

2. For a signature that uses STRING.TCP or STRING.UDP, do you block, reset, or both?

Is there a list of recommended actions one should take after receiving an event, if you were considering more than just logging?

New Member

Re: What action should be taken, block/reset or both?

The action I have my IDS take generally depends on the type of attack, or possibly severity.

1. A TCP reset can only be issued for TCP, hence the name.

2. Again, it depends on the type of attack as opposed to a string value.

I would also refer to the NSDB for a description of the signatures.
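As an added illustration of the two answers above (a TCP reset only applies to a TCP engine; block versus reset is a choice driven by attack type and severity rather than by engine family), here is a small Python policy checker. It is example code written for this page, not from either poster or from Cisco. The `Event` class, the three-level severity scale, the signature numbers and the severity thresholds in `recommend()` are all assumptions made for the example; the engine names ATOMIC.TCP, ATOMIC.UDP, STRING.TCP and STRING.UDP are the ones named in the question.

```python
"""Added example: encode the reply's two points as a checkable response policy.

Point 1: a TCP reset is only valid for a TCP signature engine (ATOMIC.TCP,
STRING.TCP). For UDP engines (ATOMIC.UDP, STRING.UDP) the only network-side
response is to block the source.
Point 2: whether to block, reset, or both is driven by attack type/severity,
not by the engine family. The severity thresholds below are an assumed policy
for illustration only.
"""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    LOG = "log"            # always applies: record the event
    BLOCK = "block"        # deny the offending source; protocol-agnostic
    TCP_RESET = "reset"    # inject a TCP RST into the flow; TCP only


@dataclass(frozen=True)
class Event:
    sig_id: int        # constructed signature number, not a real Cisco ID
    engine: str        # signature engine, e.g. "ATOMIC.TCP" or "STRING.UDP"
    severity: str      # "low", "medium" or "high" (assumed scale)


def engine_protocol(engine: str) -> str:
    """Return the transport named by the engine suffix (ATOMIC.TCP -> TCP)."""
    return engine.rsplit(".", 1)[-1].upper()


def allowed_actions(engine: str) -> set:
    """Actions that are technically possible for a given engine (point 1)."""
    actions = {Action.LOG, Action.BLOCK}
    if engine_protocol(engine) == "TCP":
        actions.add(Action.TCP_RESET)
    return actions


def validate(engine: str, actions: set) -> None:
    """Reject a configuration that assigns an impossible action (reset on UDP)."""
    bad = actions - allowed_actions(engine)
    if bad:
        names = ", ".join(sorted(a.value for a in bad))
        raise ValueError(f"{engine}: action(s) not applicable: {names}")


SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}   # assumed ordering


def recommend(event: Event) -> set:
    """Assumed illustrative policy (point 2): escalate the response with severity."""
    rank = SEVERITY_RANK[event.severity]
    actions = {Action.LOG}
    if rank >= 1 and Action.TCP_RESET in allowed_actions(event.engine):
        actions.add(Action.TCP_RESET)   # cut the session where the protocol allows it
    if rank >= 2:
        actions.add(Action.BLOCK)       # block the source regardless of protocol
    validate(event.engine, actions)     # never emit an action the engine cannot take
    return actions


if __name__ == "__main__":
    # Constructed events covering both engine families and both transports.
    for ev in (Event(90001, "ATOMIC.TCP", "high"),
               Event(90002, "ATOMIC.UDP", "high"),
               Event(90003, "STRING.TCP", "medium"),
               Event(90004, "STRING.UDP", "medium")):
        print(ev.sig_id, ev.engine, ev.severity,
              sorted(a.value for a in recommend(ev)))
```

Running the block shows the asymmetry the reply describes: the two high-severity events both get a block, but only the TCP one also gets a reset, and a medium-severity UDP event is left at logging because no session-level response exists for it. The `validate()` step is the practical takeaway: a sensor policy that lists a reset for a UDP signature is a configuration error, and checking for it up front avoids silently doing nothing on an alert you expected to be actioned.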