https://community.cisco.com/t5/network-security/ios-ips-blocking-question/m-p/1798345#M56451 <HTML><HEAD></HEAD><BODY><P>Are you sure this is on an IOS IPS device (i.e. setup in the IOS software itself on a router) or is it an actual sensor device (AIM-IPS sensor module, NME-IPS sensor module, 4200-series sensor appliance, etc.)?</P><P></P><P>Can you post a copy (or readable screenshot) of the relevant portions of your config?</P><P></P><P></P><P>On IPS devices, if you invoke a <EM>Deny Attacker</EM> Action, it will remain in effect for 1 hour (by-default). Likewise, <EM>Request Block</EM> Actions remain in effect for 30 minutes (by-default). So, if such an Action was triggered, even if future traffic from the same host did not match your modified EAO, the Action(s) would still be in-place for the duration of the timer(s).</P><P></P><P>In that regard, on IPS devices, you can view the current Denied Attackers list via the '<SPAN style="font-family: courier new,courier;">show statistics denied-attackers</SPAN>' command and the Blocked Hosts list via the '<SPAN style="font-family: courier new,courier;">show statistics network-access</SPAN>' command.</P></BODY></HTML> Wed, 31 Aug 2011 18:30:07 GMT Dustin Ralich 2011-08-31T18:30:07Z https://community.cisco.com/t5/network-security/ios-ips-blocking-question/m-p/1798344#M56450 <P>All,</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp; I have been playing with IOS IPS. I set up an event action override to block when a certain risk rating was triggered. It worked correctly as expected. Then when I changed the risk rating, in the event action override, where it shouldn't have blocked the traffic, the traffic was still denied.</P><P>&nbsp;&nbsp;&nbsp;&nbsp; I tried searching for a command to view block attackers but couldn't find anything. Is there a way to view who is blocked, and unblock? Any assistance would be appreciated. Thanks.</P> Sun, 10 Mar 2019 12:26:44 GMT https://community.cisco.com/t5/network-security/ios-ips-blocking-question/m-p/1798344#M56450 Kryptkeeper 2019-03-10T12:26:44Z https://community.cisco.com/t5/network-security/ios-ips-blocking-question/m-p/1798345#M56451 <HTML><HEAD></HEAD><BODY><P>Are you sure this is on an IOS IPS device (i.e. setup in the IOS software itself on a router) or is it an actual sensor device (AIM-IPS sensor module, NME-IPS sensor module, 4200-series sensor appliance, etc.)?</P><P></P><P>Can you post a copy (or readable screenshot) of the relevant portions of your config?</P><P></P><P></P><P>On IPS devices, if you invoke a <EM>Deny Attacker</EM> Action, it will remain in effect for 1 hour (by-default). Likewise, <EM>Request Block</EM> Actions remain in effect for 30 minutes (by-default). So, if such an Action was triggered, even if future traffic from the same host did not match your modified EAO, the Action(s) would still be in-place for the duration of the timer(s).</P><P></P><P>In that regard, on IPS devices, you can view the current Denied Attackers list via the '<SPAN style="font-family: courier new,courier;">show statistics denied-attackers</SPAN>' command and the Blocked Hosts list via the '<SPAN style="font-family: courier new,courier;">show statistics network-access</SPAN>' command.</P></BODY></HTML> Wed, 31 Aug 2011 18:30:07 GMT https://community.cisco.com/t5/network-security/ios-ips-blocking-question/m-p/1798345#M56451 Dustin Ralich 2011-08-31T18:30:07Z