Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
942
Views
0
Helpful
1
Replies

IOS IPS Blocking Question

Kryptkeeper
Level 1
Level 1

‎08-11-2011 05:21 PM - edited ‎03-10-2019 05:26 AM

All,

     I have been playing with IOS IPS. I set up an event action override to block when a certain risk rating was triggered. It worked correctly as expected. Then when I changed the risk rating, in the event action override, where it shouldn't have blocked the traffic, the traffic was still denied.

     I tried searching for a command to view block attackers but couldn't find anything. Is there a way to view who is blocked, and unblock? Any assistance would be appreciated. Thanks.

Labels:
0 Helpful
1 Reply 1

Dustin Ralich
Cisco Employee
Cisco Employee

‎08-31-2011 11:30 AM

Are you sure this is on an IOS IPS device (i.e. setup in the IOS software itself on a router) or is it an actual sensor device (AIM-IPS sensor module, NME-IPS sensor module, 4200-series sensor appliance, etc.)?

Can you post a copy (or readable screenshot) of the relevant portions of your config?

On IPS devices, if you invoke a Deny Attacker Action, it will remain in effect for 1 hour (by-default). Likewise, Request Block Actions remain in effect for 30 minutes (by-default). So, if such an Action was triggered, even if future traffic from the same host did not match your modified EAO, the Action(s) would still be in-place for the duration of the timer(s).

In that regard, on IPS devices, you can view the current Denied Attackers list via the 'show statistics denied-attackers' command and the Blocked Hosts list via the 'show statistics network-access' command.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card