08-11-2008 05:53 AM - edited 03-10-2019 04:14 AM
How do you shun with an IDS while in command line? I know how to shun from the GUI but I haven't been able to find the command string to shun from CLI.
I will have the 4200 (6.0) send shuns to a PIX 7.0.
08-11-2008 08:29 AM
Have a look at this:
http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliBlock.html#wp1066202
Regards
Farrukh
08-11-2008 09:49 AM
I had not seen the link you provided. I do now. Thanks
08-11-2008 10:16 AM
The link provided works for IPS 6.0 and earlier, but is not really recommended.
In IPS 6.1 a new "block" command was added into the CLI to support blocking:
http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_blocking.html
The difference is that in 6.0 the CLI method actually added the Blocked Host into the "configuration" of the sensor. It is managed differently than entries added dynamically by sensorApp during signature triggerings or added through IDM (or IME). The biggest difference is that all "configuration" blocks are considered permanent (not time based). If you remove a "configuration" block it does not actually get removed. You have to remove the "configuration" block AND then go through IDM and remove it again, because when a "configuration" block gets removed, the block still exists but is now managed the way IDM blocks are managed. So it must be removed twice.
The intention is to remove the "configuration" blocks in future versions, and instead a new "block" CLI command is added in IPS 6.1. The new "block" command is managed the same way as the IDM blocking.
So if you want to manage blocking through the CLI you should really upgrade to IPS 6.1. If using IPS 6.0 or earlier you are better off only using IDM.
For IPS 6.1 "block" command examples:
http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_blocking.html#wp1066202