08-04-2004 03:28 AM - edited 02-20-2020 11:32 PM
If I try to scan a server (172.16.1.5) using the tool NMAP with a faked IP source address:
"nmap -sF -S 10.1.1.1 -e alb0 172.16.1.5", where
-sF (FIN scan, could be other scans also)
-S 10.1.1.1 (faked source)
-e alb0 (interface, usually eth0)
172.16.1.5 (victim)
The PIX silently blocks any traffic from 10.1.1.1 to 172.16.1.5 for about half an hour!!! The result is that anybody with NMAP can block traffic from the real IP address (the fake source in NMAP syntax) to the server IP address. This could be used to make a DoS attack.
PIX does not LOG a single word about the attack or the traffic blocking!?
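The failure mode described in this post is a reactive blocking rule that trusts the source address of an unsolicited packet. The following is an added example, not code from the thread or from any Cisco or Symantec product: a small Python model of two auto-block policies fed with constructed traffic. The naive policy shuns a source after a few bare-FIN probes and so blocks the forged address 10.1.1.1 (the innocent real owner); the gated policy counts probes only from a source that has completed a three-way handshake with the protected host, which a forged address can never do because the SYN/ACK is sent to the real owner. The addresses 198.51.100.9 (RFC 5737 documentation range) and the threshold of 3 are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One observed TCP segment, reduced to what the block logic looks at."""
    src: str
    dst: str
    flags: frozenset


def seg(src, dst, *flags):
    return Segment(src, dst, frozenset(flags))


SERVER = "172.16.1.5"        # the scanned host from the thread
SPOOFED = "10.1.1.1"         # the forged source from the thread
GENUINE = "198.51.100.9"     # constructed: an unspoofed client (RFC 5737 range)
THRESHOLD = 3                # constructed: probes before a source is shunned

# Constructed sample traffic.
TRAFFIC = (
    # Forged-source FIN probes: any reply goes to the real 10.1.1.1, which
    # never sent anything, so no handshake can exist for this address pair.
    [seg(SPOOFED, SERVER, "FIN") for _ in range(5)]
    # An unspoofed host that really connects, then sends bare-FIN probes.
    + [seg(GENUINE, SERVER, "SYN"),
       seg(SERVER, GENUINE, "SYN", "ACK"),
       seg(GENUINE, SERVER, "ACK")]
    + [seg(GENUINE, SERVER, "FIN") for _ in range(5)]
)


def naive_autoblock(traffic, threshold=THRESHOLD):
    """Count bare-FIN probes per claimed source and shun at the threshold.

    Header-only evidence: whoever forges the source address decides which
    host gets blocked, which is the denial of service the post describes.
    """
    probes = defaultdict(int)
    blocked = set()
    for s in traffic:
        if s.flags == {"FIN"}:
            probes[s.src] += 1
            if probes[s.src] >= threshold:
                blocked.add(s.src)
    return blocked


def handshake_gated_autoblock(traffic, threshold=THRESHOLD):
    """Shun only sources that have proven they receive the host's replies.

    A completed handshake (SYN from src, SYN/ACK back, ACK from src) must be
    observed before bare-FIN probes from that address are counted at all.
    """
    state = {}   # (client, server) -> "syn" | "synack" | "established"
    probes = defaultdict(int)
    blocked = set()
    for s in traffic:
        if s.flags == {"SYN"}:
            state[(s.src, s.dst)] = "syn"
        elif s.flags == {"SYN", "ACK"} and state.get((s.dst, s.src)) == "syn":
            state[(s.dst, s.src)] = "synack"
        elif s.flags == {"ACK"} and state.get((s.src, s.dst)) == "synack":
            state[(s.src, s.dst)] = "established"
        elif s.flags == {"FIN"}:
            proven = any(v == "established" and client == s.src
                         for (client, _server), v in state.items())
            if proven:
                probes[s.src] += 1
                if probes[s.src] >= threshold:
                    blocked.add(s.src)
    return blocked


if __name__ == "__main__":
    print("naive policy blocks:", sorted(naive_autoblock(TRAFFIC)))
    print("gated policy blocks:", sorted(handshake_gated_autoblock(TRAFFIC)))
```

Running it shows the naive policy blocking both 10.1.1.1 and 198.51.100.9, while the gated policy blocks only the host that actually completed a connection. The same principle applies to any shun or auto-block feature: a block decision should rest on evidence that only the true sender could have produced, and the decision should be logged so that the operator can see why a legitimate address stopped working.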
08-04-2004 03:51 AM
The default setting for blocking on the 4.1 sensor is 30 minutes. You can easily change this under the Configuration/Blocking/Blocking Properties menu. Once configured, add the blocking field to your IEV. This will give you the ability to see on the IDS if a blocking action has taken place.
08-04-2004 04:03 AM
I am talking about PIX blocking traffic. PIX is not in any way configured to work together with IDS sensor. This behaviour is only PIX related. PIX version 6.3(3).
08-04-2004 04:16 AM
My mistake, just assumed that it was IDS related on this forum.
08-04-2004 05:08 AM
If you don't get an answer here on the IDS Forum then I would suggest trying the Firewall Forum:
09-10-2004 01:35 AM
Sorry to say, but this turned out to be our fault. PIX was not blocking traffic; it was done by Symantec Firewall on a PC. Nothing to do with PIX. The issue is solved.