02-13-2012 09:56 AM - edited 03-10-2019 05:36 AM
Is there any advantage to creating a custom atomic signature that blocks the IP address vs making a host block that does not time out? Seems to me the first would give a lot more logging options, but the second method would be a bit simpler for engineers to maintain. Is there an official preferred method? Basically for manual blacklisting.
02-13-2012 11:42 AM
Do you want to block ALL the traffic from a static IP address?
I'm not so sure that an IPS Sensor is the proper platform for manual blacklisting. Wouldn't you rather use your firewall or router that already has static ACLs? Either of them can log attempts.
The IPS can capture packets, but if you're blocking connections, you will only get to see one side attempt to initiate a connection. Using a custom signature that will fire every time a known bad actor attempts a connection could be a waste of sensor resources.
Maybe I don't understand what you're trying to achieve.
- Bob
02-16-2012 12:36 AM
All depends on your scenario and policy requirements of your company, SOC or management!
Cisco IPS is very good, and now SCADA signatures are also available in the latest E4.
Kamran