Preferred method for blocking a source IP on IPS 7?

mike.siegel
Level 1

Is there any advantage to creating a custom atomic signature that blocks the IP address vs making a host block that does not time out? Seems to me the first would give a lot more logging options, but the second method would be a bit simpler for engineers to maintain. Is there an official preferred method? Basically for manual blacklisting.


rhermes
Level 7

Do you want to block ALL the traffic from a static IP address?

I'm not so sure that an IPS Sensor is the proper platform for manual blacklisting. Wouldn't you rather use your firewall or router that already has static ACLs? Either of them can log attempts.

The IPS can capture packets, but if you're blocking connections, you will only get to see one side attempt to initiate a connection. Using a custom signature that will fire every time a known bad actor attempts a connection could be a waste of sensor resources.

Maybe I don't understand what you're trying to achieve.

- Bob

game123
Level 1

All depends on your scenario and policy requirements of your company, SOC or management!

Cisco IPS is very good and now scads signatures are also available in the latest E4.

Kamran
