Shunning a host on PIX 520 but alerts still arriving at IDS

b.withrow
Level 1

Last week I was seeing a lot of traffic coming from a particular host that was triggering IDS alerts. After investigating the source I added a SHUN statement to the pix. When I do a 'sho shun stat' the cnt for that host is fairly high (352) and is climbing. I'm still getting alerts from the IDS on this particular host (IP Fragment and Host sweeps). I assumed that if I was shunning an IP I wouldn't get alerts from the IDS on it. Can anyone explain what I am doing wrong? Thanks in advance.

2 Replies

jekrauss
Level 1

Seems obvious, but can't hurt to ask - where is the sniffing interface of your sensor located? Obviously, if your sniffing interface is located outside of the pix, then the undesired traffic will still reach the pix - it just won't get through it.

Also, are you shunning that host for those alarms? Does a "show shun" show that host being blocked DURING the time that you are seeing alerts for that particular host?

Jeff
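The two checks Jeff raises (is the sensor outside the PIX, and was the host actually shunned at the time of each alert) can be scripted against the `show shun statistics` output and the sensor's alert log. This is an added example, not code from the thread or from Cisco; the shun-statistics line format (`Shun <ip> cnt=<n>, time=(h:mm:ss)`, with `time=` read as time elapsed since the shun was applied), the alert log format and all addresses and timestamps are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of 'show shun statistics' on the PIX. The per-host line
# format and the meaning of time= (elapsed since shun start) are assumptions.
SHUN_STATS = """\
outside=ON, cnt=352
inside=OFF, cnt=0
Shun 203.0.113.45 cnt=352, time=(0:41:12)
"""

# Constructed IDS alert lines in a hypothetical "<timestamp> <sig> src=<ip>" format.
IDS_ALERTS = """\
2003-04-10 09:40:00 Host Sweep src=203.0.113.45
2003-04-10 10:02:15 IP Fragment src=203.0.113.45
2003-04-10 10:05:40 Host Sweep src=203.0.113.45
2003-04-10 10:06:02 Host Sweep src=198.51.100.7
"""

# Constructed time at which the 'show shun statistics' output was captured.
NOW = datetime(2003, 4, 10, 10, 30, 0)

SHUN_RE = re.compile(r"^Shun (\S+) cnt=(\d+), time=\((\d+):(\d+):(\d+)\)")

def parse_shun_stats(text, now):
    """Return {ip: (count, shun_start)}; shun_start = capture time - elapsed."""
    shunned = {}
    for line in text.splitlines():
        m = SHUN_RE.match(line)
        if m:
            ip, cnt, h, mi, s = m.groups()
            elapsed = timedelta(hours=int(h), minutes=int(mi), seconds=int(s))
            shunned[ip] = (int(cnt), now - elapsed)
    return shunned

def classify_alerts(alerts, shunned, sensor_outside):
    """Label each alert. A sensor outside the PIX still sees packets the PIX
    drops, so an alert for an actively shunned host is expected there; seen
    inside, the same alert would mean the shun is not actually blocking."""
    results = []
    for line in alerts.splitlines():
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        src = line.rsplit("src=", 1)[1]
        entry = shunned.get(src)
        if entry is None:
            verdict = "not shunned"
        elif ts < entry[1]:
            verdict = "before shun"
        elif sensor_outside:
            verdict = "expected (sensor outside PIX)"
        else:
            verdict = "unexpected (sensor inside PIX)"
        results.append((src, verdict))
    return results
```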

Thanks for the input. You are correct in assuming the IDS is on the Outside of the firewall. So that explains why I see the alerts yet the IP is being shunned. Thanks again.
