Shunning with IDS 4.0 and PIX 6.2(2)

efink · ‎06-13-2003

1. I am trying to shun a host for 1 minute when a specific alarm is triggered. Shunning works O.K. but after 1 minute the entry in Block Host menu on IDS sensor dissappears but there's still a shun command on PIX. In other words it seems that the sensor passes the shun command to the PIX, but it doesn't pass the no shun properly.

Any suggestions ?

2. What is the difference between shunnig the connnection and shunning the host ? It' seems to me that both settings have the same outcome on PIX:

--- shun connection ----

Shun 195.210.201.225(10.5.0.187) 195.246.6.25 3046 80

--- shun host -----

Shun 195.210.201.225(10.5.0.187) 195.246.6.25 3314 80

Thanks in advance.

stleary · ‎06-13-2003

If the sensor is configured and working correctly then the shun should have

been removed from the PIX after it timed out. The most common reason

for a shun to remain on a blocking device after it times out on the sensor

is if communications with the blocking device has been lost. To check

this in IDM, click Monitoring/Statistics. Search for NetworkAccess Statistics.

The PIX device should be listed, and the state should be Active. If

not, then something is wrong with the sensor configuration for the PIX,

or possibly with network connectivity between sensor and PIX.

On the PIX, there is no difference between a host shun and a connection

shun. In either case, all packets from the attacking host are dropped

unconditionally.