Blocking not working on 4215

Hi, I am trying to test the Blocking feature on a 4215 and have not been successful. I am getting the signature triggered and it shows up in the Event Viewer. In the alarm it says shun is "true".

The objective is that the sensor should apply an access-list on ethernet 0/0 denying traffic sourced from R5.

Scenario:

vlan 15 (contains the command-and-control interface of the sensor and another PC running the Event Viewer) -> [ethernet 0/1 (150.50.15.101)] Router R1 [ethernet 0/0 (150.50.12.1)] -> vlan 2 (monitoring interface of the IDS sensor) -> Router R4 -> Router R5.

I cross-checked the following:

1. Allowed Hosts contains 150.50.15.101. Also confirmed that I can ping it from the sensor.
2. The signature has Shun Host and Shun Connection enabled. Also, when we initiate the attack, I get a notification in the Event Viewer that the alarm has triggered and shun is true. When I enabled TCP reset, it also reset the telnet connection when it contained the attack string.
3. Configuration: Blocking is enabled. Allow Sensor to be Blocked is disabled. Never Block contains no networks.
4. Logical Devices has routerr1 with telnet and enable password cisco.
5. Blocking Device has 150.50.15.101, Device Type Router, Logical Device routerr1, Communication telnet.
6. Blocking Interface FastEthernet0/0. Blocking Direction in. No pre-block or post-block ACL configured.
7. Since this is the only sensor, no master blocking sensor is configured.

I have confirmed that I can telnet to the router at IP address 150.50.15.101 from another host in the same vlan 15 with login password cisco and enable password cisco.

Also, under Administration -> Manual Blocking, I see the IP address (R5) being blocked and the time remaining after I initiate the attack.

Whatever I do I still do not see the access-list generated on the router.

sh statistics networkAccess gives me the following:

IDSRack11# sh statistics networkAccess
Current Configuration
   AllowSensorShun = false
   ShunMaxEntries = 50
   NetDevice
      Type = Cisco
      IP = 150.50.15.101
      NATAddr = 0.0.0.0
      Communications = telnet
      ShunInterface
         InterfaceName = FastEthernet0/0
         InterfaceDirection = in
State
   ShunEnable = true
   NetDevice
      IP = 150.50.15.101
      AclSupport = uses Named ACLs
      State = Inactive
   ShunnedAddr
      Host
         IP = 150.50.24.4
         ShunMinutes = 15
         MinutesRemaining = 2

Note that the State has always been Inactive, whatever I do. Is it something to do with the IDS version or the box I have?

Can somebody please help?

Version of Sensor 4.1(4)S99

Router version 12.2(15)T12

Regards,

Mohammed Ibrahim
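To make the statistics above easier to reason about, here is an added example (not from the thread and not Cisco's code) that parses the sensor's "show statistics networkAccess" output into a tree and cross-checks the configured blocking devices against their runtime state. The values in SAMPLE are the ones posted above; the indentation used to nest the sections is an assumption about how the sensor prints them, and the parser relies on it. The diagnosis it prints for this output is the situation the post describes: a block is recorded on the sensor, but the control session to the router is Inactive, so no ACL is ever written.

```python
"""Parse 'show statistics networkAccess' from a Cisco IDS 4.x sensor and
explain why a blocking device reports State = Inactive.

Added example, not the thread's or Cisco's code. The indentation in SAMPLE
is assumed; the values are the ones posted in the thread."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE = """\
IDSRack11# sh statistics networkAccess
Current Configuration
   AllowSensorShun = false
   ShunMaxEntries = 50
   NetDevice
      Type = Cisco
      IP = 150.50.15.101
      NATAddr = 0.0.0.0
      Communications = telnet
      ShunInterface
         InterfaceName = FastEthernet0/0
         InterfaceDirection = in
State
   ShunEnable = true
   NetDevice
      IP = 150.50.15.101
      AclSupport = uses Named ACLs
      State = Inactive
   ShunnedAddr
      Host
         IP = 150.50.24.4
         ShunMinutes = 15
         MinutesRemaining = 2
"""

PROMPT = re.compile(r"^\S+#\s")          # the "IDSRack11# ..." CLI prompt line


@dataclass
class Node:
    name: str
    value: Optional[str] = None          # set only for "key = value" lines
    children: List["Node"] = field(default_factory=list)

    def get(self, key: str) -> Optional[str]:
        """Value of the first direct child 'key = value', else None."""
        for child in self.children:
            if child.name == key and child.value is not None:
                return child.value
        return None

    def sections(self, name: str) -> List["Node"]:
        """All direct child sections called name (NetDevice may repeat)."""
        return [c for c in self.children if c.name == name and c.value is None]


def parse(text: str) -> Node:
    """Turn the indented output into a tree, one Node per line."""
    root = Node("root")
    stack = [(-1, root)]                 # (indent, node) path to the current line
    for raw in text.splitlines():
        if not raw.strip() or PROMPT.match(raw):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if " = " in line:
            key, val = line.split(" = ", 1)
            node = Node(key.strip(), val.strip())
        else:
            node = Node(line)
        while stack[-1][0] >= indent:    # climb back up to this line's parent
            stack.pop()
        stack[-1][1].children.append(node)
        stack.append((indent, node))
    return root


def diagnose(root: Node) -> List[str]:
    """Cross-check configured devices against their runtime state."""
    cfg = root.sections("Current Configuration")[0]
    state = root.sections("State")[0]
    findings: List[str] = []
    if state.get("ShunEnable") != "true":
        findings.append("blocking is disabled on the sensor (ShunEnable != true)")
    configured = {d.get("IP"): d for d in cfg.sections("NetDevice")}
    inactive: List[str] = []
    for dev in state.sections("NetDevice"):
        ip = dev.get("IP") or "?"
        if dev.get("State") == "Inactive":
            inactive.append(ip)
            conf = configured.get(ip)
            via = conf.get("Communications") if conf else "unknown transport"
            ifaces = [i.get("InterfaceName") or "?" for i in conf.sections("ShunInterface")] if conf else []
            findings.append(
                f"device {ip}: control session over {via} is Inactive, so no ACL "
                f"will be written to {', '.join(ifaces) or 'any interface'}; re-check "
                "the logical-device login/enable passwords and that the sensor can "
                "reach the device's management address")
    blocked = [h.get("IP") or "?" for s in state.sections("ShunnedAddr")
               for h in s.sections("Host")]
    if blocked and inactive:
        findings.append(
            f"block(s) for {', '.join(blocked)} exist on the sensor but cannot be "
            f"pushed to inactive device(s) {', '.join(inactive)}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse(SAMPLE)):
        print("-", finding)
```

Feed it the real output with parse(open("stats.txt").read()) once you have confirmed the indentation matches; the point of the check is that a ShunnedAddr entry alone proves nothing about the router, the NetDevice State is what decides whether the ACL gets pushed.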

7 Replies

teru-lei
Level 1

Hi Mohammed,

I have the same problem. I am using the 4215 with a PIX 501. I enabled debug on the PIX and I can see the IDS log on to the PIX and issue the "show shun" command, but even when I launch an ICMP attack on the PIX, and the IDS detects the attack, it does not shun the host on the PIX.

However, manual blocking works.

Can anybody explain the reason?

Thanks!

Best Regards

Teru Lei

Yours sounds like a different problem. Are you sure the sensor is alarming on the ICMP attack? If so, using IDM go to Administration -> Manual Blocking -> Host Block tab. Is the host being blocked there?

Jim

Hi Jim,

The alarm is on. I can see the events when I send ICMP packets. Alarm severity: high; event action: log, reset, shunhost, shunconnection, zero.

"Using IDM go to Administration -> Manual Blocking -> Host Block tab": I cannot see the host there.

Best Regards

Teru Lei

I know where the problem is now. Thanks Jim.

Best Regards

Teru Lei

I am a little confused by your event actions. Are you doing all the options? You should not have both shun host and shun connection selected. That will not stop anything, but the shun host should take priority. Zero should only be selected to clear all the actions. You should not select it together with anything else.

Try removing Zero and shun connection. Click on OK then Save the changes.

Wait 15 minutes then try the alarm again. Look at the admin manual blocking host tab again. The block should be there.

If not, can you log into the CLI and post the output of the show statistics networkAccess command, please.

Jim

jlively
Cisco Employee

There are a couple of things you can try:

1. Log into the sensor as service and su - root. Then telnet to the router and enter exactly the same things you entered in the Logical Device. If that works, do a show int FastEthernet0/0. If both work, log back off the router and try option 2.

2. Using IDM, connect to the sensor.

- Open another connection to the sensor's CLI.
- Log in as cisco.
- Do a show ev error and leave it running.
- Go back to IDM and, under the Blocking tab -> Blocking Devices, delete the device.
- Add the device back in.
- Under Router Blocking Interfaces, add the interface.

This should be enough to get NAC to try to reconnect to the router. Look at the CLI output: are there any errors? (It may take a minute to show up.)

If not, do a Ctrl-C to break out of the show ev error output and do another show ev nac. Is it still inactive?

Try this and let me know.

One more thing: do a show conf and page down to the Service NetworkAccess area. The passwords etc. you entered for the Logical Device should appear here. Make sure this info is also correct.

Jim
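Step 1 of the reply above is a manual replay of what the sensor's NAC service does when it opens a control session. The following is an added example (not Cisco's code and not from anyone in the thread) that automates that replay: it connects to the router's telnet port, supplies the login and enable passwords configured for the logical device, runs the show command, and reports which prompt it got stuck at, which is exactly the information "show ev error" should also surface. The prompt strings ("Password:", ">", "#") are assumed from standard IOS behaviour; the transcripts in GOOD_SESSION and BAD_LOGIN are constructed so the check runs offline, and TcpTransport is the class to use against a real router. The inbound_acl helper reads the "Inbound access list" line of "show ip interface" output, which is where a successfully pushed block would show up.

```python
"""Replay the logical-device login that the sensor's NAC service performs and
report which prompts were reached.

Added example, not Cisco's or the poster's code. Prompt strings are assumed
from standard IOS; the scripted transcripts are constructed for offline use."""
import re
import socket
from collections import deque
from typing import Deque, Dict, Iterable, List, Optional, Tuple

IAC = 0xFF                                   # telnet "interpret as command"


class TcpTransport:
    """Raw TCP client for a router's telnet port; option negotiation is dropped."""

    def __init__(self, host: str, port: int = 23, timeout: float = 5.0):
        self.sock = socket.create_connection((host, port), timeout)

    @staticmethod
    def _strip_iac(data: bytes) -> bytes:
        out, i = bytearray(), 0
        while i < len(data):
            if data[i] == IAC and i + 2 < len(data):
                i += 3                       # IAC <cmd> <option>: skip it
            else:
                out.append(data[i])
                i += 1
        return bytes(out)

    def read_until(self, markers: Tuple[bytes, ...]) -> bytes:
        buf = b""
        while not buf.rstrip().endswith(markers):
            chunk = self.sock.recv(4096)
            if not chunk:
                break
            buf += self._strip_iac(chunk)
        return buf

    def write(self, data: bytes) -> None:
        self.sock.sendall(data)


class ScriptedTransport:
    """Replays a constructed router transcript; same interface as TcpTransport."""

    def __init__(self, responses: Iterable[bytes]):
        self.responses: Deque[bytes] = deque(responses)
        self.sent: List[bytes] = []

    def read_until(self, markers: Tuple[bytes, ...]) -> bytes:
        return self.responses.popleft() if self.responses else b""

    def write(self, data: bytes) -> None:
        self.sent.append(data)


def verify_logical_device(t, login_pw: bytes, enable_pw: bytes,
                          commands: Iterable[bytes]) -> Dict[str, object]:
    """Walk login -> enable -> commands, stopping at the first rejected step."""
    report: Dict[str, object] = {"login": False, "enable": False, "output": {}}
    t.read_until((b"Password:",))
    t.write(login_pw + b"\r\n")
    got = t.read_until((b">", b"#", b"Password:"))
    if not got.rstrip().endswith((b">", b"#")):
        return report                        # login password rejected
    report["login"] = True
    if got.rstrip().endswith(b">"):          # user EXEC prompt: need enable
        t.write(b"enable\r\n")
        t.read_until((b"Password:",))
        t.write(enable_pw + b"\r\n")
        got = t.read_until((b"#", b"Password:", b">"))
        if not got.rstrip().endswith(b"#"):
            return report                    # enable password rejected
    report["enable"] = True
    outputs: Dict[bytes, bytes] = report["output"]  # type: ignore[assignment]
    for cmd in commands:
        t.write(cmd + b"\r\n")
        outputs[cmd] = t.read_until((b"#",))
    return report


def inbound_acl(show_ip_interface: bytes) -> Optional[str]:
    """Name of the inbound ACL in 'show ip interface' output, None if not set."""
    m = re.search(rb"Inbound\s+access list is (\S+)", show_ip_interface)
    return None if m is None or m.group(1) == b"not" else m.group(1).decode()


# Constructed transcripts modelled on IOS prompts (not captured from R1).
GOOD_SESSION = [
    b"User Access Verification\r\n\r\nPassword: ",
    b"\r\nR1>",
    b"Password: ",
    b"\r\nR1#",
    b"show ip interface FastEthernet0/0\r\nFastEthernet0/0 is up, line protocol is up\r\n"
    b"  Internet address is 150.50.12.1/24\r\n  Outgoing access list is not set\r\n"
    b"  Inbound  access list is not set\r\nR1#",
]
BAD_LOGIN = [b"Password: ", b"\r\n% Bad passwords\r\n\r\nPassword: "]
```

Against the real router, replace the scripted transport with TcpTransport("150.50.15.101") and run it from the sensor's service account so the connection originates from the same address NAC uses. A report with login true and enable false points at the enable password in the logical device; login false points at the VTY password or at a VTY access-class that admits your workstation but not the sensor.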