06-27-2004 09:04 PM - edited 03-09-2019 07:52 AM
Hi, I am trying to test the blocking feature on the 4215 and have not been successful. I am getting the signature triggered and it shows up in the event viewer. In the alarm it says shun is "true".
The objective is that the sensor should put an access-list on Ethernet 0/0 denying traffic sourced from R5.
Scenario:
vlan 15 (this contains the command and control interface of the sensor, and another PC which has the event viewer) -> [Ethernet 0/1 (150.50.15.101)] -> Router R1 -> [Ethernet 0/0 (150.50.12.1)] -> vlan 2 (monitoring interface of the IDS sensor) -> Router R4 -> Router R5.
I cross-checked the following:
1. Allowed hosts contains 150.50.15.101. Also confirmed that I can ping from the sensor.
2. Signature has shun host and shun connection enabled. Also, when we initiate the attack I get a notification in the event viewer that the alarm has triggered and shun is true. When I enabled TCP reset it also reset the telnet connection when it contained the attack string.
3. Configuration: blocking is enabled. Allow sensor to be blocked is disabled. Never Block contains no networks.
4. Logical Devices has routerr1 with telnet and enable password cisco.
5. Blocking device has 150.50.15.101, device type Router, logical device routerr1, communication telnet.
6. Blocking interface FastEthernet0/0, blocking direction in. No pre-block or post-block configured.
7. Since this is the only sensor, no master blocking sensor is configured.
I have confirmed that I can telnet to the router with the IP address 150.50.15.101 from another host in the same vlan 15 with login password cisco and enable password cisco.
Also, under Administration -> Manual Blocking I see the IP address (R5) being blocked and the time remaining after I initiate the attack.
Whatever I do, I still do not see the access-list generated on the router.
sh statistics networkAccess gives me the following:
IDSRack11# sh statistics networkAccess
Current Configuration
   AllowSensorShun = false
   ShunMaxEntries = 50
   NetDevice
      Type = Cisco
      IP = 150.50.15.101
      NATAddr = 0.0.0.0
      Communications = telnet
      ShunInterface
         InterfaceName = FastEthernet0/0
         InterfaceDirection = in
State
   ShunEnable = true
   NetDevice
      IP = 150.50.15.101
      AclSupport = uses Named ACLs
      State = Inactive
   ShunnedAddr
      Host
         IP = 150.50.24.4
         ShunMinutes = 15
         MinutesRemaining = 2
Note the State has always been Inactive, whatever I do. Is it something with the IDS version or the box I have?
Can somebody please help?
Version of sensor: 4.1(4)S99
Router version: 12.2(15)T12
Regards,
Mohammed Ibrahim
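As an added example (not part of the thread and not Cisco code), here is a small Python parser for the show statistics networkAccess output posted above. It pulls out the blocking (NAC) device state and the current shun entries and flags the situation the post describes: a host sitting in ShunnedAddr with minutes remaining while the only device is Inactive. The interpretation that Inactive means the sensor has no working management session to the device (so nothing is pushed to it) is an assumption consistent with the troubleshooting in the thread, not something the output itself states. The sample input is the posted output with the indentation the forum stripped restored; the parser does not depend on that indentation.

```python
"""Parse 'show statistics networkAccess' from a Cisco IDS 4.x sensor and
report whether the blocking device can actually apply the shun entries.
Added example, not from the original thread."""
import re
from dataclasses import dataclass, field

# Constructed sample: the output from the thread, indentation restored.
SAMPLE = """\
Current Configuration
   AllowSensorShun = false
   ShunMaxEntries = 50
   NetDevice
      Type = Cisco
      IP = 150.50.15.101
      NATAddr = 0.0.0.0
      Communications = telnet
      ShunInterface
         InterfaceName = FastEthernet0/0
         InterfaceDirection = in
State
   ShunEnable = true
   NetDevice
      IP = 150.50.15.101
      AclSupport = uses Named ACLs
      State = Inactive
   ShunnedAddr
      Host
         IP = 150.50.24.4
         ShunMinutes = 15
         MinutesRemaining = 2
"""

KV = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")


@dataclass
class NacStatus:
    shun_enable: bool = False
    devices: list = field(default_factory=list)  # {ip, acl_support, state}
    shunned: list = field(default_factory=list)  # {ip, shun_minutes, minutes_remaining}


def parse_network_access(text):
    """Walk the output line by line; bare words are section headers,
    'Key = Value' lines belong to the most recent NetDevice/Host under State."""
    status = NacStatus()
    top = None      # "Current Configuration" or "State"
    current = None  # dict currently being filled under State
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KV.match(line)
        if m is None:  # section header
            if line in ("Current Configuration", "State"):
                top, current = line, None
            elif top == "State" and line == "NetDevice":
                current = {"ip": None, "acl_support": None, "state": None}
                status.devices.append(current)
            elif top == "State" and line == "Host":
                current = {"ip": None, "shun_minutes": None, "minutes_remaining": None}
                status.shunned.append(current)
            continue
        key, value = m.group(1), m.group(2)
        if top != "State":
            continue  # the configured values are not what we are checking
        if key == "ShunEnable":
            status.shun_enable = value.lower() == "true"
        elif current is not None:
            if key == "IP":
                current["ip"] = value
            elif key == "AclSupport":
                current["acl_support"] = value
            elif key == "State":
                current["state"] = value
            elif key == "ShunMinutes":
                current["shun_minutes"] = int(value)
            elif key == "MinutesRemaining":
                current["minutes_remaining"] = int(value)
    return status


def diagnose(status):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    if not status.shun_enable:
        findings.append("blocking is disabled on the sensor (ShunEnable = false)")
    for dev in status.devices:
        if dev["state"] != "Active":
            # Assumption: Inactive means NAC has no usable session to the device,
            # so the block is recorded on the sensor but no ACL is applied.
            findings.append(f"device {dev['ip']} is {dev['state']}: check the logical "
                            "device credentials and telnet reachability from the sensor")
    if status.shunned and all(d["state"] != "Active" for d in status.devices):
        ips = ", ".join(h["ip"] for h in status.shunned)
        findings.append(f"shun entries exist ({ips}) but no device is Active to apply them")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_network_access(SAMPLE)):
        print("-", finding)
```

On the posted output this reports the Inactive device and the orphaned shun entry for 150.50.24.4, which is exactly the gap between the sensor's own block table (visible under Manual Blocking) and the router's access-lists.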
06-28-2004 07:20 PM
Hi Mohammed,
I have the same problem. I am using the 4215 with a PIX 501. I turned on debug on the PIX and I can see the IDS log on to the PIX and issue the "show shun" command, but even when I launch an ICMP attack at the PIX and the IDS detects the attack, it does not shun the host on the PIX.
However, manual blocking works.
Can anybody explain the reason?
Thanks!
Best Regards
Teru Lei
06-29-2004 06:40 AM
Yours sounds like a different problem. Are you sure the sensor is alarming on the ICMP attack? If so, using IDM go to Administration -> Manual Blocking -> Host Block tab. Is the host being blocked there?
Jim
06-29-2004 05:35 PM
Hi Jim,
The alarm is on. I can see the events when I send ICMP packets. Alarm severity: high; event actions: log, reset, shunHost, shunConnection, zero.
"Using IDM go to Administration -> Manual Blocking -> Host Block tab": I cannot see the host there.
Best Regards
Teru Lei
06-29-2004 07:22 PM
I know where the problem is now. Thanks Jim.
Best Regards
Teru Lei
06-29-2004 07:24 PM
I am a little confused by your event actions. Are you doing all the options? You should not have both shun host and shun connection selected. That will not stop anything, but the shun host should take priority. Zero should only be selected to clear all the actions. You should not select it with anything else.
Try removing Zero and shun connection. Click OK, then Save the changes.
Wait 15 minutes, then try the alarm again. Look at the Admin -> Manual Blocking host tab again. The block should be there.
If not, can you log into the CLI and post the output of the show statistics networkAccess command, please?
Jim
06-29-2004 06:37 AM
There are a couple of things you can try:
1. Log into the sensor as service and su - root. Then telnet to the router and enter the exact same things you entered in the logical device. If that works, do a show int FastEthernet0/0. If both work, log back off the router and try option 2.
2. Using IDM, connect to the sensor.
- Open another connection to the sensor's CLI.
- Log in as cisco.
- Do a show ev error and leave it running.
- Go back to IDM and under the Blocking tab -> Blocking Devices, delete the device.
- Add the device back in.
- Under Router Blocking Interfaces, add the interface.
This should be enough to get NAC to try and reconnect to the router. Look at the CLI output: are there any errors? (It may take a minute to show up.)
If not, do a Ctrl-C to break out of the show ev error output and do a show ev nac. Is it still inactive?
Try this and let me know.
06-29-2004 06:52 AM
One more thing: do a show conf and page down to the Service NetworkAccess area. The passwords etc. you entered for the logical device should appear here. Make sure this info is also correct.
Jim