IDS Shunning Notification

dennis.ng
Level 1

Hi,

I'm using CSPM 2.3.3i to manage IDS sensor 3.1 with an IOS router to block malicious attacks (shunning), but how can CSPM be configured to send a notification to the administrator telling them what IP address(es) were blocked by the ACL at that moment? And can I also generate it from the CSPM report? Thanks

Any feedback would be appreciated.

Regards, Dennis

2 Replies

gfullage
Cisco Employee

Unfortunately CSPM doesn't provide any notifications that an IP address was shunned, simply because shunning is carried out by the sensor, not by CSPM. The only place to get a listing of what was shunned is by going through the log file on the sensor itself and searching for the shun keyword. The sensor is a UNIX file system so you can grep all these lines out of the log file on a regular basis or whatever suits you best.

Log file is /usr/nr/var/log.$DATETIME, which is regularly copied and written to /usr/nr/var/new/log.yyyymmddhhmm.
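
An added example, not part of the original reply and not Cisco's code: one way to run the periodic grep described above so that each shun line is reported only once, even though the active log is later copied into `new/`. The function name `new_shun_lines` and the `STATE_FILE` path are hypothetical, and because the page does not show the log line layout, lines are matched case-insensitively on the keyword and compared as whole lines.

```shell
#!/bin/sh
# Added example (not from the original thread).
# LOG_DIR is the directory named in the reply; STATE_FILE is a hypothetical path
# that remembers which shun lines were already reported.
LOG_DIR="${LOG_DIR:-/usr/nr/var}"
STATE_FILE="${STATE_FILE:-/var/tmp/shun_seen.txt}"

# new_shun_lines: print shun lines from the active and archived logs that are
# not yet recorded in STATE_FILE, then record them so the next run skips them.
new_shun_lines() {
    touch "$STATE_FILE" || return 1
    tmp=$(mktemp) || return 1

    # Active logs are log.$DATETIME; archived copies are new/log.yyyymmddhhmm.
    for f in "$LOG_DIR"/log.* "$LOG_DIR"/new/log.*; do
        [ -f "$f" ] || continue
        # -i because the exact case of the keyword in the log is an assumption.
        grep -i 'shun' "$f" || true
    done | sort -u > "$tmp"      # sort -u drops lines present in both copies

    # Keep only lines absent from the state file (fixed-string, whole-line).
    if [ -s "$STATE_FILE" ]; then
        grep -v -x -F -f "$STATE_FILE" "$tmp" || true
    else
        cat "$tmp"
    fi > "$tmp.new"

    cat "$tmp.new" >> "$STATE_FILE"
    cat "$tmp.new"
    rm -f "$tmp" "$tmp.new"
}
```

Run from cron on the sensor, the function's output can be handed to whatever mail or paging mechanism the administrator already uses; empty output means nothing new was shunned since the last run.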

Hi Glenn,

Thanks for your response.

But may I know whether it can do that in VMS, or in a future version, IDS v4?

Regards,

Dennis.
