
Shun question/suggestion re: Kazaa

jeff.roback
Level 1

Is it currently possible to shun the Destination IP of an alarm?

For example, if one of my users tries to open a Kazaa session with a remote site, alarm 11005 fires. In this case the user is the source and the Kazaa server is the destination. Currently I send a reset, but actually I'd like to temporarily shun the destination of the Kazaa GET request to limit the functionality of Kazaa as much as possible. I don't want to shun the source, since I only want to block the user's Kazaa activity, not all internet activity. So is there any way to modify the shun functionality to shun the DESTINATION of the attack instead of the source for this alarm?

If I can't change the shun methodology, is it possible to modify the signature to reverse the source & destination ip in the signatures so that the shun will take the effect I want?

As a side thought, it'd be exceptionally cool if an IDS sensing outside a pix could do a port/ip lookup in the pix (via its inside control interface) to give the true client IP address of clients being NATed through the pix.

Thanks!

2 Replies

jlively
Cisco Employee

You could turn FlipAddr on; that would flip the source and dest IP sent to managed/nac.

But the shun command has still been the same...

This only modified the event message.