Hi Stuart

I am just trying to trigger a request block host and rate limit.
The request block host is working and I see that the sensor is configuring ACLs on the router (blocking device). If there are four blocking devices (routers) defined in the list, will the ACL be configured by the sensor on all four devices' interfaces when the signature is triggered?

With regards
Kings

On Mon, Nov 30, 2009 at 1:48 PM, Stuart Hare <[email protected]> wrote:

> Kings,
>
> Do you have a specific issue? If so, can you explain further?
>
> Generally, if you are having trouble with this, it's always a good idea to
> check the logs of the blocking device itself; it's more likely to give you
> more info as to whether the IPS can log in or why the block was failing.
>
> If you are doing requests to both ASA and IOS devices using the sensor, you
> typically will need to ignore the alerts for the ASA when an IOS event is
> triggered, as it will only support the block host / shun requests, hence the
> possible failures.
> It would be good to suppress these but I never managed to find a way.
>
> Stu
>
> 2009/11/30 Kingsley Charles <[email protected]>
>
>> Hi Stuart
>>
>> That's true, same here. I am not able to verify the functionality of
>> request host block/rate limit because I always see login failure issues.
>>
>> I succeeded just once or twice.
>>
>> With regards
>> Kings
>>
>> On Mon, Nov 30, 2009 at 12:03 PM, Stuart Hare <[email protected]> wrote:
>>
>>> Kings
>>>
>>> I found this a little frustrating myself, especially considering that when you
>>> have ASA as a blocking device, you get a lot of failure messages in the log
>>> due to certain methods being unsupported. Unfortunately I couldn't find a
>>> way to bypass this for certain devices. Not sure whether this has changed in
>>> the latest code though.
>>>
>>> Stu
>>>
>>> Sent from my iPhone
>>>
>>> On 30 Nov 2009, at 05:57, Kingsley Charles <[email protected]> wrote:
>>>
>>>> Hi all
>>>>
>>>> We can configure the sensor to "Request block host" and "Request Rate
>>>> limit."
>>>> If these actions are configured for the signatures and the
>>>> signatures are triggered, a request is sent to the
>>>> routers/switches that are present in the blocking devices list.
>>>>
>>>> My understanding is that the request is sent to all the devices in the
>>>> blocking device list.
>>>>
>>>> In that case, the block request or rate limit will also be sent to
>>>> devices that are not relevant to the attack.
>>>>
>>>> Is there any way we can tie the blocking request or rate limit
>>>> request triggered by a signature to specific hosts or a subset of hosts in the
>>>> blocking device list defined in the sensor?
>>>>
>>>> With regards
>>>> Kingsley Charles
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training,
>>>> please visit www.ipexpert.com
