In the monitoring, I don't see the rate limit log. Let me try it again.
With regards
Kings

On Tue, Dec 1, 2009 at 6:37 PM, Stuart Hare <[email protected]> wrote:

> Ok so if the sensor is successfully logging into the device, check under
> the monitoring tab in IDM to see if the sensor has added an entry for the
> block/rate limit, in the respective sections. Maybe the sensor thinks that
> the block or rate limit is already applied. You can clear these entries
> and try and fire the event again.
>
> Not sure whether this applies but after some playing with this previously,
> I'd say don't make any manual changes on the blocking devices once the
> config is applied by the sensor. This can lead to some unexpected behaviour.
>
> Stu
>
> 2009/12/1 Kingsley Charles <[email protected]>
>
>> Hi Stu
>>
>> I repeated many times and it is working for me with both DES and 3DES.
>> This time, I tried a manual host block and then the signature-triggered
>> host block.
>>
>> But the rate limit is still a problem for me.
>>
>> I have configured a flood host signature and configured the action with
>> rate limit. But I don't see the QoS policy/class and service policy
>> configured on the router.
>>
>> But "sh line" and "sh users" show that the sensor has established the
>> connection with the router (blocking device).
>>
>> The profile, blocking device and interface have been configured.
>>
>> With regards
>> Kings
>>
>> On Tue, Dec 1, 2009 at 2:54 PM, Stuart Hare <[email protected]> wrote:
>>
>>> Kings,
>>>
>>> Take a look through the IPexpert Lab3 detailed solution guide if you have
>>> it for the IPS sections. It covers both ASA and IOS blocking devices and
>>> includes rate limiting also.
>>>
>>> Basically either algorithm should work. Where are you testing the SSH
>>> from? Double check your logs on the ASA to make sure that the IPS is not
>>> being denied.
>>>
>>> Let me know if you still have issues?
>>>
>>> Stu
>>>
>>> 2009/12/1 Kingsley Charles <[email protected]>
>>>
>>>> Hi Stu
>>>>
>>>> Even I am facing the issue, where the shun is not initiated on the ASA.
>>>> The events O/P informs that the ASA is unreachable.
>>>>
>>>> But I am able to ping and ssh to the ASA.
>>>>
>>>> BTW, what is the algorithm that you are using for SSH in the profile - DES
>>>> or 3DES?
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> On Mon, Nov 30, 2009 at 6:04 PM, Stuart Hare <[email protected]> wrote:
>>>>
>>>>> Kings,
>>>>>
>>>>> Yes the IPS will try and apply the block or rate limit to all the
>>>>> blocking devices it manages. I have only really seen an issue like this
>>>>> when blocking to both IOS and ASA devices. Double check that all the
>>>>> devices can be managed by the IPS, and that your blocking device
>>>>> profiles are correct.
>>>>>
>>>>> Stu
>>>>>
>>>>> 2009/11/30 Kingsley Charles <[email protected]>
>>>>>
>>>>>> Hi Stuart
>>>>>>
>>>>>> I am just trying to trigger a request block host and rate limit.
>>>>>>
>>>>>> The request block host is working and I see that the sensor is
>>>>>> configuring ACLs on the router (blocking device).
>>>>>>
>>>>>> If there are four blocking devices (routers) defined in the list, will
>>>>>> the ACL be configured by the sensor on all four devices' interfaces
>>>>>> when the signature is triggered?
>>>>>>
>>>>>> With regards
>>>>>> Kings
>>>>>>
>>>>>> On Mon, Nov 30, 2009 at 1:48 PM, Stuart Hare <[email protected]> wrote:
>>>>>>
>>>>>>> Kings,
>>>>>>>
>>>>>>> Do you have a specific issue? If so can you explain further?
>>>>>>>
>>>>>>> Generally if you are having trouble with this it's always a good idea
>>>>>>> to check the logs of the blocking device itself; it's more likely to
>>>>>>> give you more info as to whether the IPS can log in or why the block
>>>>>>> was failing.
>>>>>>>
>>>>>>> If you are doing requests to both ASA and IOS devices using the
>>>>>>> sensor, you typically will need to ignore the alerts for the ASA when
>>>>>>> an IOS event is triggered, as it will only support the block host / shun
>>>>>>> requests, hence the possible failures. It would be good to suppress
>>>>>>> these but I never managed to find a way.
>>>>>>>
>>>>>>> Stu
>>>>>>>
>>>>>>> 2009/11/30 Kingsley Charles <[email protected]>
>>>>>>>
>>>>>>>> Hi Stuart
>>>>>>>>
>>>>>>>> That's true, same here. I am not able to verify the functionality of
>>>>>>>> request host block/rate limit because I always see login failure
>>>>>>>> issues.
>>>>>>>>
>>>>>>>> I succeeded just once or twice.
>>>>>>>>
>>>>>>>> With regards
>>>>>>>> Kings
>>>>>>>>
>>>>>>>> On Mon, Nov 30, 2009 at 12:03 PM, Stuart Hare <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Kings
>>>>>>>>>
>>>>>>>>> I found this a little frustrating myself, especially considering
>>>>>>>>> when you have an ASA as a blocking device, you get a lot of failure
>>>>>>>>> messages in the log due to certain methods being unsupported.
>>>>>>>>> Unfortunately I couldn't find a way to bypass this for certain
>>>>>>>>> devices. Not sure whether this has changed in the latest code though.
>>>>>>>>>
>>>>>>>>> Stu
>>>>>>>>>
>>>>>>>>> Sent from my iPhone
>>>>>>>>>
>>>>>>>>> On 30 Nov 2009, at 05:57, Kingsley Charles <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hi all
>>>>>>>>>>
>>>>>>>>>> We can configure the sensor to "Request block host" and "Request
>>>>>>>>>> Rate limit." If these actions are configured for the signatures and
>>>>>>>>>> the signatures are triggered, the request is sent to
>>>>>>>>>> routers/switches that are present in the blocking devices list.
>>>>>>>>>>
>>>>>>>>>> My understanding is that the request is sent to all the devices in
>>>>>>>>>> the blocking device list.
>>>>>>>>>>
>>>>>>>>>> In that case, the block request or rate limit will also be sent to
>>>>>>>>>> devices that are not relevant to the attack.
>>>>>>>>>>
>>>>>>>>>> Is there any way we can tie the blocking request or rate limit
>>>>>>>>>> request triggered by a signature to specific hosts or a subset of
>>>>>>>>>> hosts in the blocking device list defined in the sensor?
>>>>>>>>>>
>>>>>>>>>> With regards
>>>>>>>>>> Kingsley Charles
>>>>>>>>>> _______________________________________________
>>>>>>>>>> For more information regarding industry leading CCIE Lab training,
>>>>>>>>>> please visit www.ipexpert.com
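As an added example that is not part of this thread: a small Python triage that models the fan-out Stu describes (every managed blocking device receives the request, and an ASA honours only block host/shun), then separates the expected "unsupported on ASA" failures from the login and reachability failures Kings is chasing. The log line shape, device names and capability table are constructed assumptions for this example, not a real Cisco IPS/IDM format.

```python
import re

# Capabilities as described in the thread: ASA = block host (shun) only; IOS = both.
SUPPORTED = {"asa": {"block-host"}, "ios": {"block-host", "rate-limit"}}

def fanout(devices, action):
    """Every managed device gets the request; devices is a list of (name, type)."""
    return {name: ("will-apply" if action in SUPPORTED[dtype] else "will-fail-unsupported")
            for name, dtype in devices}

# Constructed log shape for this example (not a real Cisco IPS/IDM format):
# "<ts> <device> type=<asa|ios> action=<block-host|rate-limit> result=<ok|failed> [reason=<text>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) type=(?P<type>asa|ios) "
    r"action=(?P<action>block-host|rate-limit) result=(?P<result>ok|failed)"
    r"(?: reason=(?P<reason>.*))?$"
)

def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(ev):
    """'applied', 'expected-unsupported' (rate limit sent to an ASA: noise)
    or 'needs-attention' (login failure, unreachable device, stale entry)."""
    if ev["result"] == "ok":
        return "applied"
    if ev["action"] not in SUPPORTED[ev["type"]]:
        return "expected-unsupported"
    return "needs-attention"

def triage(lines):
    """Bucket log lines by classification; unparseable lines are skipped."""
    out = {"applied": [], "expected-unsupported": [], "needs-attention": []}
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            out[classify(ev)].append((ev["device"], ev["action"], ev["reason"] or ""))
    return out

# Constructed sample log: one flood-host signature firing with both actions set.
SAMPLE_LOG = [
    "2009-12-01T18:40:01 rtr1 type=ios action=block-host result=ok",
    "2009-12-01T18:40:01 rtr1 type=ios action=rate-limit result=ok",
    "2009-12-01T18:40:02 asa1 type=asa action=block-host result=ok",
    "2009-12-01T18:40:02 asa1 type=asa action=rate-limit result=failed reason=unsupported",
    "2009-12-01T18:40:03 rtr2 type=ios action=rate-limit result=failed reason=login failure",
    "2009-12-01T18:40:03 asa2 type=asa action=block-host result=failed reason=device unreachable",
    "not a blocking-device line",
]
```

Running `triage(SAMPLE_LOG)` leaves only rtr2 (login failure) and asa2 (unreachable) in the needs-attention bucket, which is where the thread says to go look at the blocking device's own logs.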
