Hi Tyson

I have configured a custom flood host signature matching ICMP reply. I see
the alert generated when the sig triggers, but not the rate limit log.

I will try again with the sigs that you have mentioned.

With regards
Kings

On Tue, Dec 1, 2009 at 7:00 PM, Tyson Scott <[email protected]> wrote:

> Kingsley,
>
> There are 9 signatures that are supported for rate-limiting: 2152, 2153,
> 4002, 6901, 6902, 6903, 6910, 6920, 3050. Is it alarming on one of these
> signatures when you look at the event log? Does the event log report any
> errors when it connects? In the blocking device settings, do you have it
> checked for rate-limiting? Under “Router Blocking Device Interface(s)”, have
> you configured the interface you want rate-limiting applied to?
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S,
> Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service
> Provider) Certification Training with locations throughout the United
> States, Europe and Australia. Be sure to check out our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
> *From:* Kingsley Charles [mailto:[email protected]]
> *Sent:* Tuesday, December 01, 2009 7:49 AM
> *To:* Tyson Scott
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] IPS rate limit and request host
> blocking
>
> Hi Tyson
>
> The rate-limit command is not getting configured, but I see the sensor
> establishing the connection to the router, and an alert is also generated in
> the logs.
>
> What would I be missing?
>
> With regards
> Kings
>
> On Tue, Dec 1, 2009 at 5:47 PM, Tyson Scott <[email protected]> wrote:
>
> Kingsley,
>
> The IPS uses the rate-limit command with an access-list under the interface
> you have selected to apply it to. It uses the legacy method.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Kingsley Charles
> *Sent:* Tuesday, December 01, 2009 5:34 AM
> *To:* Stuart Hare
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] IPS rate limit and request host
> blocking
>
> Hi Stu
>
> I repeated it many times and it is working for me with both DES and 3DES.
> This time, I tried a manual host block and then the signature-triggered
> host block.
>
> But the rate limit is still a problem for me.
>
> I have configured a flood host signature and configured the action with
> rate limit. But I don't see the QoS policy/class and service policy
> configured on the router.
>
> But "sh line" and "sh users" show that the sensor has established the
> connection with the router (blocking device).
>
> The profile, blocking device and interface have been configured.
>
> With regards
> Kings
>
> On Tue, Dec 1, 2009 at 2:54 PM, Stuart Hare <[email protected]>
> wrote:
>
> Kings,
>
> Take a look through the IPexpert Lab3 detailed solution guide, if you have
> it, for the IPS sections.
>
> It covers both ASA and IOS blocking devices and includes rate limiting
> also.
>
> Basically either algorithm should work. Where are you testing the SSH from?
>
> Double check your logs on the ASA to make sure that the IPS is not being
> denied.
>
> Let me know if you still have issues.
>
> Stu
>
> 2009/12/1 Kingsley Charles <[email protected]>
>
> Hi Stu
>
> Even I am facing the issue where the shun is not initiated on the ASA. The
> events O/P informs that the ASA is unreachable.
>
> But I am able to ping and SSH to the ASA.
>
> BTW, what algorithm are you using for SSH in the profile - DES or
> 3DES?
>
> With regards
> Kings
>
> On Mon, Nov 30, 2009 at 6:04 PM, Stuart Hare <[email protected]>
> wrote:
>
> Kings,
>
> Yes, the IPS will try and apply the block or rate limit to all the blocking
> devices it manages.
>
> I have only really seen an issue like this when blocking to both IOS and
> ASA devices.
>
> Double check that all the devices can be managed by the IPS, and that your
> blocking device profiles are correct.
>
> Stu
>
> 2009/11/30 Kingsley Charles <[email protected]>
>
> Hi Stuart
>
> I am just trying to trigger a request block host and rate limit.
>
> The request block host is working and I see that the sensor is configuring
> ACLs on the router (blocking device).
>
> If there are four blocking devices (routers) defined in the list, will the
> ACL be configured by the sensor on all four devices' interfaces when the
> signature is triggered?
>
> With regards
> Kings
>
> On Mon, Nov 30, 2009 at 1:48 PM, Stuart Hare <[email protected]>
> wrote:
>
> Kings,
>
> Do you have a specific issue? If so, can you explain further?
>
> Generally, if you are having trouble with this, it's always a good idea to
> check the logs of the blocking device itself; it's more likely to give you
> more info as to whether the IPS can log in or why the block was failing.
>
> If you are doing requests to both ASA and IOS devices using the sensor, you
> typically will need to ignore the alerts for the ASA when an IOS event is
> triggered, as it will only support the block host / shun requests, hence the
> possible failures.
>
> It would be good to suppress these but I never managed to find a way.
>
> Stu
>
> 2009/11/30 Kingsley Charles <[email protected]>
>
> Hi Stuart
>
> That's true, same here. I am not able to verify the functionality of
> request host block/rate limit because I always see login failure issues.
>
> I succeeded just once or twice.
>
> With regards
> Kings
>
> On Mon, Nov 30, 2009 at 12:03 PM, Stuart Hare <[email protected]>
> wrote:
>
> Kings
>
> I found this a little frustrating myself, especially considering that when
> you have an ASA as a blocking device, you get a lot of failure messages in the
> log due to certain methods being unsupported. Unfortunately I couldn't find a
> way to bypass this for certain devices. Not sure whether this has changed in
> the latest code though.
>
> Stu
>
> Sent from my iPhone
>
> On 30 Nov 2009, at 05:57, Kingsley Charles <[email protected]>
> wrote:
>
> Hi all
>
> We can configure the sensor to "Request block host" and "Request Rate
> limit." If these actions are configured for the signatures and the
> signatures are triggered, a request is sent to the
> routers/switches that are present in the blocking devices list.
>
> My understanding is that the request is sent to all the devices in the
> blocking device list.
>
> In that case, the block request or rate limit will also be sent to devices
> that are not relevant to the attack.
>
> Is there any way we can tie the blocking request or rate limit
> request triggered by a signature to specific hosts or a subset of hosts in the
> blocking device list defined in the sensor?
>
> With regards
> Kingsley Charles
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
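Tyson's point in the thread is that the sensor's "Request Rate Limit" action writes a legacy CAR `rate-limit` statement with an access-list under the chosen interface, not an MQC class-map/policy-map/service-policy, which is why Kings found nothing under the QoS policy. The following is an added illustration of that legacy form and how to verify it on the router; it is constructed for this page, not output from the thread or from a sensor, and the ACL number, matched flow (ICMP echo-reply to a host, to mirror Kings's flood signature) and the bps/burst values are assumed and will differ from what a real sensor writes.

```cisco
! Constructed IOS example (not from the thread): the legacy CAR form that a
! "Request Rate Limit" action applies on the blocking device.
! Assumed: ACL 199, target host 192.0.2.10, 8000 bps with 8000-byte bursts.
access-list 199 permit icmp any host 192.0.2.10 echo-reply
!
interface FastEthernet0/0
 ! rate-limit {input|output} access-group <acl> <bps> <normal-burst> <max-burst>
 !            conform-action <action> exceed-action <action>
 rate-limit input access-group 199 8000 8000 8000 conform-action transmit exceed-action drop
!
! What will NOT appear: no class-map, policy-map or service-policy is created,
! so "show policy-map interface" stays empty even when the action succeeded.
!
! Verification after the signature fires:
!   show interfaces FastEthernet0/0 rate-limit   ! CAR entry plus conformed/exceeded counters
!   show ip access-lists 199                     ! the ACL the sensor pushed
!   show users                                   ! the sensor's management session (as in "sh users")
```

Kings's "sh line" / "sh users" check only proves the sensor logged in; `show interfaces <if> rate-limit` is what confirms the rate-limit action was actually applied, and its exceeded counter is what should climb during the flood.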