Solved

IDS Attacks response

Posted on 2004-09-01
9
249 Views
Last Modified: 2010-04-09
Hi

I have an IDS configured in the network, im using the IEV monitor and im able to see the attacks by their Ip address,
by i want to know the action that has been taken to prevent this attacks?

Thanks


0
Comment
Question by:ibmas4002
  • 4
  • 3
  • 2
9 Comments
 
LVL 18

Expert Comment

by:liddler
ID: 11953479
IF you have a router with acls (Access Control Lists) or a firewall you can block the specific IP addresses.  You can also use ripe to find out the abuse address for their netblock and report their abuse, and get them dropped by their ISP.
0
 
LVL 2

Author Comment

by:ibmas4002
ID: 11955573
Thanks Liddler

I have event viwer installed, also i configured the blocking device. but the signatures its showing nothing in the actions.

so do i need to configure manually to take the actions??

thanks
0
 
LVL 18

Expert Comment

by:liddler
ID: 11955951
Sorry I don't know IEV, you'll have to look at the cisco? docs
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 11956180
Configure the network IDS with an active port that it can send TCP RST packets to and/or actively modify the upstream router ACL.
Alternatively, buy an inline IPS - Intrusion Prevention System, which will do all this for you...
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 2

Author Comment

by:ibmas4002
ID: 11957489
Hi  tim_holman

can you explain how to configure the IDS for TCP RST flag.

Thanks
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 11957658
What's the exact make and model of your NIDS, and what do you use to manage it  ?
0
 
LVL 2

Author Comment

by:ibmas4002
ID: 11960132
i have 4215 and its connected to the external switch.
0
 
LVL 23

Accepted Solution

by:
Tim Holman earned 250 total points
ID: 11961693
Does the external switch support ACLs ?
The way you'd normally set these up would be:

Internet
|
Router
|
IDS
|
Internal network

..and if the IDS detects anything odd then configure it to modify the router's ACL.

It cannot directly prevent attacks, although it can send RST packets to the originator to reset the session, but then why bother communicating back to the source - just block it with the ACL.

Instructions using IDSM are here:

http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_installation_and_configuration_guide_chapter09186a00801a0c83.html

Look under Configuring Blocking:

http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_installation_and_configuration_guide_chapter09186a00801a0c83.html#32394
0
 
LVL 2

Author Comment

by:ibmas4002
ID: 11994870
Thanks  tim_holman

its useful
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Fortinet FWs backdoor vulnerability 3 87
How to Access NetScaler admin URL from external source 8 1,039
TMG Firewall website policy 2 142
Firewall question 5 92
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now