In article , arturo.servin wrote:
:About the shun command.
:If it is configured for an offending host, will the Pix block all the
:traffic to the offended host when the IDS (of the PIX) detects some
:strange behavior, or will it always filter the traffic specified in the
:shun command no matter if the IDS detects something?
shun is unconditional: all traffic to and from the designated host is -immediately- stopped (whereas an access-list change would only deal with -new- attempts.)
The idea is that when the IDS detects monkey business, it tells the PIX to shun the host, and it leaves it shunned until the IDS policies deem it safe to open up again (e.g. if the policy is a 10 minute block, then 10 minutes later the IDS would tell the PIX to stop shunning the host.)
If you do use shun, here's something to watch out for: each time the shunned system attempts to communicate, a log message is generated. If your log level and configuration so permit, that log message will be sent to your syslog server. The load generated by the log messages may be more than the load generated by the attacking host itself :( Thus, depending on your needs, you might wish to specifically disable the shun log message.
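For readers who want to see the above on the CLI, here is an added example (not part of the original post or reply): manually shunning a host on a PIX, then suppressing the per-packet shun syslog message. The address 192.0.2.45 is constructed for illustration, and the syslog ID 401004 is assumed to be the "Shunned packet" message on your software train; check it against the syslog message guide for your PIX version before disabling anything.

```text
! Added example, not from the original post. Address constructed; the
! syslog ID 401004 is an assumption to verify for your PIX version.

! Drop all traffic to and from 192.0.2.45 right now, including connections
! that are already established (an access-list change would only stop
! new attempts; shun also tears down what is already flowing).
pix(config)# shun 192.0.2.45

! Verify the entry. The packet counter shown per shun climbs with every
! packet the host keeps sending, and each of those packets also produces
! a syslog message.
pix(config)# show shun

! With a host that keeps hammering you, the "%PIX-4-401004: Shunned
! packet: ..." stream (assumed ID) toward the syslog server can exceed
! the attack traffic itself. Disable that one message rather than
! lowering the overall logging level, so other events still arrive.
pix(config)# no logging message 401004

! Shun entries are dynamic and are not part of the saved configuration;
! remove the entry explicitly when the block should end. An IDS with a
! 10-minute block policy issues the equivalent of this when its timer
! expires.
pix(config)# no shun 192.0.2.45
```

Keep `show shun` and `show logging` handy while a shun is active: watching the shun packet counter against your syslog rate is the quickest way to tell whether the log traffic, rather than the attacker, is what is loading you.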