I am not sure I really like the idea of automated IDSs putting IPs into a block database, but I do see some uses for it (if it knows the difference between spoofed IPs and won't block the root servers ;-)
It does, however, make Nessus testing difficult. Has anyone come up with a combination of NIDS evasion options that allow a good scan on a Cisco IDS? I assume starting out with nmap by hand with -T paranoid, feeding it back to Nessus. I tried setting the delay between tests to 15 mins (15*60*60) and am going to try some NIDS evasion options. I also was thinking about using the KB database (not rerunning tests) but have no way of knowing how far a scan went before the IP was auto-blocked. Yes, I could put our IP in the exclude/allow range, but that would not test out any real-world capability, would it?

--
Michael Scheidell
SECNAP Network Security, LLC
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
Looking for a career in Internet security? http://www.secnap.net/employment/
