IDS TCP reset


The original Cisco sensors sent the TCP reset only to the attacking host.

Later versions of the Cisco sensors, however, send TCP resets to both the attacker and the victim, to give a better chance of closing the connection.

The conflicting answers probably come down to which version of the Cisco sensor the question writers were more familiar with.

Since the exam came out after the change to the sensors had already been made, the security exam most likely expects the answer "sent to both the attacking and the attacked hosts".

Tags: Cisco Security

Similar Questions

  • 4235 IDS Sensor monitoring several VLANs & TCP Reset (packet injection)

    I understand that the 4235 sensor can receive traffic that is split across several VLANs, where 802.1Q tags have been applied by the switches (3750s in this case).

    I have two questions (assuming the statement above is correct).

    1. Is it possible to inject traffic (e.g., to reset TCP sessions) into each monitored VLAN (i.e., would the 4235 tag the injected packet with the right destination VLAN for the reset), or only into the native/actual VLAN of the SPAN destination?

    2. Does the 4235 treat the traffic as coming from multiple virtual interfaces (e.g., for the purpose of spoof detection within each VLAN)?

    Thanks for reading. Any input greatly appreciated.

    On your second question, no: monitored traffic is treated as coming from a single virtual interface. The sensor reads the VLAN header on the encapsulated packets, includes it in the alarm, and reuses it for TCP resets. You can, however, apply VLAN-specific signatures to the traffic the sensor monitors.

  • TCP Reset and blocking

    I'm configuring an IPS-4270-20.

    I want to know how TCP Reset can reset a session without having an IP address.

    Also, through which interface would the sensor send blocking and rate-limiting actions to managed devices?

    Kind regards

    Shahzad.

    Your switch ports will be set to 'access' if you use 'inline interface pair' mode, and to trunk if you use 'inline VLAN pair' mode.

    And here's a post from Marc regarding the alternate TCP reset interface; it's rarely needed:

    "In most installations the alternate TCP reset interface is not necessary.

    By default the TCP resets will be sent back out the same interface on which the attack was detected.

    So if your promiscuous interface is connected to a 100 Mbps monitoring hub, then the TCP reset will be sent back out that same promiscuous interface into the hub.

    Or if your promiscuous interface is connected to a switch SPAN port, the TCP reset will be sent back out the same promiscuous interface into that SPAN port.

    The question then becomes not whether the sensor can send the TCP reset, but whether the switch will accept it. Some switches will accept TCP resets from the SPAN port. Some switches only require an extra parameter in the SPAN configuration to tell the switch to allow incoming packets on the SPAN port.

    BUT there are some switches that do NOT allow incoming packets on their SPAN ports.

    These situations are the reason for the alternate TCP reset interface configuration.

    You need two sensing interfaces (one for promiscuous monitoring, and the other used only as the alternate TCP reset interface). The command and control port is NOT allowed as the alternate TCP reset interface.

    Connect the promiscuous interface to the switch's SPAN port. Configure the second interface as the alternate TCP reset interface of the first, promiscuous interface. Then plug the second interface into the same switch (but do not make the second one a SPAN port).

    Now when the sensor detects an attack on interface 1 it will NOT send TCP resets out interface 1, but will instead send the TCP resets out the second interface.

    Since the switch does not accept the TCP resets on the SPAN port, you need the second interface to get the TCP resets into the switch.

    The same is also possible with taps (because taps have no way to accept incoming packets).

    The alternate TCP reset interface configuration is ignored when the interface is configured for inline monitoring. It is only used with promiscuous monitoring."

    Regards

    Farrukh

  • TCP resets

    Hi all

    I would like to get your comments on TCP resets sent from an IPS running inline. If the sensor is configured to deny the attacker, deny the connection, or even deny the packet, is there any reason to send a TCP reset? It seems to me that sending a reset just confirms a valid IP address to the attacker.

    I can see the reason to reset if the IPS is running in promiscuous mode, since you would want the inside host to sever the connection, but I don't see the advantage of sending it when the IPS has already denied the connection in one form or another.

    Thoughts?

    Thank you

    Jeff S.

    The documentation says:

    Excerpt from http://www.cisco.com/en/US/docs/security/ips/5.1/configuration/guide/cli/cliEvAct.html

    The deny packet inline action is represented as a denied packet action in the alert. When a deny packet inline occurs for a TCP connection, it is automatically upgraded to a deny connection inline action and shown as a denied flow in the alert. If the IPS denied only a single packet, TCP would keep retransmitting that packet over and over, so the IPS denies the entire connection to ensure it never succeeds in resending it.

    In the case of a deny connection inline, the IPS automatically sends a one-way TCP reset, which appears as a one-way TCP reset sent in the alert. When the IPS denies the connection, it leaves an open connection on both the client (usually the attacker) and the server (usually the victim). Too many open connections can lead to resource problems on the victim. So the IPS sends a TCP reset to the victim to close the connection on the victim's side (usually the server), which preserves the victim's resources. It also prevents a failover in which the connection would switch to a different network path and reach the victim. The IPS leaves the attacking side alone and denies all traffic from it.

    Deny connection inline and deny attacker victim pair inline seem to have the same effect in the end, except that "Deny Attacker Victim Pair Inline" adds an entry to the deny list.

    I hope that answers your query.

  • TCP Reset-O, Reset-I, FINs

    Hello world

    hope you can help me with this problem. I m of the problems when connecting to a web service on a device. My ASA has 3 active interfaces, one for the headquarters within the network (internal), one for the ISP (outside) connection and the other for remote sites that connects through an MPLS (WAN). I m trying to connect to a web service on a printer from my seat at a remote office (of Interior to WAN); but I m of the random error messages on the monitor of ASA´s.

    If I try to connect to my laptop I get this messages

    It's the connection from the inside to the WAN interface.

    It says the connection was complete. No problems so far.

    But when I try to connect from another PC I get this message

    These are the messages from the inside to WAN

    This image shows that the connection has been reset. If no connection has been affermirai between devices. What does the Reset-O? but sometimes I don't get the TCP Reset-O message sometimes we get reset TCP-I've got the message.

    You can see the TCP-Rese I get the message on the first line.

    Not sure what is happening. some computers are able to access the web service other Don t. I am also a few tests, use my ip address (which works fine) in the other PC, but the problem persists, even with my ip address. Antivirus, Windows Firewall, antimalware, are all stop.

    Any computer on remote desktop can locally access the service without problem. However, they have problems of access to content services on the seat.

    I have ACLs in both, inside and WAN interface that allows communication between them, using Packet Tracer on the ASDM I can is the package allowed in each port number, because traffic I m allowing all without exception.

    can someone help me with this?

    Best regards

    Alvaro Rugama Cerda

    Hello Alvaro,

    In the outside capture:

    From packet 24 we can see how the printer starts a graceful TCP close with a FIN packet; packet 26 shows that the client has agreed to close the session and sends its own FIN packet to close.

    Having 0 packets in the ASP capture shows the ASA is not dropping the connection (the ASP capture displays all packets being dropped by the ASA).

    Any other questions?

    Looking for Networking Assistance?
    Contact me directly at [email protected]

    I will fix your problem as soon as POSSIBLE.

    See you soon,

    Julio Segura Carvajal
    http://laguiadelnetworking.com

  • Using the alternate TCP reset interface

    Hi, I'm new to Cisco IPS. Can someone please tell me the function of the alternate TCP reset interface?

    I have two interfaces on the IPS: one is command and control and the other is an interface in promiscuous mode.

    Without this command, can the IDS send any TCP resets at all, or does it use a different interface for TCP resets?

    Can someone please tell me.

    Regards

    Assane

    In most installations the alternate TCP reset interface is not necessary.

    By default the TCP resets will be sent back out the same interface on which the attack was detected.

    So if your promiscuous interface is connected to a 100 Mbps monitoring hub, then the TCP reset will be sent back out that same promiscuous interface into the hub.

    Or if your promiscuous interface is connected to a switch SPAN port, the TCP reset will be sent back out the same promiscuous interface into that SPAN port.

    The question then becomes not whether the sensor can send the TCP reset, but whether the switch will accept it. Some switches will accept TCP resets from the SPAN port. Some switches only require an extra parameter in the SPAN configuration to tell the switch to allow incoming packets on the SPAN port.

    BUT there are some switches that do NOT allow incoming packets on their SPAN ports.

    These situations are the reason for the alternate TCP reset interface configuration.

    You need two sensing interfaces (one for promiscuous monitoring, and the other used only as the alternate TCP reset interface). The command and control port is NOT allowed as the alternate TCP reset interface.

    Connect the promiscuous interface to the switch's SPAN port. Configure the second interface as the alternate TCP reset interface of the first, promiscuous interface. Then plug the second interface into the same switch (but do not make the second one a SPAN port).

    Now when the sensor detects an attack on interface 1 it will NOT send TCP resets out interface 1, but will instead send the TCP resets out the second interface.

    Since the switch does not accept the TCP resets on the SPAN port, you need the second interface to get the TCP resets into the switch.

    The same is also possible with taps (because taps have no way to accept incoming packets).

    The alternate TCP reset interface configuration is ignored when the interface is configured for inline monitoring. It is only used with promiscuous monitoring.

  • Reset TCP question

    I have a question about TCP/IP communication. Let's say I have a Cisco device running with its HTTP server turned off. If I send a TCP SYN packet to the device with destination port 80/443 (any non-listening port), does the device respond with a TCP RESET? Or will it simply drop the packet without any acknowledgement?

    I think it will differ from device to device:

    An ASA will drop connections to services that aren't running; to have it send resets, use the command "service resetoutside", which sends a reset for denied TCP packets on the outside interface.

    Access points will reset by default.

    Routers will reset by default.

    Switches will reset by default.

    Kind regards

    PS: please rate and mark as correct.
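
The difference between the two behaviours discussed above is visible from the client side without any packet capture: a port that answers the SYN with a RST fails the connect() immediately with "connection refused", while a port whose SYNs are silently dropped just times out. The following probe is an added example (it is not from the original post and is not a Cisco tool); it uses a throwaway local listener and an unused local port as constructed inputs so it can be run offline. The "filtered" result only occurs against a real host that drops the SYN.

```python
"""Added example (not from the original post): tell a RST answer from a silent drop
as a TCP client sees them. connect() to a port that replies with RST fails at once
with ECONNREFUSED; a port whose SYNs are dropped only times out."""
import socket


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'reset' (peer sent RST) or 'filtered' (no answer before timeout)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "reset"        # the SYN was answered with RST
    except socket.timeout:
        return "filtered"     # the SYN (and its retransmissions) were dropped
    finally:
        s.close()


def free_port() -> int:
    """Pick a local TCP port nobody is listening on (constructed test input)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def listening_socket() -> socket.socket:
    """A throwaway local listener so the 'open' case can be exercised offline."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


if __name__ == "__main__":
    srv = listening_socket()
    print("listening port ->", probe("127.0.0.1", srv.getsockname()[1]))
    srv.close()
    print("closed port    ->", probe("127.0.0.1", free_port()))
```

The same distinction is what a port scanner reports as closed (RST seen) versus filtered (nothing seen), which is why the choice between dropping and resetting on the device changes what an attacker learns about it.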

  • Reset TCP

    I can't configure TCP Reset on my IPS 4255 in promiscuous mode.

    I declared interface 0/0 on the IPS as the TCP reset interface for interface gig 0/1.

    But it still does not work. Please tell me how to configure it and how to verify the configuration.

    Write a custom TCP STRING signature with direction "to service" for Telnet (port 23), matching any string such as 'abcd'. Now telnet across the SPAN VLAN and try typing abcd; as soon as you type "d" (the last letter) your telnet connection will be stuck :)

    Regards

    Farrukh

  • Basic IDS module configuration

    I have some basic configuration questions about an IDS module in a 3725 router.

    (NM-CIDS)

    1. Must the module's interface be configured as a normal interface like any other Fast Ethernet interface? If so, how do I get into the sensor's web configuration? I can't give the sensor an IP on the same subnet as another interface, so do I have to create a VLAN on my switch and install a new network adapter in a computer just to access the sensor?

    2. I want to use the sensor to monitor my internet connection. My internet comes into the router where the sensor is, but not on the sensor's interface. So I added the line "ids-service-module monitoring" on the internet interface. I'm now assuming that the sensor monitors this interface, but it can't block any IP address on it, can it? Can I use the sensor's interface as my internet connection? Will it route traffic to the router like any other interface?

    3. If the sensor has to be on its own subnet, I can't get the licensing auto-update, since this new subnet has no access to the internet.

    I must admit I'm a bit confused about the basics of this module. The documentation is clear on how to install it, and I did; I even upgraded the sensor to version 5.0, but the basic idea behind it and the basic configuration are not clear. It only tells me the reasons for the separate subnet.

    Can someone point me in the right direction?

    My goal is to install the sensor on the company's internet connection, which is currently connected to a Fast Ethernet card on the router, and to send events to a syslog server that I'm monitoring.

    Thank you

    Bernard Magny

    The NM-CIDS has two interfaces you have to deal with.

    An internal interface on the router backplane, and an external interface you can plug a cable into.

    In addition, the router has an interface on the backplane facing the NM-CIDS. This router backplane interface and the internal interface of the NM-CIDS can be considered wired together.

    The simplest way to think of the NM-CIDS is as a PC that sits inside the router.

    It can easily be compared to an IDS appliance.

    The internal interface of the NM-CIDS is the sniffing interface. The NM-CIDS does not give this internal interface an IP address. It is used only for receiving packets from the router for monitoring and for sending TCP resets.

    The router has its backplane interface that corresponds to this internal sniffing interface of the NM-CIDS. You must give the router's NM-CIDS interface an IP address, but no traffic will ever really be "routed" to it. So most users either assign a non-routable address, or a loopback address, or share an address with another interface of the router.

    This address is NOT used to configure or control the NM-CIDS; using a non-routable loopback address is often the best thing to do.

    This router backplane interface to the NM-CIDS can best be compared to a SPAN port on a switch that is monitored by an appliance.

    The "ids" command applied to a physical interface of the router is like "spanning" that interface.

    The "spanned" traffic is copied to the "span" destination port, which is the router's backplane interface to the NM-CIDS. Once those packets are copied into the router backplane on the NM-CIDS slot, the internal port of the NM-CIDS will sniff and analyze the packets.

    So the real packet comes in one router interface and gets "routed" out another. If there is an "ids" command on either of these two interfaces, then these packets will also be copied ("spanned") to the NM-CIDS for monitoring. So the NM-CIDS and the corresponding router backplane interface are not in the packet path and only get a copy of the packet.

    NOTE: Technically the packet is not "spanned", because "spanning" is only supported by a switch, but most users understand the concept, and the concept is what I'm trying to convey.

    Now the external port of the NM-CIDS is the command and control port. This is where you assign an IP address. Understand that this is NOT a router interface. It will not participate in routing protocols. All packets destined to this port will stop at the NM-CIDS.

    This port is best compared to the command and control port of an IDS appliance sensor. The port's address is used only to talk directly to the IDS sensor.

    So what address should you assign?

    The best method is to give it an address on your more secure internal network and physically plug it into that network, just as you would for any other PC (or the command and control port of an IDS appliance).

    Since this NM-CIDS interface is not a router interface and does NOT participate in routing, it's OK for the router itself to have an interface on the same subnet and be connected to the same switch and the same VLAN as the external command and control interface of the NM-CIDS. In fact, that's exactly what most users do. In addition, the router's IP on that subnet is usually the default gateway configured on the NM-CIDS for its command and control interface. If you think of the NM-CIDS as a PC, then it makes sense.

    Some customers may have a special network for managing their security devices (usually only large companies). In those scenarios, the NM-CIDS command and control can be placed on a network that is not even routable by the router in which it is installed. It's fairly rare, but it is possible to do.

  • SPAN and TCP RST

    I know that a Cisco IDS can inject a TCP RST into a SPAN port in order to kill a connection.

    My question is: does this technique work only when SPANing switch ports, or will it also work when SPANing a VLAN? I was told it is not possible. Assume a 6000 series switch.

    Regards, Jeff

    Some switches allow you to send TCP resets via the SPAN port and some do not. TCP resets through the SPAN port are therefore very switch dependent, and you should read your switch documentation. (Not all Cisco switches are exactly the same.)

    IF the switch allows TCP resets into the SPAN port, then the resets should work for both port and VLAN SPAN sessions, with a few caveats that you can read below.

    IF the switch does not allow TCP resets into the SPAN port, then TCP resets will not work whatever SPAN session type you have.

    In a port SPAN session, the port being spanned must be in the same VLAN that is configured for the SPAN destination port for the TCP resets to get to the right VLAN and work.

    If you try to port-SPAN ports from different VLANs, then the sensor will alarm OK, but TCP resets will only work on attacks seen on the same VLAN assigned to the SPAN destination port.

    VLAN SPANs have the same limitations. If you span a single VLAN and that VLAN is assigned to the SPAN destination port, then the TCP resets will get to the right VLAN and should work.

    If you span multiple VLANs, then the TCP resets will only work on the same VLAN assigned to the SPAN destination port.

  • IDS/IPS signatures for monitor audio/video streaming applications

    Hi people,
    Can someone advise on the names of signatures that could be used successfully to monitor the use of streaming applications on the network? The plan is to feed MARS and then create reports on streaming application usage, to be used later for creating a security policy that prevents bandwidth theft.

    Also, suggestions on how to create a custom signature to monitor audio and video streams would be appreciated.

    Eugene

    Hello Eugene,

    It is possible to match strings specific to video in your capture by examining the Content-Type. Following that match with a TCP reset or a deny packet inline will keep the video from playing, which will save the bandwidth the video would otherwise have used. However, it is important that we establish the role of the IPS appliance. The IPS is designed to detect and limit attacks by matching known traffic patterns. For TCP, that can also include dropping a packet to disrupt a flow. The IPS is not fundamentally designed to monitor flows and provide byte counts for a particular protocol so that protocol usage analysis can be performed.

    The signature below will drop packets with the flv-application Content-Type, which will keep the video you tested on break.com from playing. Each video streaming site works differently. A capture from each video streaming site will have to be examined and another custom signature written if you want to block them all. Also, keep in mind that many sites offer different streaming options for their videos. It may require multiple captures at each site, one for each streaming method.

    signatures 60001 0
    alert-severity medium
    sig-description
    sig-name flv-application TCP String
    exit
    engine string-tcp
    event-action produce-alert|reset-tcp-connection
    regex-string flv-application
    service-ports 80
    direction to-service
    exit
    alert-frequency
    summary-mode fire-all
    exit
    exit
    status
    enabled true
    exit
    exit

    Thank you

    Blayne Dreier

    IDS Cisco TAC team

    * Please check our Podcast *.

    TAC security show: http://www.cisco.com/go/tacsecuritypodcast

  • Questions about IDS 4.0 and IEV 4.0

    I've been playing with IDS/IDM/IEV 4.0 and so far I am really impressed with the upgrade!

    A few questions/suggestions:

    (1) In IDM, under signature configuration, is there a quick way to edit a particular signature number? For example, I want to tune signature 3041; the only way I can find to do it if I don't know the category is to list all the signatures, then try to guess which page it's on. I think the previous version had a pop-up that listed the range of signatures on each page.

    (2) A suggestion: in IEV, when looking at a view, the first column is a group, and the second column contains the number of items in that group. However, double-clicking on the first column does not give the detail, only double-clicking on column 2 does. It would be nice if the first column did too. (For example, for the severity level group, it would be nice to double-click on the word 'High' to see all the high-severity signatures.)

    (3) Is there a simple way in IEV or IDM to see which connections have been blocked? It would be nice to have a summary of when connections have been blocked and which IP addresses were affected. It would also be groovy if it was shown in IEV for the individual events (i.e., add an 'Action' column showing what actions were taken, if any, for each signature firing).

    (4) Is it possible to export the settings I've changed from the defaults? So far I've just kept a Notepad file listing the signatures I've tuned in case I have to re-install. (And from the looks of it, upgrading to the latest signatures wiped out my block settings.)

    (5) What is the difference between ShunHost and ShunConnection? The documentation doesn't really say. And is it designed to work with IOS vs PIX shunning?

    (6) The IDM docs imply that system variables can be used in event filters, but when I try to apply the system IN variable to a filter, it won't let me, so I have to type in the addresses.

    That's all for now!

    I am pleased to hear that you like the new versions. My answers to some of these questions/comments will hopefully improve your experience.

    (1) In IDM, under signature configuration, is there a quick way to edit a particular signature number? For example, I want to tune signature 3041; the only way I can find to do it if I don't know the category is to list all the signatures, then try to guess which page it's on. I think the previous version had a pop-up that listed the range of signatures on each page.

    ANSWER: Not at the moment. We have heard this feature request from multiple users. A future 4.0 version is already planned to bring back the 3.1 feature (listing of signatures by page range). I can't comment on when this version will be released.

    An alternative until then would be to select the option to view all signatures on the page (it will take a while to load), then use your browser's search function to take you to the line for the signature.

    (2) A suggestion: in IEV, when looking at a view, the first column is a group, and the second column contains the number of items in that group. However, double-clicking on the first column does not give the detail, only double-clicking on column 2 does. It would be nice if the first column did too. (For example, for the severity level group, it would be nice to double-click on the word 'High' to see all the high-severity signatures.)

    ANSWER: I'll pass it on to the developers.

    (3) Is there a simple way in IEV or IDM to see which connections have been blocked? It would be nice to have a summary of when connections have been blocked and which IP addresses were affected. It would also be groovy if it was shown in IEV for the individual events (i.e., add an 'Action' column showing what actions were taken, if any, for each signature firing).

    ANSWER: The IDM manual blocking tab will show you the current block list as well as allow you to add blocks or remove existing blocks.

    It's called 'Manual Blocking' but it will also show you the current 'automatic' blocks (you may need to switch to another IDM screen and then come back for it to refresh with the latest block list).

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids9/idmiev/swchap5.htm#195940

    Also, you can run the CLI "show events" command to show you which blocks have been attempted. If I remember correctly, the show events command line you would want is: "show events nac <time> <date>", where the time and date are the earliest entry you want to display. (NOTE: NAC = Network Access Controller, the replacement for "managed" in the new 4.0 sensor.)

    I recommend playing with the different show events options to see the different information the sensor can bring up in the new CLI.

    In addition, the attempted action is now included in the alarm itself, and IEV should have IPLOG, SHUN and TCP Reset columns showing what action was attempted. Check the settings and make sure you have these columns selected to be displayed in your view. (The attempted actions are visible when looking at individual alarms, not in the summary windows.)

    (4) Is it possible to export the settings I've changed from the defaults? So far I've just kept a Notepad file listing the signatures I've tuned in case I have to re-install. (And from the looks of it, upgrading to the latest signatures wiped out my block settings.)

    CLI commands to check:

    more current-config - gives a CLI-style listing of the configuration; under the virtualSensor area it shows you just the changes to the signatures rather than the full default signature definitions.

    copy current-config backup-config - backs up your current config to a storage area on the sensor itself.

    copy current-config <location> - allows you to save your configuration to a location. The location could be an ftp or scp server.

    Example:

    copy current-config ftp://user@10.1.1.1/config-backups/sensor1-config

    (5) What is the difference between ShunHost and ShunConnection? The documentation doesn't really say. And is it designed to work with IOS vs PIX shunning?

    Shun host creates the following ACL entry:

    deny ip host <srcip> any

    SO it blocks all packets from the source.

    Shun connection on the other hand creates the following ACL entry

    (NOTE: I am doing this from memory, so I'm not entirely sure of my answer below; you may need to test to know for sure):

    deny <protocol> host <srcip> host <dstip> eq <port>

    SO it blocks only the packets from the source to the victim's IP that go to the same port where the attack occurred.

    NOTE: Multiple shun connections from the same srcip may cause the shun connections to be combined into a single shun host, to prevent that IP from filling up your ACL list.

    Regarding IOS vs PIX: the above commands are for IOS. Similar entries can be seen with the "shun" command on the PIX, but no matter what you enter with the PIX "shun" command, it will always shun the entire source IP address. So if you shun connections with a PIX, the "shun" command carries the other information, but the PIX will always shun the entire source IP.

    (6) The IDM docs imply that system variables can be used in event filters, but when I try to apply the system IN variable to a filter, it won't let me, so I have to type in the addresses.

    Looks like it may be a bug.
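
To make the ShunHost / ShunConnection distinction above concrete, here is an added example (not Cisco code and not from the original answer) that renders both kinds of block as the IOS ACL entries the answer describes, renders the PIX form where only the source IP is ever shunned, and checks sample flows against the resulting list. The collapse of several connection shuns from one source into a single host shun is mentioned on the page without a threshold; the value of 3 used here is an assumption, as is the whole BlockList bookkeeping.

```python
"""Added example (not Cisco's code): what ShunHost and ShunConnection actually match,
as the IOS ACL entries the sensor pushes, plus the PIX form that always shuns the
whole source. COLLAPSE_AFTER is an assumed value; the page only says the collapse happens."""
from dataclasses import dataclass
from typing import List, Optional

COLLAPSE_AFTER = 3   # assumption: number of connection shuns from one source before a host shun


@dataclass(frozen=True)
class Flow:
    """A packet/flow to test against the block list (constructed sample input)."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Shun:
    """dst is None for a ShunHost (whole source blocked); otherwise a ShunConnection."""
    src: str
    dst: Optional[str] = None
    proto: str = "ip"
    dport: Optional[int] = None

    def ios_acl(self) -> str:
        """IOS access-list entry, in the form quoted in the answer above."""
        if self.dst is None:
            return f"deny ip host {self.src} any"
        return f"deny {self.proto} host {self.src} host {self.dst} eq {self.dport}"

    def pix_shun(self) -> str:
        """PIX ignores the connection details and blocks the entire source IP."""
        return f"shun {self.src}"

    def blocks(self, f: Flow) -> bool:
        if f.src != self.src:
            return False
        if self.dst is None:          # ShunHost: everything from src
            return True
        return f.dst == self.dst and f.proto == self.proto and f.dport == self.dport


class BlockList:
    """The sensor-side list of active shuns and the device config it maps to."""

    def __init__(self) -> None:
        self.entries: List[Shun] = []

    def shun_host(self, src: str) -> None:
        # A host shun supersedes any connection shuns for the same source.
        self.entries = [e for e in self.entries if e.src != src]
        self.entries.append(Shun(src))

    def shun_connection(self, src: str, dst: str, proto: str, dport: int) -> None:
        if any(e.src == src and e.dst is None for e in self.entries):
            return                      # already covered by a host shun
        self.entries.append(Shun(src, dst, proto, dport))
        if sum(1 for e in self.entries if e.src == src) >= COLLAPSE_AFTER:
            self.shun_host(src)         # keep one attacker from filling the ACL

    def ios(self) -> List[str]:
        return [e.ios_acl() for e in self.entries]

    def pix(self) -> List[str]:
        return sorted({e.pix_shun() for e in self.entries})

    def blocked(self, f: Flow) -> bool:
        return any(e.blocks(f) for e in self.entries)


if __name__ == "__main__":
    bl = BlockList()
    bl.shun_connection("10.0.0.5", "10.0.0.80", "tcp", 80)
    print(bl.ios(), bl.pix())
    print("same port blocked:", bl.blocked(Flow("10.0.0.5", "10.0.0.80", "tcp", 80)))
    print("other port blocked:", bl.blocked(Flow("10.0.0.5", "10.0.0.80", "tcp", 22)))
    bl.shun_connection("10.0.0.5", "10.0.0.81", "tcp", 80)
    bl.shun_connection("10.0.0.5", "10.0.0.82", "tcp", 80)
    print("after collapse:", bl.ios())
```

Note that the PIX rendering is identical for a connection shun and a host shun, which is the behaviour the answer warns about: a PIX "shun" removes all reachability for that source, so a spoofed attack source can be turned into a denial of service against the spoofed address.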

  • IDS Drop vs Reset

    I understand that dropping a packet prevents the connection from getting into your network, and a TCP Reset resets the connection in both directions.

    Aren't they functionally pretty much the same thing? Either way, you end the connection, right?

    Since TCP Reset only works on TCP traffic, why even use it? Isn't dropping the connection good enough to take care of this?

    One issue to consider is that of system resources.

    If the sensor drops the connection (or packets), the connection is not able to continue.

    BUT the client and server think the connection is still ongoing and will keep resending packets and keep system resources open until an eventual time-out occurs.

    With TCP Reset, on the other hand, the client and server know the connection has been reset and can release the system resources and stop resending.

    However, TCP Reset by itself does not guarantee that the connection will go away.

    TCP Reset is a best guess at the sequence numbers for the connection being reset. You are in effect hijacking the connection, and the hijack does not always work (especially on fast connections).

    If all you are worried about is preventing an attack, then dropping packets works fine.

    But if you are worried about dropping the attacks and also freeing up system resources (particularly on a web server that may be constantly attacked in the case of worms), I would recommend using both the drop and reset actions.

    SIDE NOTE:

    Version 4.1 of the IDS software supports TCP resets, but does not support drop actions.

    IPS version 5.0 (forthcoming) will support a new InLine feature that supports drop actions (called deny actions in IPS v5.0). So in 5.0 you can do both a deny action and a TCP reset action on signatures that fire frequently. This way your servers won't waste resources on connections that have already been dropped by the IPS.
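
The "best guess at the sequence numbers" in the answer above, the both-ends reset discussed at the top of this page, and the one-way reset of the inline deny connection action quoted earlier all come down to how the sensor fills in the two RST segments. The following is an added example (it is not Cisco's code and not from any of the posts) that builds that pair from one observed segment with valid IP and TCP checksums and, optionally, copies the observed 802.1Q tag onto the frame the way the first answer on this page describes. The sample segment, addresses and MAC addresses are constructed; nothing is sent on the wire.

```python
"""Added example (not Cisco's code, not from the original posts): the TCP RST
pair a promiscuous-mode sensor injects to tear down a connection it observed.
The sensor has no view of either host's TCP state, so it derives the RST
sequence numbers from the last segment it saw; a host accepts the RST only if
that number lands inside its receive window, which is why the reset is a best
guess that can miss on a fast-moving connection."""
import socket
import struct
from dataclasses import dataclass


@dataclass
class Observed:
    """One attacker -> victim segment as seen on the SPAN/tap (constructed input)."""
    src_ip: str        # attacker
    dst_ip: str        # victim
    sport: int
    dport: int
    seq: int           # sequence number carried by the observed segment
    ack: int           # acknowledgement number carried by it
    payload_len: int   # bytes of TCP payload it carried
    vlan: int = 0      # 802.1Q tag seen on the wire; 0 means untagged


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; folds to 0 over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_rst(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int, ack: int) -> bytes:
    """Raw IPv4 + TCP segment with RST|ACK set, no options, both checksums filled in."""
    flags = 0x14                                   # ACK (0x10) | RST (0x04)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      5 << 4, flags, 0, 0, 0)      # data offset 5 words, window 0, csum 0
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                         0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def dot1q_frame(ip_packet: bytes, vlan: int, src_mac: bytes, dst_mac: bytes) -> bytes:
    """Ethernet framing; the sensor copies the observed VLAN tag onto the reset when vlan != 0."""
    if vlan:
        return dst_mac + src_mac + struct.pack("!HHH", 0x8100, vlan & 0x0FFF, 0x0800) + ip_packet
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + ip_packet


def resets_for(obs: Observed, both_sides: bool = True) -> dict:
    """RSTs the sensor emits for one observed segment.

    Toward the victim (spoofing the attacker): seq must be the next byte the
    victim expects, i.e. observed seq + payload length; ack echoes the observed ack.
    Toward the attacker (spoofing the victim): seq must be what the attacker
    expects next from the victim, i.e. the observed ack.
    both_sides=False is the one-way reset an inline "deny connection" sends
    (victim side only; the attacker's packets are simply dropped)."""
    next_seq = (obs.seq + obs.payload_len) & 0xFFFFFFFF
    out = {"to_victim": build_rst(obs.src_ip, obs.dst_ip, obs.sport, obs.dport, next_seq, obs.ack)}
    if both_sides:
        out["to_attacker"] = build_rst(obs.dst_ip, obs.src_ip, obs.dport, obs.sport, obs.ack, next_seq)
    return out


def parse(packet: bytes) -> dict:
    """Decode the IPv4/TCP fields of a segment produced by build_rst."""
    ihl = (packet[0] & 0x0F) * 4
    sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB", packet[ihl:ihl + 14])
    return {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}


def checksums_ok(packet: bytes) -> bool:
    """True when both the IP header and the TCP segment verify (the sum folds to zero)."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    pseudo = struct.pack("!4s4sBBH", packet[12:16], packet[16:20], 0, socket.IPPROTO_TCP, len(tcp))
    return checksum(packet[:ihl]) == 0 and checksum(pseudo + tcp) == 0


if __name__ == "__main__":
    # Constructed sample: telnet from 10.0.0.5 to 10.0.0.80 on VLAN 10, 4 payload bytes seen.
    sample = Observed("10.0.0.5", "10.0.0.80", 40000, 23, 1000, 5000, 4, vlan=10)
    for side, pkt in resets_for(sample).items():
        frame = dot1q_frame(pkt, sample.vlan, b"\x02" * 6, b"\x04" * 6)
        print(side, parse(pkt), "checksums ok:", checksums_ok(pkt), "frame bytes:", len(frame))
```

The "fast connection" failure mode in the answer is visible in resets_for: if the victim has already received more data than the sensor saw when it computed next_seq, the RST's sequence number is behind the receive window and the victim discards it, which is why the answer recommends pairing the reset with a drop or deny action rather than relying on the reset alone. The frame is only built when a VLAN tag was observed, matching the SPAN caveat that a reset reaches the right hosts only if it lands in the VLAN the attack was seen on.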

  • EasyVPN and TCP ports

    Hey people,

    I have another problem with EasyVPN that requires assistance.

    Or actually, not so much a problem as a wish.

    I saw that EasyVPN is able to send the VPN traffic over TCP.

    You can also specify the port to use.

    vpnclient ipsec-over-tcp port 

    Now it would be really great if it would be possible to set up the tunnel over a standard port
    that is open on most firewalls: 443

    Unfortunately, when I do this:

    vpnclient ipsec-over-tcp port 443

    The tunnel goes down and won't come back up.

    Is it possible to do this, and send it over 443 or another standard port?

    The errors/messages in the EasyVPN server log:

    Built inbound TCP connection 625 for outside:10.1.0.2/1075 (10.1.0.2/1075) to identity:10.0.0.1/443 (10.0.0.1/443)

    Teardown TCP connection 625 for outside:10.1.0.2/1075 to identity:10.0.0.1/443 duration 0:00:08 bytes 0 TCP Reset-O

    Any ideas on this?

    Unfortunately you can't use any of the well-known ports, i.e. anything below port 1024.

  • Drop / Reset / Shun

    Can someone explain the difference between 'Drop', "TCP Reset" and "Shunning" on a PIX?

    Thank you!

    'Drop' does not refer to dropping the connection; it simply means the PIX will drop the packet that generated the alert and not pass it through. For TCP-associated alerts, 'reset' means the PIX will send a TCP RST to both ends of the connection, effectively killing any TCP connection that has been established.

    Shunning can be set up on an external sensor for certain signatures. When traffic is detected that triggers an alert configured to shun, the sensor telnets/SSHes to the PIX and applies the "shun" command to the source address of the packet(s) that generated the alert. The shun command simply means the PIX drops any packet from this address; it is not applied to a specific interface but to the PIX as a whole, so whichever interface the packet comes in on, it will be dropped.

    See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/s.htm#1026366 for more details.
