IDS mailing list archives
RE: CISCO IDS Packet capture
From: "Chad R. Skipper" <cskipper () cisco com>
Date: Tue, 6 Apr 2004 15:11:16 -0500
3 options available:

1. IP Logging - The sensor will capture the binary packets for a given address and store them in an IP Log file that can be downloaded and viewed by the user. The IP Logging capability can be triggered manually by specifying a particular IP address, or automatically when a signature triggers.

2. Trigger Packet - The sensor can attach the trigger packet directly to the alarm. IEV can then be used to view the contents of the trigger packet (IEV passes the packet to ethereal for viewing).

3. Tcpdump - Tcpdump has been loaded on the sensors. You will have to create a service account on the sensor to get access to the underlying Linux OS. Once logged into the service account, you can switch to user root (same password as the service account). You can run ifconfig -a to see which interface you want to sniff on.

There is currently an issue with the sensor that the sensor cannot monitor the same interface that tcpdump monitors. They use different methods to open the interface that are not compatible with the current driver. This will be corrected in the next sensor version. Until then you will need to shutdown the interface from the CLI before attempting to run tcpdump on it. Once the interface has been shutdown, you will need to bring it up using ifconfig before running tcpdump on the interface. When you are done running tcpdump, you will need to reboot the sensor to re-initialize the drivers, and then through the CLI you would need to do a "no shutdown" on the interface to get the sensor to start monitoring on it again. This is being corrected in the next sensor version, and the user will be able to run tcpdump on the same interface that is being monitored.

---------------------------
Some doc links for IP Logging and Trigger Packet:

Manual creation of IP Logs:
IDM: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap5.htm#987052
CLI: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/cmdref/15599ch2.htm#378251
SecMon (VMS): Not currently supported. Use IDM or CLI.
---------------------------
Automatic creation of IP Logs for a specific signature:
IDM: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap3.htm#526 (step 4 of tuning built-in signatures: you would select log for the EventAction)
CLI: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/cmdref/15599ch2.htm#5853 (you would select the engine for that signature, then select that signature, then set EventAction to log)
IDS MC (VMS): http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mgt_ids/idsmc12/ug/ch05.htm#893699 (set the Action or EventAction to Log or IP Log - depending on software version)
---------------------------
Downloading of IP Logs:
IDM: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap4.htm#860259
CLI: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/cmdref/15599ch2.htm#377910 (you have to copy the iplog to your own ftp or scp server)
SecMon (VMS): Not currently supported. Use IDM or CLI.
-----------------------------
Viewing of IP Logs:
To view the IP Log, download the IP Log and then open it using any packet viewer that understands libpcap formatted capture files (tcpdump or ethereal are most commonly used).

------------------------------
Configure automatic attachment of trigger packet to alarm for a specific signature:
IDM: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap3.htm#526 (step 4 of tuning built-in signatures: you would select true for the CapturePacket option)
CLI: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/cmdref/15599ch2.htm#5853 (you would select the engine for that signature, then select that signature, then set CapturePacket to true)
IDS MC: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mgt_ids/idsmc12/ug/ch05.htm#893699 (set CapturePacket to true - depending on software version)
------------------------------
View trigger packet attached to alarm:
IEV: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap6.htm#1789
SecMon (VMS): Not currently supported. Use IEV.

Chad R. Skipper
Software Engineer
Cisco Systems

-----Original Message-----
From: Strand, John [mailto:John.Strand () mms gov]
Sent: Friday, April 02, 2004 7:36 AM
To: focus-ids () securityfocus com
Subject: CISCO IDS Packet capture

Hello All,

Does anyone know how to enable some level of packet capture and logging on the CISCO IDS system (the newer version which interfaces with CiscoWorks and can run on Win2K)? I have hunted through the CISCO provided PDFs and they're a little on the light side. I also have hit the usual suspects, google, CISCO groups, etc.

Thanks in advance for any help.

js
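An added example, not from the original post or from Cisco's own tooling: a small Python reader for the libpcap format that the downloaded IP Logs (and any tcpdump capture taken on the sensor) use, with a constructed two-packet sample. It reads the byte order from the magic number and checks every record length against snaplen and the file end instead of trusting it, which is what you want when a log may have been cut off mid-download.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic microsecond-resolution libpcap magic


def read_pcap(data):
    """Yield (timestamp, captured_bytes) per record; byte order comes from the magic."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        end = "<"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        end = ">"
    else:
        raise ValueError("not a libpcap file")
    _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    if linktype != 1:  # DLT_EN10MB; this reader assumes Ethernet captures
        raise ValueError("unexpected link type %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        # incl_len is what was stored; never trust it beyond snaplen or the file end
        if incl > snaplen or off + incl > len(data):
            raise ValueError("corrupt record header at offset %d" % (off - 16))
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl


def ipv4_endpoints(frame):
    """Return (src, dst, proto) for an Ethernet/IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    return (".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34])), frame[23])


def summarize(data):
    """One (timestamp, src, dst, proto) tuple per IPv4 packet, like a tcpdump line."""
    return [(ts,) + ep for ts, f in read_pcap(data) for ep in [ipv4_endpoints(f)] if ep]


# Constructed sample (not a real IP Log): two Ethernet/IPv4 records, little-endian.
def _frame(src, dst, proto, payload=b""):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload


SAMPLE_PCAP = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
for _ts, _f in ((1081282276, _frame("10.1.1.5", "10.1.1.9", 6, b"SYN")),
                (1081282277, _frame("10.1.1.9", "10.1.1.5", 6, b"ACK"))):
    SAMPLE_PCAP += struct.pack("<IIII", _ts, 500000, len(_f), len(_f)) + _f
```

Point it at a downloaded iplog file (`summarize(open(path, "rb").read())`) to get the same endpoints tcpdump -r would print, without needing tcpdump or ethereal on the workstation.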