Filtering an IP's traffic

Unanswered Question
Aug 12th, 2008
User Badges:

Hey, for a while I'd see packets from an IP and assume it was http. But I found some IP's that give us traffic but they are not making any logs in my access.log (so probably not http). What way can I filter my logs or using CLI diagnoze what ports this IP is using? Or trying to us?


Tia

Chuck

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
rhermes Tue, 08/12/2008 - 07:37
User Badges:
  • Gold, 750 points or more

Chuck -


Were you getting hits on an http signature? If you want more information about the traffic round a signature hit to perform a good analysis, enable logging of victim and attacker traffic. If you just want to see what port is involved in the packet that caused thsi signature to fire, enable "produce verbose alert", thiswill give you a partial packet capture in the alert message.

You can watch your traffic via the CLI too, check out the "packet display" and "iplog" commands.

http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliIPLog.html

Farrukh Haroon Tue, 08/12/2008 - 11:24
User Badges:
  • Red, 2250 points or more

Can you please spell out your requirement clearly?


Regards


Farrukh

netperception Tue, 08/12/2008 - 11:47
User Badges:

I will look into the 2nd response, but to make it clear I have an Ip that showed that is sent a bunch of packets. This put that Ip into the top 10 list. Typically I have been able to justify this by checking out the access log and find a bunch of http requests (just urls to our website). But I have found a couple Ip's that produced a bunch of source packets but have not shown in my access.log (to justify any http port traffic). So my question is how can I discover what traffic (or what ports) these packets were targeted by the Ip in question?

Farrukh Haroon Tue, 08/12/2008 - 12:01
User Badges:
  • Red, 2250 points or more

The best option would be to enable IP logging for that particular IP. lets say for one hour. And then analyze that traffic using a .cap file browser like WireShark.


Regards


Farrukh

rhermes Wed, 08/13/2008 - 07:57
User Badges:
  • Gold, 750 points or more

netperception -


You are now on the road to performing analysis on your IDS/IPS events. With some investigation, you can determine if a signature or attacker is a true of false positive. Turning down the severity, disabling poor performing (too many false positives) signatures, or creating filters to stop signatures from firing on specific attackers (when justified thru analysis of course) will reduce your alert count and allow you to focus on actionable events that you can do somthing about.

Actions

This Discussion