Filtering an IP's traffic

netperception (Level 1)

Hey, for a while I'd see packets from an IP and assume it was HTTP. But I found some IPs that give us traffic but are not making any logs in my access.log (so probably not HTTP). What way can I filter my logs, or using the CLI diagnose what ports this IP is using? Or trying to use?

Tia

Chuck

6 Replies

rhermes (Level 7)

Chuck -

Were you getting hits on an HTTP signature? If you want more information about the traffic around a signature hit to perform a good analysis, enable logging of victim and attacker traffic. If you just want to see what port is involved in the packet that caused this signature to fire, enable "produce verbose alert"; this will give you a partial packet capture in the alert message.

You can watch your traffic via the CLI too, check out the "packet display" and "iplog" commands.

http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliIPLog.html

Reading your url now. Nice and juicy.

Farrukh Haroon (VIP Alumni)

Can you please spell out your requirement clearly?

Regards

Farrukh

I will look into the 2nd response, but to make it clear: I have an IP that showed it sent a bunch of packets. This put that IP into the top 10 list. Typically I have been able to justify this by checking out the access log and finding a bunch of HTTP requests (just URLs to our website). But I have found a couple of IPs that produced a bunch of source packets but have not shown in my access.log (to justify any HTTP port traffic). So my question is how can I discover what traffic (or what ports) these packets were targeting from the IP in question?

The best option would be to enable IP logging for that particular IP, let's say for one hour, and then analyze that traffic using a .cap file browser like Wireshark.

Regards

Farrukh
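Once the IP log has been pulled off the sensor as a .cap file, the question "which ports is this IP hitting?" can be answered by a short script as well as by Wireshark. The following is an added example, not code from this thread or from Cisco: it parses the classic libpcap format (the same file format Wireshark opens), and for each source IP counts the protocol and destination port of every frame. The capture it reads is constructed inline from hand-built Ethernet/IPv4 frames so the script runs offline; the addresses in it are documentation ranges, not real hosts.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}   # IP protocol numbers we label by name

def build_frame(proto, src, dst, sport=0, dport=0):
    """Constructed test data: a minimal Ethernet/IPv4 frame carrying TCP, UDP or ICMP."""
    l4 = {6: struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0),  # TCP SYN
          17: struct.pack("!HHHH", sport, dport, 8, 0),                             # UDP, no payload
          1: struct.pack("!BBHHH", 8, 0, 0, 1, 1)}[proto]                           # ICMP echo request
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + l4   # zeroed MAC addresses, EtherType 0x0800 (IPv4)

def build_pcap(frames):
    """Wrap frames in a classic little-endian libpcap file (LINKTYPE_ETHERNET = 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f   # ts_sec, ts_usec, caplen, origlen
    return out

def port_summary(pcap):
    """Map each source IP to a Counter of (protocol, destination port) pairs seen in the capture."""
    magic, = struct.unpack("<I", pcap[:4])
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"   # usec/nsec magic, either byte order
    summary, off = {}, 24                                        # 24-byte global header
    while off + 16 <= len(pcap):                                 # 16-byte per-record header
        caplen, = struct.unpack(endian + "I", pcap[off + 8:off + 12])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                             # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4                             # IP header length in bytes
        proto, src = frame[23], str(IPv4Address(frame[26:30]))
        l4 = frame[14 + ihl:]
        dport = struct.unpack("!H", l4[2:4])[0] if proto in (6, 17) and len(l4) >= 4 else None
        summary.setdefault(src, Counter())[(PROTO_NAMES.get(proto, str(proto)), dport)] += 1
    return summary

SAMPLE = build_pcap([                                            # constructed sample capture
    build_frame(6, "192.0.2.10", "198.51.100.5", 40000, 80),
    build_frame(6, "192.0.2.10", "198.51.100.5", 40001, 80),
    build_frame(6, "192.0.2.10", "198.51.100.5", 40002, 443),
    build_frame(6, "192.0.2.77", "198.51.100.5", 51000, 22),
    build_frame(17, "192.0.2.77", "198.51.100.5", 51001, 161),
    build_frame(1, "192.0.2.77", "198.51.100.5"),
])
```

Running `port_summary` over the sample shows 192.0.2.10 as plain web traffic (ports 80 and 443), while 192.0.2.77 touched SSH, SNMP and ICMP, the kind of source that never appears in access.log. For a real sensor capture, replace `SAMPLE` with the bytes of the exported .cap file; pcapng files are not handled by this parser.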

netperception -

You are now on the road to performing analysis on your IDS/IPS events. With some investigation, you can determine if a signature or attacker is a true or false positive. Turning down the severity, disabling poor performing (too many false positives) signatures, or creating filters to stop signatures from firing on specific attackers (when justified thru analysis of course) will reduce your alert count and allow you to focus on actionable events that you can do something about.
