08-12-2008 05:46 AM - edited 03-10-2019 04:14 AM
Hey, for a while I'd see packets from an IP and assume it was HTTP. But I found some IPs that give us traffic but are not making any logs in my access.log (so probably not HTTP). What way can I filter my logs, or use the CLI to diagnose what ports this IP is using? Or trying to use?
Tia
Chuck
08-12-2008 07:37 AM
Chuck -
Were you getting hits on an HTTP signature? If you want more information about the traffic around a signature hit to perform a good analysis, enable logging of victim and attacker traffic. If you just want to see what port is involved in the packet that caused this signature to fire, enable "produce verbose alert"; this will give you a partial packet capture in the alert message.
You can watch your traffic via the CLI too; check out the "packet display" and "iplog" commands.
http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliIPLog.html
08-22-2008 07:20 AM
Reading your url now. Nice and juicy.
08-12-2008 11:24 AM
Can you please spell out your requirement clearly?
Regards
Farrukh
08-12-2008 11:47 AM
I will look into the 2nd response, but to make it clear: I have an IP that showed that it sent a bunch of packets. This put that IP into the top 10 list. Typically I have been able to justify this by checking out the access log and finding a bunch of HTTP requests (just URLs to our website). But I have found a couple of IPs that produced a bunch of source packets but have not shown up in my access.log (to justify any HTTP port traffic). So my question is, how can I discover what traffic (or what ports) these packets were targeting from the IP in question?
08-12-2008 12:01 PM
The best option would be to enable IP logging for that particular IP, let's say for one hour. And then analyze that traffic using a .cap file browser like Wireshark.
Regards
Farrukh
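Once the iplog capture has been pulled off the sensor, the question in this thread ("what ports is this IP actually hitting?") is a per-source port histogram. The script below is an added example, not code from the thread or from Cisco: it parses a classic libpcap file (Ethernet link type, which is what a .cap opened in Wireshark typically is), and tallies destination ports per protocol for one source IP. The capture embedded in the script is constructed inline so it runs offline; the IP addresses are documentation ranges, not real hosts. Point it at a real file with `python ports.py capture.cap 203.0.113.7` to get the same summary Wireshark's Statistics views give interactively.

```python
"""Summarise which destination ports a given source IP touched in a pcap.

Added example, not from the original thread or from Cisco. It assumes a
classic libpcap file (magic 0xa1b2c3d4, Ethernet link type), like the
.cap an IPS iplog capture yields; the sample below is constructed inline.
"""
import struct
from collections import defaultdict

ETH_IPV4 = 0x0800
PROTO_TCP = 6
PROTO_UDP = 17


def build_packet(src, dst, proto, sport, dport):
    """Construct a minimal Ethernet/IPv4/TCP-or-UDP frame (constructed test data)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_IPV4)
    if proto == PROTO_TCP:
        # src port, dst port, seq, ack, data offset (5 words), SYN flag, window, cksum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    total = 20 + len(l4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + l4


def build_pcap(packets):
    """Wrap raw frames in a libpcap global header and per-record headers."""
    # magic, major, minor, tz offset, sigfigs, snaplen, linktype 1 = Ethernet
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1218540000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


def iter_packets(data):
    """Yield (src_ip, dst_ip, proto, sport, dport) for each IPv4 TCP/UDP frame."""
    magic, = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        # Need at least Ethernet (14) + IPv4 header (20) and an IPv4 ethertype.
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
        proto = frame[23]                      # IPv4 protocol field
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        l4 = frame[14 + ihl:]
        if proto not in (PROTO_TCP, PROTO_UDP) or len(l4) < 4:
            continue
        sport, dport = struct.unpack("!HH", l4[:4])   # both start with src/dst port
        yield src, dst, proto, sport, dport


def ports_by_source(data, source_ip):
    """Return {(proto_name, dport): packet_count} for frames sent by source_ip."""
    counts = defaultdict(int)
    for src, _dst, proto, _sport, dport in iter_packets(data):
        if src == source_ip:
            name = "tcp" if proto == PROTO_TCP else "udp"
            counts[(name, dport)] += 1
    return dict(counts)


# Constructed sample capture: a "top talker" that never shows up in access.log
# because it is touching SSH, SMB and DNS rather than speaking HTTP.
SAMPLE_PCAP = build_pcap([
    build_packet("203.0.113.7", "192.0.2.10", PROTO_TCP, 40000, 22),
    build_packet("203.0.113.7", "192.0.2.10", PROTO_TCP, 40001, 22),
    build_packet("203.0.113.7", "192.0.2.10", PROTO_TCP, 40002, 445),
    build_packet("203.0.113.7", "192.0.2.10", PROTO_UDP, 40003, 53),
    build_packet("198.51.100.5", "192.0.2.10", PROTO_TCP, 50000, 80),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    ip = sys.argv[2] if len(sys.argv) > 2 else "203.0.113.7"
    for (proto, port), n in sorted(ports_by_source(data, ip).items()):
        print(f"{ip} -> {proto}/{port}: {n} packet(s)")
```

A source that shows up as a top talker with no matching access.log entries but a spread of non-HTTP destination ports is the pattern worth escalating; one that turns out to be all tcp/80 (or 443) usually just means the web server logged it under another name or the requests never completed. The parser deliberately handles only classic pcap and Ethernet frames and raises on anything else rather than silently miscounting.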
08-13-2008 07:57 AM
netperception -
You are now on the road to performing analysis on your IDS/IPS events. With some investigation, you can determine if a signature or attacker is a true or false positive. Turning down the severity, disabling poor-performing (too many false positives) signatures, or creating filters to stop signatures from firing on specific attackers (when justified through analysis, of course) will reduce your alert count and allow you to focus on actionable events that you can do something about.