ASA 5520 Infiltration of DNS query

Answered Question
Jul 16th, 2009

Is a TCPDUMP operation similar to the Sidewinder FW (example below) possible using the ASA 5520 and AIP-SSM-10 (IPS) module? A reference and response to my question are appreciated.


tcpdump options for DNS:

  Internal burb: tcpdump -ntpi em0 port 53
  External burb: tcpdump -ntpi em1 port 53

tcpdump options for SMTP:

  Internal burb: tcpdump -ntpi em0 port 25
  External burb: tcpdump -ntpi em1 port 25


Correct Answer
rhermes Fri, 07/17/2009 - 08:46

You can use the iplog command to capture a PCAP file on the AIP-SSM module (assuming you've sent the traffic you wish to capture to or through the AIP-SSM IPS module). It will capture based on the source IP address.

http://www.cisco.com/en/US/docs/security/ips/6.0/command/reference/crCmds.html#wp466857

If you want TCPdump granularity, make a service account on the sensor, log into the Linux system, su to root and tcpdump away.
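Once iplog (or tcpdump on the sensor) has written a PCAP, the next step is usually to pull the queried names out of it. The following is an added example, not code from the thread or from Cisco: a small pure-Python reader for an Ethernet pcap that keeps only UDP/53 queries, the same scope as the "port 53" filter above, and returns source, destination and queried name per packet. The sample capture it parses (192.0.2.10 asking 192.0.2.53 for example.com) is constructed inline.

```python
import struct

# Constructed sample input: a little-endian pcap holding one Ethernet/IPv4/UDP
# frame that carries a DNS A query. Addresses and name are placeholders.
def build_sample_pcap(qname="example.com", src="192.0.2.10", dst="192.0.2.53"):
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    dns = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)
    udp = struct.pack("!4H", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + udp                    # zeroed MACs, EtherType IPv4
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    return hdr + struct.pack("<4I", 1247756400, 0, len(frame), len(frame)) + frame

def dns_queries(pcap):
    """Return (src_ip, dst_ip, qname) for each UDP/53 query in an Ethernet pcap."""
    e = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"     # magic number decides byte order
    if struct.unpack(e + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    out, off = [], 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(e + "4I", pcap[off:off + 16])[2]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 17:
            continue                                   # not UDP
        udp = ip[ihl:]
        if struct.unpack("!H", udp[2:4])[0] != 53:
            continue                                   # destination port 53 only
        dns = udp[8:]
        flags, qdcount = struct.unpack("!HH", dns[2:6])
        if flags & 0x8000 or qdcount == 0:
            continue                                   # a response, or no question section
        labels, p = [], 12
        while p < len(dns) and dns[p] and dns[p] < 0xC0:  # stop at root label or compression pointer
            labels.append(dns[p + 1:p + 1 + dns[p]].decode("ascii", "replace"))
            p += 1 + dns[p]
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        out.append((src, dst, ".".join(labels)))
    return out

if __name__ == "__main__":
    for src, dst, name in dns_queries(build_sample_pcap()):
        print(f"{src} -> {dst}  query {name}")
```

Point it at a real file with `dns_queries(open("capture.pcap", "rb").read())`; captures with a non-Ethernet link type are rejected rather than misparsed.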



tsha515151 Fri, 07/17/2009 - 10:19

Thanks, Rhermes; your reference is appreciated. iplog; I need to try this command.
