ASA 5520 Infiltration of DNS query

Answered Question
Jul 16th, 2009

Is TCPDUMP operation, similar to Sidewinder FW (example below), possible using the ASA 5520 and AIP-SSM-10 (IPS) module? Reference and response to my question are appreciated.

tcpdump options for DNS:

- Internal burb: tcpdump -ntpi em0 port 53
- External burb: tcpdump -ntpi em1 port 53

tcpdump options for SMTP:

- Internal burb: tcpdump -ntpi em0 port 25
- External burb: tcpdump -ntpi em1 port 25

Correct Answer by rhermes, Fri, 07/17/2009 - 08:46

You can use the iplog command to capture a PCAP file on the AIP-SSM module (assuming you've sent the traffic you wish to capture to or through the AIP-SSM IPS module). It will capture based on the source IP address.

http://www.cisco.com/en/US/docs/security/ips/6.0/command/reference/crCmds.html#wp466857

If you want TCPdump granularity, make a service account on the sensor, log into the Linux system, su to root and tcpdump away.
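As an added example (not from this thread, and not Cisco's or tcpdump's own code), here is a small Python reader for the kind of port-53 capture discussed above: it walks a classic pcap of Ethernet/IPv4/UDP frames, as tcpdump or iplog would write, and reports the source IP and queried name of each DNS query while skipping responses. The capture bytes are constructed inline; the addresses and names in them are made up.

```python
import struct

def decode_qname(buf, off):
    """Decode an uncompressed DNS name (length-prefixed labels) starting at buf[off]."""
    labels = []
    while buf[off]:                               # a zero length byte ends the name
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels)

def dns_queries(pcap):
    """Return (src_ip, qname) for every UDP/53 DNS query in a classic pcap file."""
    magic, = struct.unpack("<I", pcap[:4])
    e = "<" if magic == 0xA1B2C3D4 else ">"      # pcap byte order from the magic number
    out, off = [], 24                             # skip the 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(e + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 42 or frame[12:14] != b"\x08\x00":
            continue                              # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        ip = frame[14:14 + ihl]
        if ip[9] != 17:
            continue                              # not UDP
        udp = frame[14 + ihl:]
        if struct.unpack("!H", udp[2:4])[0] != 53 or udp[10] & 0x80:
            continue                              # not to port 53, or QR bit set (a response)
        src = ".".join(str(b) for b in ip[12:16])
        out.append((src, decode_qname(udp, 8 + 12)))  # question section follows the 12-byte DNS header
    return out

def sample_pcap():
    """Constructed capture (made-up hosts): two queries and one response."""
    def frame(src, dst, sport, dport, flags, qname):
        name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
        dns = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0) + name + struct.pack("!HH", 1, 1)
        udp = struct.pack("!HHHH", sport, dport, 8 + len(dns), 0) + dns
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + udp
        return b"\x00" * 12 + b"\x08\x00" + ip    # zeroed MACs, EtherType IPv4
    frames = [frame("10.0.0.5", "192.0.2.53", 40000, 53, 0x0100, "example.com"),
              frame("192.0.2.53", "10.0.0.5", 53, 40000, 0x8180, "example.com"),
              frame("10.0.0.7", "192.0.2.53", 40001, 53, 0x0100, "mail.example.org")]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    return hdr + b"".join(struct.pack("<IIII", 1247846400, 0, len(f), len(f)) + f for f in frames)
```

Feed a real file to dns_queries(open(path, "rb").read()) to list which internal hosts queried which names; grouping by the first tuple element gives a per-source view matching what iplog selects on.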


tsha515151 Fri, 07/17/2009 - 10:19

Thanks, rhermes; your reference is appreciated. iplog: I need to try this command.
