ASA 5520 Infiltration of DNS query

tsha515151
Level 1

Is a TCPDUMP operation, similar to the Sidewinder FW (example below), possible using the ASA 5520 and the AIP-SSM-10 (IPS) module? References and responses to my question are appreciated.

tcpdump options for DNS:

- Internal burb: tcpdump -ntpi em0 port 53
- External burb: tcpdump -ntpi em1 port 53

tcpdump options for SMTP:

- Internal burb: tcpdump -ntpi em0 port 25
- External burb: tcpdump -ntpi em1 port 25

Accepted Solution

rhermes
Level 7

You can use the iplog command to capture a PCAP file on the AIP-SSM module (assuming you've sent the traffic you wish to capture to or through the AIP-SSM IPS module). It will capture based on the source IP address.

http://www.cisco.com/en/US/docs/security/ips/6.0/command/reference/crCmds.html#wp466857

If you want TCPdump granularity, make a service account on the sensor, log into the Linux system, su to root and tcpdump away.
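Once a port-53 capture of the kind discussed above (iplog on the AIP-SSM, or tcpdump on the sensor) has been saved as a PCAP, the next step is to pull the queried names out of it. The following is an added example, not code from this thread or from Cisco: a minimal libpcap/DNS question parser run over a constructed two-packet capture, with a simple name-length check as a first triage for data tunnelled in DNS queries. All names, addresses and helper functions (build_pcap, dns_queries, oversized_queries) are constructed for the example.

```python
import struct

def _dns_query(qname):
    """Constructed DNS standard query (one A question, no name compression) for qname."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)

def build_pcap(queries):
    """Constructed libpcap file: one Ethernet/IPv4/UDP frame to port 53 per (src_ip, dst_ip, qname)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header, link type 1 = Ethernet
    for src, dst, qname in queries:
        payload = _dns_query(qname)
        udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + udp          # dummy MACs, EtherType 0x0800 (IPv4)
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def dns_queries(pcap):
    """Return (src_ip, qname) for every IPv4/UDP port-53 question in a libpcap file."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"     # pcap magic decides header byte order
    off, found = 24, []
    while off + 16 <= len(pcap):
        incl = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]   # captured length of this record
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00" or frame[23] != 17:     # IPv4 and UDP only
            continue
        ihl = (frame[14] & 0x0F) * 4
        udp = frame[14 + ihl:]
        if 53 not in struct.unpack("!HH", udp[:4]):             # either port 53, like the tcpdump filter
            continue
        dns = udp[8:]
        if struct.unpack("!H", dns[4:6])[0] == 0:                # QDCOUNT: skip packets with no question
            continue
        pos, labels = 12, []
        while dns[pos] != 0:                                     # walk the QNAME length-prefixed labels
            labels.append(dns[pos + 1:pos + 1 + dns[pos]].decode("ascii", "replace"))
            pos += 1 + dns[pos]
        src = ".".join(str(b) for b in frame[26:30])
        found.append((src, ".".join(labels)))
    return found

def oversized_queries(pcap, max_len=60):
    """Queries whose name exceeds max_len characters: a common first look for DNS-tunnelled data."""
    return [q for q in dns_queries(pcap) if len(q[1]) > max_len]

if __name__ == "__main__":
    sample = build_pcap([("10.1.1.5", "192.0.2.53", "www.example.com"),
                         ("10.1.1.7", "192.0.2.53", "a" * 40 + "." + "b" * 40 + ".example.com")])
    for src, name in dns_queries(sample):
        print(src, name)
    print("oversized:", oversized_queries(sample))
```

The same dns_queries() function reads a real capture written by tcpdump -w or exported from iplog, as long as it is classic libpcap format with Ethernet framing.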


2 Replies


Thanks, Rhermes; your reference is appreciated. iplog: I need to try this command.
