Packet Decodes in Alerts

Answered Question
Jan 21st, 2010

Hello,

Is it possible to turn on and dictate the length of packet decodes on the sensor?

For example I do not get a decode for invalid netbios name(3357), but do for Windows Image color Management (6984).

example:

  context:  
    fromAttacker:
000000  0E 30 00 00 00 00 00 00  02 00 00 00 01 00 01 00  .0..............
000010  00 00 00 00 00 00 20 07  67 40 63 00 65 30 6E 00  ...... .g@c.e0n.
000020  74 00 6C 00 79 00 20 00  75 00 01 00 00 04 00 00  t.l.y. .u.......
000030  00 00 20 07 4B C8 00 30  0F 30 00 00 00 00 00 00  .. .K..0.0......
000040  02 00 00 00 0B 00 01 00  00 00 00 00 00 00 20 07  .............. .
000050  4B C8 00 30 0F 30 00 00  00 00 00 00 02 00 00 00  K..0.0..........
000060  0B 00 01 00 00 00 00 00  00 00 20 07 4B C8 00 30  .......... .K..0
000070  0F 30 00 00 00 00 00 00  02 00 00 00 0B 00 01 00  .0..............
000080  00 00 00 00 00 00 20 07  4B C8 00 30 0F 30 00 00  ...... .K..0.0..
000090  00 00 00 00 02 00 00 00  0B 00 01 00 00 04 00 00  ................
0000A0  00 00 20 07 4B C8 00 30  08 30 00 00 00 00 00 00  .. .K..0.0......
0000B0  02 00 00 00 01 00 01 00  00 00 00 00 00 00 20 07  .............. .
0000C0  4B C8 00 30 0F 30 00 00  00 00 00 00 02 00 00 00  K..0.0..........
0000D0  0B 00 01 00 00 00 00 00  00 00 20 07 4B C8 00 30  .......... .K..0
0000E0  0F 30 00 00 00 00 00 00  02 00 00 00 0B 00 01 00  .0..............
0000F0  00 00 00 00 00 00 20 07  6F 40 64 00 65 30 3A 00  ...... .o@d.e0:.

    fromTarget:
000000  73 65 3F 73 65 73 73 69  6F 6E 69 64 3D 43 46 30  se?sessionid=CF0
000010  32 42 30 31 39 41 49 44  5F 30 30 30 30 30 35 33  2B019AID_0000053
000020  32 38 30 30 35 30 30 30  30 30 30 30 30 26 63 61  2800500000000&ca
000030  73 65 69 64 3D 35 30 34  39 38 34 26 63 61 73 65  seid=504984&case
000040  74 72 61 6E 73 66 65 72  66 6C 61 67 3D 59 0D 0A  transferflag=Y..
000050  41 63 63 65 70 74 2D 4C  61 6E 67 75 61 67 65 3A  Accept-Language:
000060  20 65 6E 2D 67 62 0D 0A  41 63 63 65 70 74 2D 45   en-gb..Accept-E
000070  6E 63 6F 64 69 6E 67 3A  20 67 7A 69 70 2C 20 64  ncoding: gzip, d
000080  65 66 6C 61 74 65 0D 0A  55 73 65 72 2D 41 67 65  eflate..User-Age
000090  6E 74 3A 20 4D 6F 7A 69  6C 6C 61 2F 34 2E 30 20  nt: Mozilla/4.0
0000A0  28 63 6F 6D 70 61 74 69  62 6C 65 3B 20 4D 53 49  (compatible; MSI
0000B0  45 20 36 2E 30 3B 20 57  69 6E 64 6F 77 73 20 4E  E 6.0; Windows N
0000C0  54 20 35 2E 31 3B 20 53  56 31 3B 20 47 54 42 36  T 5.1; SV1; GTB6
0000D0  29 0D 0A 48 6F 73 74 3A  20 31 30 2E 32 33 32 2E  )..Host: 10.232.
0000E0  31 36 2E 37 0D 0A 43 6F  6E 6E 65 63 74 69 6F 6E  16.7..Connection
0000F0  3A 20 4B 65 65 70 2D 41  6C 69 76 65 0D 0A 0D 0A  : Keep-Alive....

Some alerts also warrant a larger capture, for example web attacks, to correctly classify the traffic as a false positive.

Any help would be gratefully received.

BTW can I view IPS events from the CLI on the unit?

Thanks

Mark

Correct Answer by rhermes about 6 years 10 months ago

There are two types of packet captures on the IPS Sensors. The one you may be looking at is included in the alert. This is set by selecting the "produce-verbose-alert" option on the associated signature. There are no further options for this method of packet capture.

The second way of performing packet captures is the "log-attacker-packets" and "log-victim-packets" options (select these as a pair). They will create a PCAP file on the sensor with X number of packets captured. X is settable on a global basis for all signature captures (not on a sig by sig basis).

You can see alerts on the CLI with this command:

show events alert past 01:00 (to see alerts for the past hour + current alerts as they roll in)

- Bob

markidotw Mon, 01/25/2010 - 02:12

Hi Bob,

Thank you for your reply.

It's really helped.

Thanks

Mark
