
ASA 5520 Infiltration of DNS query

Is TCPDUMP operation, similar to Sidewinder FW (example below), possible using the ASA 5520 and AIP-SSM-10 (IPS) module? Reference and response to my question are appreciated.

tcpdump options for DNS:

- Internal burb: tcpdump -ntpi em0 port 53
- External burb: tcpdump -ntpi em1 port 53

tcpdump options for SMTP:

- Internal burb: tcpdump -ntpi em0 port 25
- External burb: tcpdump -ntpi em1 port 25

Accepted Solution

Re: ASA 5520 Infiltration of DNS query

You can use the iplog command to capture a PCAP file on the AIP-SSM module (assuming you've sent the traffic you wish to capture to or through the AIP-SSM IPS module). It will capture based on the source IP address.

http://www.cisco.com/en/US/docs/security/ips/6.0/command/reference/crCmds.html#wp466857

If you want TCPdump granularity, make a service account on the sensor, log into the Linux system, su to root and tcpdump away.
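
Since iplog selects traffic by source IP rather than by port, the port-53 granularity of the Sidewinder filter above has to be applied to the resulting PCAP afterwards. The following is an added example, not code from the post or from Cisco, of such an offline filter in Python: it assumes a classic libpcap file with Ethernet framing, handles only IPv4/UDP, and parses a capture constructed inline for the demonstration.

```python
import struct

# Offline port-53 filter for a PCAP written by iplog (or tcpdump -w):
# keep only UDP port-53 packets and pull the queried name out of each DNS query.
def _read_name(data, off):
    # Decode a DNS name, following a 0xC0 compression pointer if one appears.
    labels = []
    while True:
        n = data[off]; off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:
            tail, _ = _read_name(data, ((n & 0x3F) << 8) | data[off])
            return ".".join(labels + [tail]), off + 1
        labels.append(data[off:off + n].decode("ascii", "replace")); off += n

def dns_queries(pcap):
    """Return [(src_ip, dst_ip, qname)] for every DNS query seen over UDP port 53."""
    e = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"   # pcap byte order from magic
    off, out = 24, []                                     # skip 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(e + "IIII", pcap[off:off + 16])[2]; off += 16
        f = pcap[off:off + caplen]; off += caplen
        if len(f) < 42 or f[12:14] != b"\x08\x00" or f[23] != 17:
            continue                                      # not Ethernet/IPv4/UDP
        udp = f[14 + (f[14] & 0x0F) * 4:]                 # UDP starts after the IP header
        sport, dport = struct.unpack("!HH", udp[:4])
        dns = udp[8:]
        if 53 not in (sport, dport) or len(dns) < 12:
            continue                                      # not port 53 (or truncated)
        flags, qdcount = struct.unpack("!HH", dns[2:6])
        if flags & 0x8000 or qdcount == 0:
            continue                                      # a response, not a query
        src = ".".join(map(str, f[26:30])); dst = ".".join(map(str, f[30:34]))
        out.append((src, dst, _read_name(dns, 12)[0]))
    return out

# Constructed sample capture (not real traffic): one DNS query plus one NTP packet.
def _udp_frame(src, dst, sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp

def _dns_query(name):
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(p), len(p)) + p for p in [
        _udp_frame("10.0.0.5", "10.0.0.53", 40000, 53, _dns_query("example.com")),
        _udp_frame("10.0.0.5", "10.0.0.123", 40001, 123, b"\x1b" + b"\x00" * 47)])
```

Running `dns_queries(SAMPLE_PCAP)` keeps only the port-53 query and drops the NTP packet, which is the same selection the Sidewinder `port 53` filter makes at capture time.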

2 REPLIES

Re: ASA 5520 Infiltration of DNS query

Thanks, Rhermes; your reference is appreciated. iplog: I need to try this command.
