11-10-2005 03:09 PM - edited 03-10-2019 01:44 AM
What is the best way to capture packets as well as display them for signatures?
I need to see the packets that cause the ICMP hard DoS sig 2157 to fire. The Cisco IDS Install and Configuration guide version 4.x talks about enabling packet capture (setting it to true) as well as the Event action, but gives no clear instructions on which to use or whether both need to be configured.
11-16-2005 12:43 PM
If you want to capture the packets that caused the signature to fire, then you must enable the "log" option as the EventAction in the signature. When the IDS detects an attack based on this signature, it creates an IP log.
There is also an "IP logging" feature in the IDS that is used to capture the packets for a duration of time. This capture is time or size (bytes) based and is not based on signature.
11-16-2005 03:29 PM
Thank you for the reply. I had opened a case with Cisco and they gave me the same information as well as additional info on packet capture, i.e. how to copy and read the files.
12-21-2005 11:46 AM
Could you, please, share the additional info with us?
Thanks,
01-03-2006 07:03 PM
You should be able to scp from a Linux/Unix box to get the files off the IDS. It would require scp'ing with the service account and knowing the directory where the files are stored. Not sure if that is a supported feature or not.
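Once an IP log has been copied off the sensor, the next step is to look at which ICMP packets it holds. The script below is an added example, not code from the thread or from Cisco; it assumes the retrieved log is a libpcap file with Ethernet framing (an assumption, since the thread does not state the file format). The capture it parses is constructed inline so the example runs offline; on a real log you would pass the file's bytes to `parse_pcap` instead.

```python
"""Summarise the ICMP packets in an IP log retrieved from the sensor.

Assumption (not stated in the thread): the log is a libpcap file whose
link type is Ethernet. The sample capture below is constructed here so
the script runs stand-alone.
"""
import struct
from typing import Dict, List

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_ICMP = 1


def parse_pcap(data: bytes) -> List[bytes]:
    """Return the raw frames of a libpcap file (classic format, either byte order)."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    # version major/minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, _, linktype = struct.unpack_from(endian + "HHiIII", data, 4)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled")
    frames = []
    off = 24
    while off + 16 <= len(data):
        # record header: ts_sec, ts_usec, incl_len, orig_len
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return frames


def icmp_summary(frames: List[bytes]) -> List[Dict]:
    """Pick out IPv4 ICMP frames and report source, destination, type, code, length."""
    out = []
    for f in frames:
        if len(f) < 34 or f[12:14] != ETHERTYPE_IPV4:
            continue
        ihl = (f[14] & 0x0F) * 4          # IPv4 header length in bytes
        if f[23] != IPPROTO_ICMP:
            continue
        icmp_off = 14 + ihl
        if len(f) < icmp_off + 2:
            continue                      # truncated ICMP header
        out.append({
            "src": ".".join(str(b) for b in f[26:30]),
            "dst": ".".join(str(b) for b in f[30:34]),
            "type": f[icmp_off],
            "code": f[icmp_off + 1],
            "len": len(f) - icmp_off,     # ICMP header plus payload
        })
    return out


# --- constructed sample capture (not real sensor data) ----------------------
def _frame(src: bytes, dst: bytes, proto: int, payload: bytes) -> bytes:
    """Ethernet + IPv4 header + payload; checksums left at zero (parser ignores them)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + ETHERTYPE_IPV4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return eth + ip + payload


def build_sample_capture() -> bytes:
    host_a, host_b = b"\x0a\x00\x00\x05", b"\x0a\x00\x00\x01"   # 10.0.0.5 -> 10.0.0.1
    echo_req = lambda seq: struct.pack("!BBHHH", 8, 0, 0, 1, seq) + b"A" * 1400
    frames = [
        _frame(host_a, host_b, IPPROTO_ICMP, echo_req(1)),
        _frame(host_a, host_b, IPPROTO_ICMP, echo_req(2)),
        _frame(host_a, host_b, 6, b"\x00" * 20),                # TCP frame, should be skipped
        _frame(host_b, host_a, IPPROTO_ICMP, struct.pack("!BBHHH", 3, 3, 0, 0, 0) + b"\x00" * 28),
    ]
    data = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    ts = 1131647340                                             # constructed timestamp
    for i, f in enumerate(frames):
        data += struct.pack("<IIII", ts + i, 0, len(f), len(f)) + f
    return data


if __name__ == "__main__":
    for entry in icmp_summary(parse_pcap(build_sample_capture())):
        print(entry)
```

The summary is enough to tell which hosts and which ICMP types were in the log when the signature fired; checksums are deliberately ignored so the script also copes with frames the sensor truncated at its snaplen.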