Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Dissecting IPS logs (triggered packets)

How do i dissect the signature triggered packet captured from an IDS/IPS

eg:000010 08 00 45 00 02 0D C1 1D 00 00 80 06 79 92 AC 1C ..E.........y...

000020 04 0C 0A 05 44 0E B6 8F 00 19 1E 38 04 FE 6E 1F ....D......8..n.

000030 BC 0A 50 18 3E D6 B9 7E 00 00 31 20 31 38 36 39 ..P.>..~..1 1869

3 REPLIES
Silver

Re: Dissecting IPS logs (triggered packets)

The IP Logs page displays all IP logs that are available for downloading on the system. IP logs are generated in two ways:

When you turn on IP logging from Administration > IP Logging

See Configuring IP Logging, for the procedure.

When you select log as the EventAction for a signature.

When the sensor detects an attack based on this signature, it creates an IP log. See Configuring Signatures Through Virtual Sensor Signature Configuration Mode, for more information

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/module_installation_and_configuration_guides_chapter09186a00801a0c2a.html

New Member

Re: Dissecting IPS logs (triggered packets)

Ethereal is a great tool to break it down, but it basically comes to learning TCP/IP really well. Pickup TCP/IP Illustrated Vol 1 by stevens and read it from start to finish, multiple times =)

45 00 02 0D C1 1D 00 00 80 06 79 92 AC 1C 04 0C 0A 05 44 0E

Is the IP header portion of the packet. You can tell its an ipv4 packet, and 20 bytes long. Also this is a tcp packet.

AC 1C 04 0C is the source IP 172.28.4.12

0A 05 44 0E is the destination 10.5.68.14

The tcp header follows with:

B6 8F 00 19 1E 38 04 FE 6E 1F BC 0A 50 18 3E D6 B9 7E 00 00 31 20 31 38 36 39

B6 8F is source port 46735

00 19 is dest port 25

1E 38 04 FE seq #

6E 1F BC 0A ack #

then its followed by your offset, flags, checksum etc...

hope that helps.

New Member

Re: Dissecting IPS logs (triggered packets)

SANS produces a great TCP/IP reference card. Download, print, and keep handy. It'll help you dissect the packet's various contents.

http://sans.org/resources/tcpip.pdf

If the card makes no sense to you, and you want a quick fix, I would suggest downloading Ethereal. Take the text trigger packet, and convert it to a pcap file using text2pcap.exe. Its included with Ethereal. Then load the file in Ethereal and it will break down the packet into its various elements for you.

http://www.ethereal.com/

208
Views
5
Helpful
3
Replies