
New Member

Filtering an IP's traffic

Hey, for a while I'd see packets from an IP and assume it was http. But I found some IPs that give us traffic but they are not making any logs in my access.log (so probably not http). What way can I filter my logs or, using the CLI, diagnose what ports this IP is using? Or trying to use?

Tia

Chuck

6 REPLIES
Gold

Re: Filtering an IP's traffic

Chuck -

Were you getting hits on an http signature? If you want more information about the traffic around a signature hit to perform a good analysis, enable logging of victim and attacker traffic. If you just want to see what port is involved in the packet that caused this signature to fire, enable "produce verbose alert"; this will give you a partial packet capture in the alert message.

You can watch your traffic via the CLI too, check out the "packet display" and "iplog" commands.

http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliIPLog.html

New Member

Re: Filtering an IP's traffic

Reading your url now. Nice and juicy.

Re: Filtering an IP's traffic

Can you please spell out your requirement clearly?

Regards

Farrukh

New Member

Re: Filtering an IP's traffic

I will look into the 2nd response, but to make it clear: I have an IP that showed that it sent a bunch of packets. This put that IP into the top 10 list. Typically I have been able to justify this by checking out the access log and finding a bunch of http requests (just urls to our website). But I have found a couple of IPs that produced a bunch of source packets but have not shown in my access.log (to justify any http port traffic). So my question is: how can I discover what traffic (or what ports) these packets from the IP in question were targeting?

Re: Filtering an IP's traffic

The best option would be to enable IP logging for that particular IP, let's say for one hour, and then analyze that traffic using a .cap file browser like Wireshark.

Regards

Farrukh
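As an added example (not part of the thread, and not Cisco's own tooling): once the iplog capture is pulled off the sensor, the "which ports did this IP hit" question can be answered programmatically instead of by eye in Wireshark. The script below builds a constructed libpcap file in memory from a few Ethernet/IPv4 frames (documentation-range addresses, made up for this example) and then counts destination ports per protocol for one source IP; Wireshark's Statistics > Conversations gives the same view in the GUI.

```python
import struct
import socket
from collections import Counter

def build_frame(src, dst, proto, dport):
    """Constructed Ethernet/IPv4 frame with a minimal TCP (6) or UDP (17) header."""
    eth = b"\x00" * 12 + b"\x08\x00"                     # dst/src MAC, ethertype IPv4
    if proto == 6:   # TCP: sport, dport, seq, ack, offset, flags, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    else:            # UDP: sport, dport, length, checksum
        l4 = struct.pack("!HHHH", 40000, dport, 8, 0)
    total = 20 + len(l4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4

def build_pcap(frames):
    """Wrap frames in a classic libpcap file (magic 0xa1b2c3d4, linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f   # ts_sec, ts_usec, lens
    return out

def summarize_ports(pcap_bytes, src_ip):
    """Return a Counter of (proto, dst_port) for IPv4 TCP/UDP packets sent by src_ip."""
    ports = Counter()
    off = 24                                              # skip the global header
    while off + 16 <= len(pcap_bytes):
        _, _, caplen, _ = struct.unpack_from("<IIII", pcap_bytes, off)
        pkt = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue                                      # not IPv4 over Ethernet
        ihl, proto = (pkt[14] & 0x0F) * 4, pkt[23]
        if socket.inet_ntoa(pkt[26:30]) != src_ip or proto not in (6, 17):
            continue
        l4 = 14 + ihl
        if len(pkt) < l4 + 4:
            continue                                      # truncated L4 header
        dport = struct.unpack_from("!H", pkt, l4 + 2)[0]  # dst port sits at offset 2
        ports[("tcp" if proto == 6 else "udp", dport)] += 1
    return ports

# Constructed sample capture: 203.0.113.5 is the "top talker" under investigation.
SAMPLE = build_pcap([build_frame("203.0.113.5", "192.0.2.10", 6, 443),
                     build_frame("203.0.113.5", "192.0.2.10", 6, 443),
                     build_frame("203.0.113.5", "192.0.2.10", 17, 53),
                     build_frame("198.51.100.7", "192.0.2.10", 6, 80)])
```

Running `summarize_ports(SAMPLE, "203.0.113.5")` reports tcp/443 twice and udp/53 once, which is exactly the breakdown that tells you whether the unexplained traffic is really web or something else; point it at a real iplog .cap instead of SAMPLE to check the IP from the top-10 list.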

Gold

Re: Filtering an IP's traffic

netperception -

You are now on the road to performing analysis on your IDS/IPS events. With some investigation, you can determine if a signature or attacker is a true or false positive. Turning down the severity, disabling poor performing (too many false positives) signatures, or creating filters to stop signatures from firing on specific attackers (when justified through analysis, of course) will reduce your alert count and allow you to focus on actionable events that you can do something about.
