Hey, for a while I'd see packets from an IP and assume it was HTTP. But I found some IPs that give us traffic but they are not making any logs in my access.log (so probably not HTTP). What way can I filter my logs or, using the CLI, diagnose what ports this IP is using? Or trying to use?
Were you getting hits on an HTTP signature? If you want more information about the traffic around a signature hit to perform a good analysis, enable logging of victim and attacker traffic. If you just want to see what port is involved in the packet that caused this signature to fire, enable "produce verbose alert"; this will give you a partial packet capture in the alert message.
You can watch your traffic via the CLI too, check out the "packet display" and "iplog" commands.
I will look into the 2nd response, but to make it clear: I have an IP that showed that it sent a bunch of packets. This put that IP into the top 10 list. Typically I have been able to justify this by checking out the access log and finding a bunch of HTTP requests (just URLs to our website). But I have found a couple of IPs that produced a bunch of source packets but have not shown up in my access.log (to justify any HTTP port traffic). So my question is how can I discover what traffic (or what ports) these packets were targeting from the IP in question?
You are now on the road to performing analysis on your IDS/IPS events. With some investigation, you can determine if a signature or attacker is a true or false positive. Turning down the severity, disabling poor performing (too many false positives) signatures, or creating filters to stop signatures from firing on specific attackers (when justified through analysis, of course) will reduce your alert count and allow you to focus on actionable events that you can do something about.
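The cross-check the question in this thread asks for, as an added example that is not part of the original posts and not Cisco's own tooling: a small Python script that reads tcpdump-style summary lines (the numeric form produced by `tcpdump -nn`, saved to a file or pasted from a CLI capture) alongside an Apache-style access.log, and lists every source IP whose packets are not explained by web requests, together with the destination ports it touched. The packet lines, the log lines and the address ranges are constructed sample data; the "explained by HTTP" rule (ports 80 and 443 plus presence in access.log) is an assumption for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed tcpdump -nn style lines (sample data, not real captured traffic).
PACKET_LINES = """\
12:00:01.000001 IP 198.51.100.7.51234 > 192.0.2.10.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000105 IP 198.51.100.7.51235 > 192.0.2.10.80: Flags [S], seq 2, win 64240, length 0
12:00:02.000001 IP 203.0.113.9.40001 > 192.0.2.10.22: Flags [S], seq 3, win 64240, length 0
12:00:02.000200 IP 203.0.113.9.40002 > 192.0.2.10.3389: Flags [S], seq 4, win 64240, length 0
12:00:02.000300 IP 203.0.113.9.40003 > 192.0.2.10.22: Flags [S], seq 5, win 64240, length 0
12:00:03.000001 IP 203.0.113.9.40004 > 192.0.2.10.53: UDP, length 40
""".splitlines()

# Constructed access.log lines in Apache combined format (sample data).
ACCESS_LOG_LINES = """\
198.51.100.7 - - [10/Oct/2023:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
""".splitlines()

# "IP src.sport > dst.dport:" as printed by tcpdump -nn (numeric ports, no service names).
PACKET_RE = re.compile(
    r"IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
)
# Client IP is the first field of a combined-format access.log line.
ACCESS_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) ")

# Assumption for this example: traffic to these ports is "web" traffic.
WEB_PORTS = {80, 443}


def ports_by_source(packet_lines):
    """Map each source IP to a Counter of the destination ports it sent packets to."""
    result = defaultdict(Counter)
    for line in packet_lines:
        m = PACKET_RE.search(line)
        if m:
            result[m.group("src")][int(m.group("dport"))] += 1
    return result


def access_log_clients(access_lines):
    """Set of client IPs that produced at least one request in the web server access log."""
    clients = set()
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if m:
            clients.add(m.group("ip"))
    return clients


def unexplained_sources(packet_lines, access_lines):
    """Sources whose packets are not accounted for by web requests.

    A source is reported if it never appears in access.log, or if it sent
    packets to ports outside WEB_PORTS. Each entry records whether the IP
    showed up in the access log and the full destination-port mix, which is
    what the analyst needs to decide what the IP was actually probing.
    """
    by_src = ports_by_source(packet_lines)
    clients = access_log_clients(access_lines)
    report = {}
    for src, ports in by_src.items():
        non_web = {p: n for p, n in ports.items() if p not in WEB_PORTS}
        if src not in clients or non_web:
            report[src] = {"in_access_log": src in clients, "ports": dict(ports)}
    return report


if __name__ == "__main__":
    for src, info in unexplained_sources(PACKET_LINES, ACCESS_LOG_LINES).items():
        ports = ", ".join(f"{p} (x{n})" for p, n in sorted(info["ports"].items()))
        print(f"{src}: in access.log={info['in_access_log']}; dst ports: {ports}")
```

With the constructed data, 198.51.100.7 is explained by its two access.log requests and is not reported, while 203.0.113.9 is reported with destination ports 22, 3389 and 53 and no access.log presence, which is exactly the kind of top-10 talker the question describes. To use it on real data, replace the two constructed lists with lines read from a capture file and from access.log.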