IdsImportArchivedData

darin.marais
Level 4

With VMS 2.3, you can use a CLI command to import archived data. Each time data is archived, it is written to a subdirectory under “~\CSCOpx\MDC\secmon\AlertPruneData\”; a new directory named with the date and time (date_time) of the archival is created for each run.

Say, for instance, you would like to pull some NIDS events back into the database for the period of one day, i.e. the events have been archived for xx April 200x and you need to investigate them.

How do you locate which file contains the data you are looking for, short of opening each one to check the date and time of the events in that directory?
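The thread never answers the question, so here is one practical way to do what the post describes (opening each archive directory and checking the event dates) without doing it by hand. This is an added example, not code from the original post or from Cisco Security Monitor. It assumes, as the post states, that each archival run creates one subdirectory under the AlertPruneData directory; it further assumes (not confirmed by the thread) that the archived files are text and that each event record carries a timestamp you can describe with a regular expression. The archive root path below is hypothetical; the sample archive tree is constructed for the demo. Note that the date_time in a directory name is only the time the archival ran, so it is at best an upper bound on the event timestamps inside, which is why the script searches file contents rather than trusting directory names.

```python
import os
import re
import shutil
import tempfile

# Hypothetical install root; the post writes it as "~\CSCOpx\MDC\secmon\AlertPruneData\".
ARCHIVE_ROOT = r"C:\Program Files\CSCOpx\MDC\secmon\AlertPruneData"


def scan_archive_dir(path, date_re):
    """Count lines in every file under `path` that match the compiled regex date_re."""
    hits = 0
    for dirpath, _, filenames in os.walk(path):
        for name in filenames:
            try:
                # errors="replace" keeps the scan alive on odd encodings in old archives
                with open(os.path.join(dirpath, name), "r", errors="replace") as fh:
                    for line in fh:
                        if date_re.search(line):
                            hits += 1
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
    return hits


def find_archives_with_events(root, date_pattern):
    """Return [(subdir_name, matching_line_count), ...] for every archive
    subdirectory under `root` that contains at least one line matching
    date_pattern (a regex string such as r"2004-04-15" or r"Apr 15 2004")."""
    date_re = re.compile(date_pattern)
    results = []
    for entry in sorted(os.listdir(root)):          # sorted: deterministic, oldest archival first
        sub = os.path.join(root, entry)
        if not os.path.isdir(sub):
            continue                                # ignore stray files at the root
        hits = scan_archive_dir(sub, date_re)
        if hits:
            results.append((entry, hits))
    return results


def build_sample_archive(root):
    """Constructed sample data: three archival runs, each a date_time-named
    subdirectory holding a small text file of event lines (format assumed)."""
    samples = {
        "2004_04_20_010000": [
            "2004-04-15 02:11:09 sig 3050 10.0.1.12 -> 10.0.0.5",
            "2004-04-15 02:12:30 sig 2004 10.0.1.12 -> 10.0.0.9",
            "2004-04-16 09:00:01 sig 3050 10.0.1.40 -> 10.0.0.5",
        ],
        "2004_05_03_010000": [
            "2004-05-01 23:59:58 sig 2100 10.0.2.7 -> 10.0.0.5",
        ],
        "2004_06_01_010000": [
            "2004-05-30 12:00:00 sig 3050 10.0.3.1 -> 10.0.0.5",
        ],
    }
    for dirname, lines in samples.items():
        os.makedirs(os.path.join(root, dirname))
        with open(os.path.join(root, dirname, "alarms.txt"), "w") as fh:
            fh.write("\n".join(lines) + "\n")


def demo():
    """Build the constructed archive tree in a temp directory, search it for
    two dates, and return both result lists (used by the usage line below)."""
    root = tempfile.mkdtemp()
    try:
        build_sample_archive(root)
        april = find_archives_with_events(root, r"2004-04-15")
        may = find_archives_with_events(root, r"2004-05-01")
        return april, may
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    april, may = demo()
    print("archives holding 2004-04-15 events:", april)
    print("archives holding 2004-05-01 events:", may)
    # Against the real tree you would call, for example:
    # find_archives_with_events(ARCHIVE_ROOT, r"2004-04-15")
```

Run it against the real AlertPruneData directory with a pattern that matches how timestamps actually appear in the archived files; the returned directory names are the ones worth feeding to the import command, and the hit counts give a rough idea of how many events each one holds for that day.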

2 Replies

a.giorgi
Level 1

Hi darin:

I'm not sure if my recommendation will help you.

I don't know how VMS 2.3 works, but you have a couple of alternatives to capture packets to analyze later.

One of these is to configure an action "log attacker packets" for a signature.

This action captures a number of packets that you can save from Monitoring -> IP Logging -> Download button.

The file has a *.cap extension and you can view the captured packets with Ethereal.

Another possibility is from the CLI using the command

sensorP#packet capture FastEthernet0/1 expression host 10.0.1.12

This captures packets from 10.0.1.12 until you press Ctrl-C.

You can view the results with the command packet display packet-file, or you can export the captured packets with the command copy packet-file ftp:

Save the file with a .cap extension and analyze it with Ethereal.

I hope this helps you.

Alberto Giorgi from Spain (a new kid on the block)

Hi alberto,

Thanks for your reply; however, it does not really help me, as the log files you are referring to are not the same log files I am referring to. I am interested in a method to restore partial alert logs, and you have described a method for capturing IP logs.

Thanks for trying to help in any event.
