What to expect with the "log pair" actions

mhellman
Level 7

I've never quite understood what I should expect to find in the pcap file for the "log pair packets" action. Take the following example:

SigId: 6256-0 (HTTP Auth fail)
Engine: Atomic IP
TCP Mask: Ack,Fin,Rst,Syn
TCP Flags: Ack
Source Port Range: 80-80
Regex: [Hh][Tt][Tt][Pp][/][1][.][01][ \t][4][0][1]
Event Count: 25 (not default)
Event Count Key: Attacker and Victim Addresses
Alert Interval: 2 (not default)

What I would expect/hope to see is at least all 25 "atomic" packets which triggered the alarm. This doesn't seem to be the case, however.

A string search through the pcap file (ethereal) for '401' finds only 5 hits, and all but one are separated by 5 or more seconds.

The very first packet in the pcap file matches the signature (i.e. it is a 401). Is the first packet in the pcap file the last packet that triggered the alarm?


2 Replies

gfullage
Cisco Employee (Accepted Solution)

In short, yes. Keep in mind that logging is only started after the alert has fired, which in your case above would be AFTER we see the 25th packet in a 2-second period. Actually, we will capture that 25th one, as that is the TriggerPacket as you mentioned, plus whatever else occurs after that TriggerPacket, but we don't capture/log all 25 packets, simply because for the 1st to 24th packet the alert has not fired.
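The behaviour gfullage describes can be checked against a small model. The following is example code added for this page, not Cisco sensor code: it applies the signature's atomic test (source port, masked TCP flags, the regex), keeps an Event Count window per address pair over the Alert Interval, and opens a log-pair capture only when the 25th match arrives. The sample traffic, the 30-second capture length and the use of the unordered address pair as the event-count key are assumptions of the model, not values from the thread.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass

# Signature 6256-0 parameters as listed in the question (Atomic IP engine).
SRC_PORT_RANGE = (80, 80)
TCP_MASK = frozenset({"ACK", "FIN", "RST", "SYN"})  # TCP Mask: flags the engine tests
TCP_FLAGS = frozenset({"ACK"})                       # TCP Flags: required values
REGEX = re.compile(rb"[Hh][Tt][Tt][Pp][/][1][.][01][ \t][4][0][1]")
EVENT_COUNT = 25       # non-default, per the question
ALERT_INTERVAL = 2.0   # seconds, non-default, per the question
LOG_SECONDS = 30.0     # ASSUMED length of the log-pair capture; not stated in the thread

@dataclass(frozen=True)
class Packet:
    ts: float          # seconds
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset   # TCP flags set on the packet
    payload: bytes

def matches_signature(pkt):
    """Atomic (single-packet) test: source port, masked TCP flags, payload regex."""
    if not SRC_PORT_RANGE[0] <= pkt.sport <= SRC_PORT_RANGE[1]:
        return False
    # Only the flags in TCP_MASK are compared, so PSH/ACK passes but SYN/ACK does not.
    if (pkt.flags & TCP_MASK) != TCP_FLAGS:
        return False
    return REGEX.search(pkt.payload) is not None

def address_pair(pkt):
    """Event Count Key = Attacker and Victim Addresses, modelled as the unordered pair."""
    return frozenset((pkt.src, pkt.dst))

class Sensor:
    """Per-pair event-count window plus a per-pair log-pair capture."""

    def __init__(self):
        self.recent = defaultdict(deque)  # pair -> timestamps of matches in the window
        self.log_until = {}               # pair -> time at which the capture stops
        self.alerts = []                  # trigger packets that fired the alert
        self.pcap = []                    # packets the log-pair action wrote

    def process(self, pkt):
        pair = address_pair(pkt)
        # A running capture records every packet between the two addresses,
        # in either direction, whether or not it matches the signature.
        capturing = pkt.ts <= self.log_until.get(pair, float("-inf"))
        if capturing:
            self.pcap.append(pkt)
        if not matches_signature(pkt):
            return
        window = self.recent[pair]
        window.append(pkt.ts)
        while pkt.ts - window[0] > ALERT_INTERVAL:  # sliding Alert Interval
            window.popleft()
        if len(window) < EVENT_COUNT:
            return  # matches 1..24: counted, but no alert and nothing logged
        # Match 25 inside the interval: the alert fires on this packet, which
        # becomes the TriggerPacket and the first packet in the capture.
        self.alerts.append(pkt)
        window.clear()
        self.log_until[pair] = max(self.log_until.get(pair, 0.0), pkt.ts + LOG_SECONDS)
        if not capturing:
            self.pcap.append(pkt)

def build_traffic():
    """Constructed sample (not from the thread): 25 failed logins in 1.2 s,
    then one failure every 5 s, then a successful login."""
    server, client, pkts = "198.51.100.80", "192.0.2.10", []
    ack_psh = frozenset({"ACK", "PSH"})

    def exchange(t, status):
        pkts.append(Packet(t, client, server, 40000, 80, ack_psh,
                           b"GET /admin HTTP/1.1\r\nAuthorization: Basic dXNlcjpwYXNz\r\n\r\n"))
        pkts.append(Packet(t + 0.01, server, client, 80, 40000, ack_psh, status))

    for i in range(25):    # burst: responses at 0.01 s .. 1.21 s, all inside one 2 s interval
        exchange(i / 20.0, b"HTTP/1.1 401 Unauthorized\r\n\r\n")
    for i in range(1, 5):  # trickle: 6.25 s, 11.25 s, 16.25 s, 21.25 s
        exchange(1.25 + 5.0 * i, b"HTTP/1.1 401 Unauthorized\r\n\r\n")
    exchange(23.0, b"HTTP/1.1 200 OK\r\n\r\n")  # success: logged, but no 401
    return pkts

def run_demo():
    """Replays the sample through the sensor and summarises what the pcap holds."""
    traffic, sensor = build_traffic(), Sensor()
    for pkt in traffic:
        sensor.process(pkt)
    trigger = sensor.alerts[0]
    return {
        "matching_packets": sum(matches_signature(p) for p in traffic),   # 29
        "alerts": len(sensor.alerts),                                     # 1
        "trigger_index": traffic.index(trigger),                          # 49: the 25th 401
        "first_logged_is_trigger": sensor.pcap[0] is trigger,             # True
        "logged_packets": len(sensor.pcap),                               # 11
        "hits_401": sum(1 for p in sensor.pcap if b"401" in p.payload),   # 5, as in the question
    }

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Running it reproduces the observation in the question: 29 packets match the signature, but the capture opens with the 25th match (so the first packet in the pcap is itself a 401), the 24 earlier matches are never written, and a string search for "401" over the capture finds only the trigger plus the follow-ups that fall inside the capture window. The practical check on a real sensor is the same: compare the timestamp of the first packet in the pcap with the alert's trigger time; they should coincide, and anything the counter saw before that time will be absent.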

mhellman

That sucks, but it does make sense. I imagine it's not practical to start logging whenever the counter starts. It is really difficult to believe that in the 2 seconds prior to the capture there were 25 "401" responses, and only 1 every 5 seconds or so after.
