Gold

What to expect with the "log pair" actions

I've never quite understood what I should expect to find in the pcap file for the "log pair packets" action. Take the following example:

SigId: 6256-0 (HTTP Auth fail)

Engine: Atomic IP

TCP Mask: Ack,Fin,Rst,Syn

TCP Flags: Ack

Source Port Range: 80-80

Regex: [Hh][Tt][Tt][Pp][/][1][.][01][ \t][4][0][1]

Event Count: 25 <-not default

Event Count Key: Attacker and Victim Addresses

Alert Interval: 2 <-not default

What I would expect/hope to see is at least all 25 "atomic" packets which triggered the alarm. This doesn't seem to be the case however.

A string search through the pcap file (ethereal) for '401' finds only 5 hits...and all but one are separated by 5 or more seconds.

The very first packet in the pcap file matches the signature (i.e. it is a 401). Is the first packet in the pcap file the last packet that triggered the alarm?

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: What to expect with the "log pair" actions

In short, yes. Keep in mind logging is only started after the alert has fired, which in your case above would be AFTER we see the 25th packet in a 2sec period. Actually we will capture that 25th one as that is the TriggerPacket as you mentioned, plus whatever else occurs after that TriggerPacket, but we don't capture/log all 25 packets, simply because for the 1st to 24th packet the alert has not fired.

2 REPLIES
Gold

Re: What to expect with the "log pair" actions

That sucks... but it does make sense. I imagine it's not practical to start logging whenever the counter starts. It is really difficult to believe that in the 2 seconds prior to the capture there were 25 "401" responses... and only 1 every 5 seconds or so after.
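As an added illustration of the accepted answer above (this is not Cisco's code nor the sensor's real implementation), the following Python simulates the Event Count / Alert Interval firing logic keyed by attacker and victim addresses, and shows why a "log pair" capture begins at the 25th (trigger) packet rather than the first. The packet records, the 10.0.0.x addresses and the 401 payload are constructed; how long capture continues after the trigger is not stated in the thread and is assumed here to run to the end of the input.

```python
import re
from collections import defaultdict, deque

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # TCP header flag bits
TCP_MASK = ACK | FIN | RST | SYN   # "TCP Mask: Ack,Fin,Rst,Syn": flags the engine inspects
TCP_FLAGS = ACK                    # "TCP Flags: Ack": ACK set, FIN/RST/SYN clear
SRC_PORTS = range(80, 81)          # "Source Port Range: 80-80"
HTTP_401 = re.compile(rb"[Hh][Tt][Tt][Pp][/][1][.][01][ \t][4][0][1]")
RESP_401 = b"HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic\r\n\r\n"  # constructed

def matches(pkt):   # Atomic IP engine: a single packet is enough to match
    return (pkt["sport"] in SRC_PORTS and (pkt["flags"] & TCP_MASK) == TCP_FLAGS
            and HTTP_401.search(pkt["payload"]) is not None)

def run_log_pair(packets, event_count=25, alert_interval=2.0):
    """Return (trigger_index, logged_indices) for a time-ordered packet list.
    Matches are counted per attacker/victim address pair; the alert fires on the
    event_count-th match within alert_interval seconds, and "log pair" capture
    starts at that trigger packet (assumption: capture runs to end of input)."""
    recent = defaultdict(deque)   # (src, dst) -> timestamps of recent matches
    logging_pairs = set()         # address pairs whose packets are being captured
    trigger, logged = None, []
    for i, pkt in enumerate(packets):
        pair = frozenset((pkt["src"], pkt["dst"]))
        if pair in logging_pairs:             # both directions once capture is on
            logged.append(i)
        if not matches(pkt):
            continue
        window = recent[(pkt["src"], pkt["dst"])]
        window.append(pkt["ts"])
        while pkt["ts"] - window[0] > alert_interval:   # drop matches outside the interval
            window.popleft()
        if len(window) >= event_count and pair not in logging_pairs:
            trigger = i                       # the TriggerPacket is the first one captured
            logging_pairs.add(pair)
            logged.append(i)
            window.clear()                    # counter restarts after the alert fires
    return trigger, logged

def build_sample(spacing=0.02):
    """Constructed traffic: 25 '401' replies `spacing` s apart, then one every 5 s."""
    server, client = "10.0.0.80", "10.0.0.5"   # constructed addresses
    pkts = [dict(ts=spacing * n, src=server, dst=client, sport=80, flags=ACK,
                 payload=RESP_401) for n in range(25)]
    for n in range(1, 5):                      # sparse 401s later, each after a GET
        pkts.append(dict(ts=5.0 * n - 0.1, src=client, dst=server, sport=40000,
                         flags=ACK, payload=b"GET / HTTP/1.1\r\n\r\n"))
        pkts.append(dict(ts=5.0 * n, src=server, dst=client, sport=80, flags=ACK,
                         payload=RESP_401))
    return pkts
```

Run against the constructed burst, the capture holds the trigger packet plus the four later 401s, which is the five hits the original poster found in the pcap; spreading the same 25 replies over more than 2 seconds never fires the alert at all.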
