iplog question

I have my whole external IP range specified to be monitored. This includes a PAT address of the firewall, where all the internal users' internet access comes out of. I would like to watch for attacks originating from my IP range; that is why I left the PAT address in the range to be monitored. But under /usr/nr/var/iplog/new I am getting tons of iplogs for this PAT address. My question is: does an iplog get generated for every connection initiated? Or is one just supposed to get generated on a connection that is detected as an attack? I have set filtering to filter out all connections from any internal IP to any external IP for LOW and MEDIUM signatures. This way Event Viewer still shows the HIGH attacks coming out of the PAT address.

Re: iplog question

When you say:

"i have my whole external ip range specified to be monitored."

Do you mean that you have these addresses designated as your Protected Networks (designated with the RecordOfInternalAddress token in packetd.conf)?

Or do you mean that you have these addresses designated as addresses for IP Logging (designated with the RecordOfLogAddress token in packetd.conf)?

If you mean the second, then a packet log file will be generated for all packets to and from each address in your network. So in effect you would be capturing all packets going out of and coming into your network. I do not recommend this, since the sensor is not designed to log that many packets.

If you are referring to the first, then realize that the Protected Networks (RecordOfInternalAddress token) has no effect on IP Logging (other than having the keyword IN used for a RecordOfExcludedPattern token to keep an alarm from firing).

The way Automatic IP Logging for a specific signature works:

The user sets the action for the signature to IPLOG (or an action combination with IPLOG).

When the signature is about to fire it will check against any exclusions to determine whether or not the signature should create an alarm for the addresses of the connection.

If no alarm is generated then no IPLOG should be created.

If the alarm is generated (even if it only gets logged in the sensor's alarm log file and isn't sent to CSPM), then an IPLOG will be created for ALL packets to and from the Source Address of the alarm.

It doesn't capture just the packets from the specific connection, or even just the packets between the two addresses, but instead captures ALL packets to and from the source address of the alarm.

The capturing continues for as long as the MinutesOfAutoLog token in packetd.conf has been configured.

So if you set a signature to the IPLOG action, and it fired with the PAT address as the source address, then ALL packets with the PAT address as the source IP and all packets with the PAT address as the destination IP are being logged into an IPLOG file for the PAT IP address.

Re: iplog question

I have it set in CSPM as Protected Network. I want to see some signatures for the PAT address, such as HIGH events. So what I did is, in the Filtering Tab, I filtered out all LOW and MEDIUM events with the option 'Exclude alarms from any Internal IP' to 'Exclude alarms to any External IP'. This way only HIGH events are reported to Event Viewer for the PAT address. I also put the PAT address as Never Block. But if I go down into /usr/nr/var/iplog/new on the sensor I see lots of logs for the PAT address. I thought that if I set it to filter out certain signatures in CSPM, an IPLOG wouldn't be generated. If this is true then I don't know what is causing the sensor to log so many IPLOGs for the PAT address.

If I look in packetd.conf I see at the top: RecordOfInternalAddress

If I do a 'nrgetbulk 10008 1 RecordOfLogAddress' I get 'not set'

I think what might be happening is that a HIGH event is detected coming from the PAT address, and in packetd.conf the 'MinutesOfAutoLog' is set to '60', so it records all traffic coming from the PAT for 60 minutes, and this is why there are so many IPLOGs for the PAT. Please correct me if I am wrong.

If this is right, can I just do an 'Epilogue' command in CSPM to set this down to something like 5 minutes?

Re: iplog question

I believe your analysis is correct.

It is likely the High Level event with the PAT as the source address that is causing the IPLOGGING to be done.

And you should be able to use the Epilogue to set the MinutesOfAutoLog down to 5.

There will wind up being two lines in packetd.conf (one for 60 and one for 5), but the last line in packetd.conf should wind up being the actual time used.
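The two mechanisms discussed above, the automatic IP logging rule (IPLOG action plus a non-excluded alarm captures ALL packets to and from the alarm's source address for MinutesOfAutoLog) and the last-line-wins handling of a duplicated MinutesOfAutoLog token after an Epilogue, are modelled below. This is an added example written for this thread, not code or configuration from the sensor or from any poster. The one-token-per-line "Token value ..." layout of packetd.conf, the RecordOfInternalAddress start/end pair, the PAT address 198.51.100.1, the signature names and all traffic are constructed assumptions; only the token names and the described behaviour come from the thread.

```python
"""Model of the IPLOG behaviour described in the thread (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed packetd.conf fragment. The "Token value ..." layout is an
# assumption. The Epilogue has appended a second MinutesOfAutoLog line.
PACKETD_CONF = """\
RecordOfInternalAddress 198.51.100.0 198.51.100.255
MinutesOfAutoLog 60
MinutesOfAutoLog 5
"""


def parse_packetd_conf(text):
    """Return {token: [value-lists ...]} in file order so last-wins can apply."""
    tokens = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *values = line.split()
        tokens.setdefault(name, []).append(values)
    return tokens


def minutes_of_autolog(tokens):
    """Duplicated token: the last line in the file is the value actually used."""
    values = tokens.get("MinutesOfAutoLog")
    return int(values[-1][0]) if values else None


def internal_ranges(tokens):
    """Treat each RecordOfInternalAddress 'start end' pair as an inclusive range."""
    return [(int(ip_address(lo)), int(ip_address(hi)))
            for lo, hi in tokens.get("RecordOfInternalAddress", [])]


def is_internal(ip, ranges):
    n = int(ip_address(ip))
    return any(lo <= n <= hi for lo, hi in ranges)


@dataclass(frozen=True)
class Packet:
    t_min: float  # minutes since start of the trace
    src: str
    dst: str


@dataclass(frozen=True)
class Alarm:
    t_min: float
    signature: str
    severity: str  # LOW / MEDIUM / HIGH
    src: str
    dst: str


def alarm_excluded(alarm, ranges, filtered=("LOW", "MEDIUM")):
    """The poster's CSPM filter: drop LOW/MEDIUM alarms from internal to external."""
    return (alarm.severity in filtered
            and is_internal(alarm.src, ranges)
            and not is_internal(alarm.dst, ranges))


def auto_iplog(alarms, packets, actions, ranges, minutes):
    """Return {alarm: captured packets}. The alarm must carry IPLOG and survive
    exclusions; then ALL packets to or from the alarm's source address are
    captured for `minutes`, not just the offending connection."""
    captured = {}
    for alarm in alarms:
        if "IPLOG" not in actions.get(alarm.signature, ()):
            continue
        if alarm_excluded(alarm, ranges):
            continue  # no alarm fired, so no IPLOG is created
        end = alarm.t_min + minutes
        captured[alarm] = [p for p in packets
                           if alarm.t_min <= p.t_min < end
                           and alarm.src in (p.src, p.dst)]
    return captured


def demo(minutes=None):
    """Replay constructed PAT traffic against one LOW and one HIGH alarm."""
    tokens = parse_packetd_conf(PACKETD_CONF)
    ranges = internal_ranges(tokens)
    if minutes is None:
        minutes = minutes_of_autolog(tokens)  # 5 after the Epilogue, not 60
    pat = "198.51.100.1"  # constructed PAT address inside the protected range
    # Constructed traffic: one ordinary outbound connection per minute from the
    # PAT to a different outside host for 90 minutes, plus one inbound packet.
    packets = [Packet(t, pat, f"203.0.113.{t % 200 + 1}") for t in range(90)]
    packets.append(Packet(3, "192.0.2.9", pat))
    alarms = [Alarm(0, "SIG-LOW", "LOW", pat, "203.0.113.77"),
              Alarm(0, "SIG-HIGH", "HIGH", pat, "203.0.113.42")]
    actions = {"SIG-LOW": ("IPLOG",), "SIG-HIGH": ("IPLOG",)}
    return auto_iplog(alarms, packets, actions, ranges, minutes)
```

Running `demo(minutes=60)` captures 61 packets for the HIGH alarm (every outbound connection in the hour plus the unrelated inbound packet) and nothing for the filtered LOW alarm; `demo()` picks up the last MinutesOfAutoLog line and captures 6. That difference is the pile of files under /usr/nr/var/iplog/new the poster saw.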

Re: iplog question

thank you.

