Cisco Support Community
New Member

Signatures and the CapturePacket parameter

"Captures the offending packet", seems like this is 'off' by default.

Does anyone know where this packet is stored if I were to turn it on?

If I do a 'show events' from the probe, and trigger the signature, I see the packet included in the event as "triggerpacket". But from that point on, not sure where to get it.

Not only do I use VMS, but I also use NSM, and the triggerpacket is not 'pulled' from the probe. Not sure if it's pulled by VMS either.

1 REPLY
Cisco Employee

Re: Signatures and the CapturePacket parameter

The trigger packet is automatically encoded and placed as a field within the alert.

The alert is then placed in the EventStore of the sensor where it can be queried by VMS, and other viewers.

So how do you get a look at the packet?

You could download and install IEV and Ethereal.

IEV can pull the event and will decode the trigger packet into a libpcap format. It can then launch Ethereal for you to look at the packet.

If you don't want to load IEV, you can also access the trigger packet through "show events" on the sensor.

When you see the alarm in your viewer make note of the time of the alarm and the severity of the alarm and the ID of the alarm.

When you go to the sensor execute the "show events" command with the "alert " and a time a few seconds before the alarm fired.

Example: show events alert high 13:45:10 Jan 1 2004

Then look for the alert with the same eventId as in your viewer. At the bottom of the alert you will see the attached trigger packet.

On the left side will be the hex version of the packet, and on the right will be the ASCII representation of the hex packet (a period will be used for nonprintable characters).

It does not try to decode the headers of the packet, so it can be difficult to determine where the data of the packet begins.

If the decode done by the CLI is not enough for you, then you can still take this output and use Ethereal.

Copy the trigger packet from your CLI session and paste it into a text file on your computer.

Save the file.

Now run the program "text2pcap" to convert the hex-based trigger packet to a libpcap file.

NOTE: text2pcap is a program included in most distributions of Ethereal.

You can now use Ethereal to load the pcap file.

----------------------

The Trigger Packet works well for IEV where the viewing of the packet has been integrated into the alarm viewer. It will eventually be integrated into the other viewers created by Cisco (and hopefully viewers from other companies pulling events from Cisco IDS sensors).

The other option is to use IP Logging (the "log" action on the signature). The IP Log also contains the trigger packet of the signature.

The IP Log is stored in a libpcap format on the sensor in special files. The IP Log cannot be directly accessed on the sensor, but the user can use the copy command on the sensor to download an IP Log from the sensor to their ftp (or scp) server.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/cmdref/15599ch2.htm#377910

Or download the file from within IDM:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap4.htm#860259

Once downloaded, the file can be read directly by Ethereal.

-------------------

Where to download Ethereal:

http://www.ethereal.com/

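Added example (not from the original thread, not Cisco code): the reply's "copy the hex dump, convert it with text2pcap, open it in Ethereal" procedure done by hand in Python, so the two things the CLI does not do for you are covered: turning the hex/ASCII columns back into bytes, and decoding the Ethernet/IPv4/TCP headers far enough to see where the packet's data begins. The dump below is a constructed, hand-built frame (checksum on the TCP header left as zero), and its column layout is an assumption about what "show events" prints; the parser only relies on an offset column followed by two-digit hex bytes. The pcap writer emits the classic libpcap format (link type 1, Ethernet), the same format IEV and the sensor IP logs produce.

```python
import re
import struct

# Constructed sample of a "show events" trigger packet as it would appear on
# the sensor CLI: offset, hex bytes, ASCII with '.' for non-printables.
# Assumed layout; the bytes are a hand-built Ethernet/IPv4/TCP frame carrying
# an HTTP request (TCP checksum left as zero).
SAMPLE_TRIGGER_PACKET = """\
0000  00 11 22 33 44 55 66 77 88 99 aa bb 08 00 45 00  .."3DUfw......E.
0010  00 44 00 01 00 00 40 06 af 00 0a 00 00 01 c0 a8  .D....@.........
0020  01 0a 04 00 00 50 00 00 00 01 00 00 00 00 50 18  .....P........P.
0030  20 00 00 00 00 00 47 45 54 20 2f 63 67 69 2d 62   .....GET /cgi-b
0040  69 6e 2f 74 65 73 74 20 48 54 54 50 2f 31 2e 30  in/test HTTP/1.0
0050  0d 0a                                            ..
"""

_HEX_BYTE = re.compile(r'^[0-9a-fA-F]{2}$')


def parse_hex_dump(text, bytes_per_line=16):
    """Turn a CLI hex/ASCII dump into raw packet bytes.

    Only the hex column is used: reading stops at the first token that is not
    exactly two hex digits, and never takes more than bytes_per_line bytes
    from one line, so an ASCII token such as 'ab' is only a risk on a short
    final line. The offset column is checked against the running byte count
    to catch lines dropped or duplicated while copying from the terminal.
    """
    out = bytearray()
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        try:
            offset = int(tokens[0].rstrip(':'), 16)
        except ValueError:
            continue  # not a dump line (e.g. a label such as 'triggerPacket')
        if offset != len(out):
            raise ValueError('offset %#x does not match %d bytes read so far; '
                             'a line is missing or duplicated' % (offset, len(out)))
        for tok in tokens[1:1 + bytes_per_line]:
            if not _HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def locate_payload(pkt):
    """Decode Ethernet/IPv4 and TCP or UDP headers just enough to report
    addresses, ports and the offset at which application data starts."""
    if len(pkt) < 34 or struct.unpack('!H', pkt[12:14])[0] != 0x0800:
        raise ValueError('expected an Ethernet frame carrying IPv4')
    ip_off = 14
    ihl = (pkt[ip_off] & 0x0F) * 4          # IPv4 header length from IHL nibble
    proto = pkt[ip_off + 9]
    src = '.'.join(str(b) for b in pkt[ip_off + 12:ip_off + 16])
    dst = '.'.join(str(b) for b in pkt[ip_off + 16:ip_off + 20])
    l4_off = ip_off + ihl
    sport = dport = None
    if proto == 6:                          # TCP: length from the data-offset nibble
        sport, dport = struct.unpack('!HH', pkt[l4_off:l4_off + 4])
        l4_len = (pkt[l4_off + 12] >> 4) * 4
        name = 'TCP'
    elif proto == 17:                       # UDP: fixed 8-byte header
        sport, dport = struct.unpack('!HH', pkt[l4_off:l4_off + 4])
        l4_len = 8
        name = 'UDP'
    else:                                   # other protocols: data follows IP
        l4_len = 0
        name = 'IP proto %d' % proto
    return {'protocol': name, 'src': src, 'dst': dst, 'sport': sport,
            'dport': dport, 'ip_offset': ip_off, 'l4_offset': l4_off,
            'payload_offset': l4_off + l4_len}


def build_pcap(packets, ts_sec=0):
    """Serialise packets into a classic libpcap file (link type 1, Ethernet).
    ts_sec can be set to the alarm time noted from the viewer."""
    cap = bytearray(struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, pkt in enumerate(packets):
        cap += struct.pack('<IIII', ts_sec + i, 0, len(pkt), len(pkt))
        cap += pkt
    return bytes(cap)


if __name__ == '__main__':
    pkt = parse_hex_dump(SAMPLE_TRIGGER_PACKET)
    info = locate_payload(pkt)
    print('%(protocol)s %(src)s:%(sport)s -> %(dst)s:%(dport)s, '
          'payload starts at offset %(payload_offset)d' % info)
    print(pkt[info['payload_offset']:])
    with open('trigger.pcap', 'wb') as f:   # open this file in Ethereal
        f.write(build_pcap([pkt]))
```

The offset check is the part worth keeping even if you stay with text2pcap: a line lost while copying from a terminal session silently shifts every later byte, and Ethereal will then decode garbage without complaining.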