
New Member

TurnOn iplog@CLI, 4.1 sensor

I would like to turn on IP logging for a particular signature from the command line interface (CLI) of a 4.1 sensor.

One of my reasons for wanting to do this is that sometimes it is necessary to turn on iplog for a “short” while. It is quite a long process to have to change the configuration, generate and deploy it from the VMS server. I would like to be able to just quickly grab some data for inspection. I am aware that you can do this from the prompt per source IP address:

Eg. ids# iplog 0 x.x.x.x packets ??

Can the same be done, for instance, for the destination or the signature ID? Is it possible to change the signature behaviour to iplog via the CLI?

1 REPLY
Cisco Employee

Re: TurnOn iplog@CLI, 4.1 sensor

You can do both manual and automatic (signature triggered) IP Logging from the CLI.

For manual IP Logging you use the "iplog" command you mentioned in your post. The IP address used could have been the attacker IP address from an alarm, or the victim IP address from an alarm, or even an address that you've never seen in an alarm. There is no linkage to a specific alarm so you get to decide. The iplog command will capture all packets to and from the IP address you designate for the criteria (time, packets, bytes) that you specified.

For automatic IP Logging (signature triggered IP Logging) you would follow these steps:

1) configure terminal

2) service virtual-sensor-configuration virtualSensor

3) tune-micro-engines

4) show settings | include <SigID>

Replacing <SigID> with the SigID you are interested in. For example: "show settings | include 2004"

5) From the output determine which signature engine the signature belongs to.

For example the previous command output is:

ATOMIC.ICMP
-----------------------------------------------
signatures (min: 0, max: 1000, current: 14)
-----------------------------------------------
SIGID: 2004
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------

So the Engine is ATOMIC.ICMP.

6) Enter the Engine Name to enter the mode for that Engine (type ? to see the list of engines)

7) Enter "signatures SigId <SigID> SubSig <SubSigID>"

Generally subsigid will be 0, but could be another number (look in your event viewer).

8) Enter "EventAction log" to turn on automatic IP logging for that signature.

NOTE: Other actions may also be added using the "|" character between actions like "log|reset"

9) Exit back to configure terminal mode

10) When exiting you will be prompted to save and apply your configuration. Enter Y or Yes.

For automatic IP Logging the sensor will IP Log all of the packets to and from the Attacker IP Address when the alarm fires.

If using IDS MC, the next time IDS MC pushes down a configuration it will likely overwrite this configuration modification. So like you said this would be a temporary method for doing IP Logging on a signature in your situation.
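Step 5 above is the only manual lookup in the procedure: reading the "show settings | include" output to find which engine owns the SigID. The following helper is an added example (not part of the original reply or of the Cisco sensor software) that does that lookup over pasted output, and shows why exact matching matters: "include 2004" is a substring filter, so a SigID such as 20040 under another engine also appears in the output. The sample output below is constructed to mirror the shape shown in the reply (engine header, dashed separators, "signatures (...)" and "SIGID:" lines); the engine names and counts are illustrative.

```python
"""Map a signature ID to its micro-engine from 'show settings | include <SigID>' output.

Added example, not from the original post. Assumes the output keeps the shape shown
in the reply: an ENGINE.NAME header line, dashed separators, a 'signatures (...)'
line and indented 'SIGID: <n>' lines belonging to the most recent engine header.
"""
import re

# Constructed sample (not captured from a sensor): what 'show settings | include 2004'
# could print when the substring filter also matches SigID 20040 in a second engine.
SAMPLE_OUTPUT = """\
ATOMIC.ICMP
-----------------------------------------------
   signatures (min: 0, max: 1000, current: 14)
   -----------------------------------------------
      SIGID: 2004
      -----------------------------------------------
STRING.TCP
-----------------------------------------------
   signatures (min: 0, max: 1000, current: 9)
   -----------------------------------------------
      SIGID: 20040
      -----------------------------------------------
"""

# Engine headers look like ATOMIC.ICMP: upper-case tokens joined by dots, alone on a line.
ENGINE_RE = re.compile(r"^[A-Z][A-Z0-9]*(?:\.[A-Z0-9]+)+$")
SIGID_RE = re.compile(r"^SIGID:\s*(\d+)$")


def engines_for_sigid(output: str, sigid: int) -> list[str]:
    """Return the engine names under which exactly <sigid> appears, in output order.

    An empty list means the SigID was not found (e.g. a typo in the include filter,
    or the ID belongs to no tunable engine on this sensor version).
    """
    engines: list[str] = []
    current = None                      # engine header most recently seen
    for raw in output.splitlines():
        line = raw.strip()              # indentation carries no meaning for us
        if ENGINE_RE.match(line):
            current = line              # a new engine section starts here
            continue
        m = SIGID_RE.match(line)
        # Compare as integers so the substring hit 20040 is not mistaken for 2004.
        if m and int(m.group(1)) == sigid and current and current not in engines:
            engines.append(current)
    return engines


if __name__ == "__main__":
    print(engines_for_sigid(SAMPLE_OUTPUT, 2004))    # the engine to enter in step 6
```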
