RE: CISCO IDS Packet capture

From: Chad R. Skipper (cskipper_at_cisco.com)
Date: 04/06/04

    To: "'Strand, John'" <John.Strand@mms.gov>, <focus-ids@securityfocus.com>
    Date: Tue, 6 Apr 2004 15:11:16 -0500


    3 options available:

    IP Logging - The sensor will capture the binary packets for a given address
    and store them in an IP Log file that can be downloaded and viewed by the
    user. The IP Logging capability can be triggered manually by specifying a
    particular IP address, or automatically when a signature triggers.

    Trigger Packet - The sensor can attach the trigger packet directly to the
    alarm. IEV can then be used to view the contents of the trigger packet
    (IEV passes the packet to ethereal for viewing).

    Tcpdump - Tcpdump has been loaded on the sensors. You will have to create
    a service account on the sensor to get access to the underlying Linux
    OS. Once logged into the service account then you can switch to user root
    (same password as the service account). You can run ifconfig -a to see
    which interface you want to sniff on. There is currently an issue with the
    sensor that the sensor can not monitor the same interface that tcpdump
    monitors. They use different methods to open the interface that are not
    compatible with the current driver. This will be corrected in the next
    sensor version. Until then you will need to shutdown the interface from
    the CLI, before attempting to run tcpdump on it. Once the interface has
    been shutdown then you will need to bring it up using ifconfig before
    running tcpdump on the interface. When you are done running tcpdump you
    will need to reboot the sensor to re-initialize the drivers, and then
    through the CLI you would need to do a "no shutdown" on the interface to
    get the sensor to start monitoring on it again. This is being corrected in
    the next sensor version, and the user will be able to run tcpdump on the
    same interface that is being monitored.

    ---------------------------

    Some doc links for IP Logging and Trigger Packet:

    Manual creation of IP Logs:
    IDM:
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap5.htm#987052
    CLI:
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/cmdref/15599ch2.htm#378251
    SecMon (VMS): Not currently supported. Use IDM or CLI.

    ---------------------------

    Automatic creation of IP Logs for a specific signature:
    IDM:
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap3.htm#526
    (step 4 of tuning built-in signatures you would select log for the
    EventAction)
    CLI:
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/cmdref/15599ch2.htm#5853
    (you would select the engine for that signature, then select that
    signature, then set EventAction to log)
    IDS MC (VMS):
    http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mgt_ids/idsmc12/ug/ch05.htm#893699
    (set the Action or EventAction to Log or IP Log - depending on software
    version)

    ---------------------------

    Downloading of IP Logs:
    IDM:
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap4.htm#860259
    CLI:
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/cmdref/15599ch2.htm#377910
    (you have to copy the iplog to your own ftp or scp server)
    SecMon (VMS): Not currently supported. Use IDM or CLI.

    -----------------------------

    Viewing of IP Logs:
    To view the IP Log download the IP Log and then open them using any packet
    viewer that understands libpcap formatted capture files (tcpdump, or
    ethereal are most commonly used).

    ------------------------------

    Configure Automatic attachment of trigger packet to alarm for a specific
    signature:
    IDM:
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap3.htm#526
    (step 4 of tuning built-in signatures you would select true for
    CapturePacket option)
    CLI:
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/cmdref/15599ch2.htm#5853
    (you would select the engine for that signature, then select that
    signature, then set CapturePacket to true)
    IDS MC:
    http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mgt_ids/idsmc12/ug/ch05.htm#893699
    (set CapturePacket to true - depending on software version)

    ------------------------------

    View trigger packet attached to alarm:
    IEV:
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap6.htm#1789
    SecMon (VMS): Not currently supported. Use IEV.

    Chad R. Skipper
    Software Engineer
    Cisco Systems

    -----Original Message-----
    From: Strand, John [mailto:John.Strand@mms.gov]
    Sent: Friday, April 02, 2004 7:36 AM
    To: focus-ids@securityfocus.com
    Subject: CISCO IDS Packet capture

    Hello All,

    Does anyone know how to enable some level of packet capture and logging on
    the CISCO IDS system (the newer version which interfaces with CiscoWorks and
    can run on Win2K)? I have hunted through the CISCO provided PDFs and they're
    a little on the light side. I also have hit the usual suspects, google,
    CISCO groups, etc.

    Thanks in advance for any help.

    js

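Chad's "Viewing of IP Logs" section above says a downloaded IP Log is a libpcap-format capture. The following Python is an added example (not from this thread, Cisco, or the sensor software) that validates such a file's global header and record framing and pulls the IPv4 endpoints out of each Ethernet frame, so a corrupted or partial FTP/SCP download is noticed before the log is handed to tcpdump or ethereal; the sample capture is constructed inline and is not a real sensor IP Log.

```python
import struct

PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # usec timestamps

def read_iplog(blob):
    """Parse an in-memory libpcap capture into (linktype, [records]); raise
    ValueError on a malformed or truncated file before it reaches tcpdump/ethereal."""
    if len(blob) < 24:
        raise ValueError("truncated global header")
    endian = PCAP_MAGICS.get(blob[:4])
    if endian is None:
        raise ValueError("not a libpcap file (magic %s)" % blob[:4].hex())
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", blob[4:24])
    if (major, minor) != (2, 4):
        raise ValueError("unexpected pcap version %d.%d" % (major, minor))
    records, off = [], 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        sec, usec, caplen, origlen = struct.unpack(endian + "IIII", blob[off:off + 16])
        if caplen > snaplen or caplen > origlen:
            raise ValueError("inconsistent lengths at offset %d" % off)
        data = blob[off + 16:off + 16 + caplen]
        if len(data) != caplen:
            raise ValueError("truncated packet data at offset %d" % off)
        records.append({"ts": sec + usec / 1e6, "caplen": caplen, "origlen": origlen, "data": data})
        off += 16 + caplen
    return linktype, records

def ipv4_endpoints(frame):
    """(src, dst) dotted quads for an Ethernet/IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    return ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))

# Constructed sample data below (hypothetical, not a real sensor IP Log).
def _frame(src, dst):  # Ethernet + bare 20-byte IPv4 header, checksum left 0
    ip = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6, 0, 0])
    ip += bytes(map(int, src.split("."))) + bytes(map(int, dst.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip

def build_pcap(frames):  # little-endian pcap 2.4, snaplen 65535, linktype 1 (Ethernet)
    out = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1081276800 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_IPLOG = build_pcap([_frame("192.0.2.10", "198.51.100.5"),
                           _frame("198.51.100.5", "192.0.2.10")])
```

Running `read_iplog` over `SAMPLE_IPLOG` yields linktype 1 and two records whose endpoints mirror each other; any truncated or foreign file raises ValueError instead of silently opening.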
