RE: CISCO IDS Packet capture

From: Terence Runge (Terence.Runge_at_veritas.com)
Date: 04/08/04

    To: James Fields <jvfields@tds.net>, "Strand, John" <John.Strand@mms.gov>, focus-ids@securityfocus.com
    Date: Thu, 8 Apr 2004 11:03:54 -0700 
    
    

    I wrote this a while ago, hope it helps someone.

    The Cisco Secure Intrusion Detection Sensor (CSIDS) runs on a modified
    version of Redhat 7.3 Linux. The shell resembles IOS and is set as default
    for all users except "service".

    The service account uses bash and enables the user to run tcpdump after
    becoming the super-user and following the steps outlined in this document.
    Below, a typical session to access a root shell is shown.

    $ ssh -l service ids01

    bash-2.05a$ su -

    Password:

    [root@ids01 root]#

    Once you have logged in and become the root user, change directories to
    /etc/init.d. Note that the password for root is always identical to the
    service account password.

    In the /etc/init.d directory, the cids control script needs to be stopped
    before proceeding.

    **WARNING**

    Stopping cids turns off the intrusion detection function of the sensor. This
    will allow the user to run tcpdump but will not permit the concurrent
    operation of the signature based intrusion detection engine. You will need
    to restart the cids application before logging off.

    An example of the procedure follows.

    [root@ids01 /]# cd /etc/init.d

    Stop the intrusion detection engine.

    [root@ids01 init.d]# ./cids stop

    Shutting down CIDS: [ OK ]

    Remove cidmodcap: cidmodcap: Device or resource busy

    [FAILED]

    No XL card present*

    *This error can safely be ignored if you are running something other than a
    4250XL

    Once the engine has stopped, run ifconfig -a to check your network settings.

    Run ifup eth0 to prepare the eth0 interface for sniffing.

    Run tcpdump to get a raw dump of all traffic. By default, the sniffing
    interface is eth0.

    [root@ids01 init.d]# tcpdump -ln -i eth0

    Once you are done using tcpdump, start the intrusion detection engine with
    the cids control script.

    [root@ids01 init.d]# ./cids start

    [root@ids01 init.d]# ./cids status

    mainApp (pid 16879 16832 16813 16812 16809) is running...

    In order to terminate your session, exit from root...

    [root@ids01 init.d]# exit

    ...and logout

    -----Original Message-----
    From: James Fields [mailto:jvfields@tds.net]
    Sent: Tuesday, April 06, 2004 5:33 PM
    To: Strand, John; focus-ids@securityfocus.com
    Subject: Re: CISCO IDS Packet capture

    For each signature on a newer Cisco sensor, you have the ability to turn on
    and off the features called log, reset, and block. Log is the choice that
    causes it to capture. You then get the capture off the sensor using the web
    interface on the sensor. It will be in pcap format, readable with Ethereal
    or other analyzers that can read that format.

    ----- Original Message -----
    From: "Strand, John" <John.Strand@mms.gov>
    To: <focus-ids@securityfocus.com>
    Sent: Friday, April 02, 2004 9:35 AM
    Subject: CISCO IDS Packet capture

    >
    > Hello All,
    >
    > Does anyone know how to enable some level of packet capture and
    > logging on the CISCO IDS system (the newer version which interfaces
    > with CiscoWorks and can run on Win2K)? I have hunted through the
    > CISCO provided PDF's and they're a little on the light side. I also
    > have hit the usual suspects, google, CISCO groups, etc..
    >
    > Thanks in advance for any help.
    >
    >
    > js
    >

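The warning in Terence's post is that cids must be restarted before logging off, otherwise the sensor stays blind. As an added example (not part of the thread or of Cisco's software), the script below wraps the stop-cids / tcpdump / start-cids sequence so the engine is restarted even when tcpdump fails or the operator interrupts it; the function and variable names and the -c/-w tcpdump options are this example's own choices, while the /etc/init.d/cids path and the eth0 default come from the post.

```shell
#!/bin/sh
# Added example, not from the original post: run the stop-cids / tcpdump /
# start-cids sequence so the detection engine is restarted even if tcpdump
# fails or the operator hits Ctrl-C. Variable and function names and the
# -c/-w options are this example's own; the cids path and eth0 default
# come from the post.
CIDS_CTL="${CIDS_CTL:-/etc/init.d/cids}"   # cids control script
TCPDUMP="${TCPDUMP:-tcpdump}"              # tcpdump binary (overridable for testing)
SNIFF_IF="${SNIFF_IF:-eth0}"               # default sniffing interface

cids_restarted=0

# Start cids exactly once per capture, whichever code path gets here first.
restart_cids() {
    [ "$cids_restarted" -eq 1 ] && return 0
    cids_restarted=1
    "$CIDS_CTL" start
}

# capture_with_cids_paused OUTFILE COUNT
# Stops cids, saves COUNT packets from SNIFF_IF to OUTFILE (pcap format,
# readable in Ethereal/Wireshark), then restarts cids. Returns tcpdump's
# exit status; cids is restarted on every return path and on INT/TERM.
capture_with_cids_paused() {
    outfile=$1
    count=$2

    "$CIDS_CTL" stop || { echo "cids stop failed, not capturing" >&2; return 1; }
    cids_restarted=0

    # Restart cids if the shell exits or is interrupted before we finish.
    trap 'restart_cids; exit 130' INT TERM
    trap 'restart_cids' EXIT

    rc=0
    "$TCPDUMP" -ln -i "$SNIFF_IF" -c "$count" -w "$outfile" || rc=$?

    restart_cids
    trap - EXIT INT TERM
    return "$rc"
}

# Usage when run directly: ./capture.sh /var/tmp/ids01.pcap 1000
[ $# -ge 2 ] && capture_with_cids_paused "$1" "$2"
```

After the script returns, `./cids status` should again report mainApp running, as in the session above.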


