https://community.cisco.com/t5/network-security/dissecting-ips-logs-triggered-packets/m-p/514649#M98612 <P>How do i dissect the signature triggered packet captured from an IDS/IPS</P><P>eg:000010 08 00 45 00 02 0D C1 1D 00 00 80 06 79 92 AC 1C ..E.........y...</P><P>000020 04 0C 0A 05 44 0E B6 8F 00 19 1E 38 04 FE 6E 1F ....D......8..n.</P><P>000030 BC 0A 50 18 3E D6 B9 7E 00 00 31 20 31 38 36 39 ..P.&gt;..~..1 1869</P> Sun, 10 Mar 2019 09:57:56 GMT pratheesh.venu 2019-03-10T09:57:56Z https://community.cisco.com/t5/network-security/dissecting-ips-logs-triggered-packets/m-p/514649#M98612 <P>How do i dissect the signature triggered packet captured from an IDS/IPS</P><P>eg:000010 08 00 45 00 02 0D C1 1D 00 00 80 06 79 92 AC 1C ..E.........y...</P><P>000020 04 0C 0A 05 44 0E B6 8F 00 19 1E 38 04 FE 6E 1F ....D......8..n.</P><P>000030 BC 0A 50 18 3E D6 B9 7E 00 00 31 20 31 38 36 39 ..P.&gt;..~..1 1869</P> Sun, 10 Mar 2019 09:57:56 GMT https://community.cisco.com/t5/network-security/dissecting-ips-logs-triggered-packets/m-p/514649#M98612 pratheesh.venu 2019-03-10T09:57:56Z https://community.cisco.com/t5/network-security/dissecting-ips-logs-triggered-packets/m-p/514650#M98613 <HTML><HEAD></HEAD><BODY><P>The IP Logs page displays all IP logs that are available for downloading on the system. IP logs are generated in two ways: </P><P></P><P>When you turn on IP logging from Administration &gt; IP Logging </P><P></P><P>See Configuring IP Logging, for the procedure. </P><P></P><P>When you select log as the EventAction for a signature. </P><P></P><P>When the sensor detects an attack based on this signature, it creates an IP log. See Configuring Signatures Through Virtual Sensor Signature Configuration Mode, for more information</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/module_installation_and_configuration_guides_chapter09186a00801a0c2a.html" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/module_installation_and_configuration_guides_chapter09186a00801a0c2a.html</A></P></BODY></HTML> Tue, 11 Apr 2006 17:24:02 GMT https://community.cisco.com/t5/network-security/dissecting-ips-logs-triggered-packets/m-p/514650#M98613 mchin345 2006-04-11T17:24:02Z https://community.cisco.com/t5/network-security/dissecting-ips-logs-triggered-packets/m-p/514651#M98614 <HTML><HEAD></HEAD><BODY><P>Ethereal is a great tool to break it down, but it basically comes to learning TCP/IP really well. Pickup TCP/IP Illustrated Vol 1 by stevens and read it from start to finish, multiple times <span class="lia-unicode-emoji" title=":grinning_face_with_big_eyes:">😃</span> </P><P></P><P>45 00 02 0D C1 1D 00 00 80 06 79 92 AC 1C 04 0C 0A 05 44 0E</P><P></P><P>Is the IP header portion of the packet. You can tell its an ipv4 packet, and 20 bytes long. Also this is a tcp packet.</P><P></P><P>AC 1C 04 0C is the source IP 172.28.4.12</P><P>0A 05 44 0E is the destination 10.5.68.14</P><P></P><P>The tcp header follows with:</P><P>B6 8F 00 19 1E 38 04 FE 6E 1F BC 0A 50 18 3E D6 B9 7E 00 00 31 20 31 38 36 39</P><P></P><P>B6 8F is source port 46735</P><P>00 19 is dest port 25</P><P>1E 38 04 FE seq #</P><P>6E 1F BC 0A ack #</P><P></P><P>then its followed by your offset, flags, checksum etc... </P><P></P><P>hope that helps.</P><P></P></BODY></HTML> Wed, 12 Apr 2006 20:27:18 GMT https://community.cisco.com/t5/network-security/dissecting-ips-logs-triggered-packets/m-p/514651#M98614 shawn.posthumus 2006-04-12T20:27:18Z https://community.cisco.com/t5/network-security/dissecting-ips-logs-triggered-packets/m-p/514652#M98615 <HTML><HEAD></HEAD><BODY><P>SANS produces a great TCP/IP reference card. Download, print, and keep handy. It'll help you dissect the packet's various contents.</P><P></P><P><A class="jive-link-custom" href="http://sans.org/resources/tcpip.pdf" target="_blank">http://sans.org/resources/tcpip.pdf</A></P><P></P><P>If the card makes no sense to you, and you want a quick fix, I would suggest downloading Ethereal. Take the text trigger packet, and convert it to a pcap file using text2pcap.exe. Its included with Ethereal. Then load the file in Ethereal and it will break down the packet into its various elements for you.</P><P></P><P><A class="jive-link-custom" href="http://www.ethereal.com/" target="_blank">http://www.ethereal.com/</A></P></BODY></HTML> Thu, 13 Apr 2006 14:20:41 GMT https://community.cisco.com/t5/network-security/dissecting-ips-logs-triggered-packets/m-p/514652#M98615 npham 2006-04-13T14:20:41Z