Dissecting IPS logs (triggered packets)

pratheesh.venu
Level 1

How do I dissect the signature-triggered packet captured from an IDS/IPS?

e.g.:

000010 08 00 45 00 02 0D C1 1D 00 00 80 06 79 92 AC 1C ..E.........y...
000020 04 0C 0A 05 44 0E B6 8F 00 19 1E 38 04 FE 6E 1F ....D......8..n.
000030 BC 0A 50 18 3E D6 B9 7E 00 00 31 20 31 38 36 39 ..P.>..~..1 1869

3 Replies

mchin345
Level 6

The IP Logs page displays all IP logs that are available for downloading on the system. IP logs are generated in two ways:

When you turn on IP logging from Administration > IP Logging

See Configuring IP Logging, for the procedure.

When you select log as the EventAction for a signature.

When the sensor detects an attack based on this signature, it creates an IP log. See Configuring Signatures Through Virtual Sensor Signature Configuration Mode, for more information.

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/module_installation_and_configuration_guides_chapter09186a00801a0c2a.html

shawn.posthumus
Level 1

Ethereal is a great tool to break it down, but it basically comes down to learning TCP/IP really well. Pick up TCP/IP Illustrated Vol. 1 by Stevens and read it from start to finish, multiple times =)

45 00 02 0D C1 1D 00 00 80 06 79 92 AC 1C 04 0C 0A 05 44 0E

is the IP header portion of the packet. You can tell it's an IPv4 packet, and 20 bytes long. Also, this is a TCP packet.

AC 1C 04 0C is the source IP 172.28.4.12

0A 05 44 0E is the destination 10.5.68.14

The TCP header follows with:

B6 8F 00 19 1E 38 04 FE 6E 1F BC 0A 50 18 3E D6 B9 7E 00 00 31 20 31 38 36 39

B6 8F is source port 46735

00 19 is dest port 25

1E 38 04 FE is the seq #

6E 1F BC 0A is the ack #

Then it's followed by your offset, flags, checksum, etc.

Hope that helps.

npham
Level 1

SANS produces a great TCP/IP reference card. Download, print, and keep handy. It'll help you dissect the packet's various contents.

http://sans.org/resources/tcpip.pdf

If the card makes no sense to you, and you want a quick fix, I would suggest downloading Ethereal. Take the text trigger packet and convert it to a pcap file using text2pcap.exe; it's included with Ethereal. Then load the file in Ethereal and it will break down the packet into its various elements for you.

http://www.ethereal.com/
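For readers who want to do the dissection in the walk-through above programmatically, rather than by hand or by converting with text2pcap and loading Ethereal, here is an added example (editor's code, not from any of the posters or from Cisco). It parses the offset-prefixed hex dump format from the question, decodes the IPv4 and TCP headers the same way the reply above does, verifies the IPv4 header checksum, and flags that the logged packet is truncated. The sample input is the question's own three dump lines; locating the IP header by searching for EtherType 0x0800 is an assumption made because the posted dump begins part-way through the link-layer header. Python 3.6 or later is assumed.

```python
# Added example (not from the thread): decode the IPS trigger-packet hex dump
# into IPv4/TCP fields, verify the IPv4 header checksum, and flag truncation.
import re
import struct

# Constructed input: the three dump lines from the question. It starts at offset
# 0x10, part-way through the link-layer header; the leading 08 00 is the IPv4
# EtherType and the IP header begins right after it.
TRIGGER_DUMP = """\
000010 08 00 45 00 02 0D C1 1D 00 00 80 06 79 92 AC 1C ..E.........y...
000020 04 0C 0A 05 44 0E B6 8F 00 19 1E 38 04 FE 6E 1F ....D......8..n.
000030 BC 0A 50 18 3E D6 B9 7E 00 00 31 20 31 38 36 39 ..P.>..~..1 1869
"""

TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS")


def parse_hexdump(text):
    """Return (first_offset, data) from an 'offset  xx xx ...  ascii' dump.
    Reads at most 16 hex bytes per line and stops at the first non-hex token so
    the ASCII gutter is never mis-read as data. Offsets must be contiguous: a
    line lost in copy-paste raises instead of silently shifting every field."""
    first_offset, data = None, bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not re.fullmatch(r"[0-9A-Fa-f]{4,8}", tokens[0]):
            continue  # not a dump line
        offset = int(tokens[0], 16)
        if first_offset is None:
            first_offset = offset
        elif offset != first_offset + len(data):
            raise ValueError(f"gap in dump at offset {offset:#x}")
        for tok in tokens[1:17]:
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                break  # reached the ASCII gutter
            data.append(int(tok, 16))
    return first_offset, bytes(data)


def ones_complement_sum(buf):
    """RFC 1071 checksum of big-endian 16-bit words; 0 means the buffer verifies."""
    if len(buf) % 2:
        buf += b"\x00"
    total = sum(struct.unpack(f"!{len(buf) // 2}H", buf))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def find_ipv4_start(data):
    """Heuristic for dumps that begin mid-frame (an assumption of this example):
    the IPv4 header follows EtherType 0x0800 and starts with version nibble 4."""
    for i in range(len(data) - 2):
        if data[i:i + 2] == b"\x08\x00" and data[i + 2] >> 4 == 4:
            return i + 2
    raise ValueError("no IPv4 header found")


def decode_ipv4(buf):
    (ver_ihl, _tos, total_len, ident, _frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "ihl": ihl, "total_length": total_len,
            "id": ident, "ttl": ttl, "protocol": proto, "checksum": csum,
            # summing the header including its checksum field gives 0 when valid
            "checksum_ok": ones_complement_sum(buf[:ihl]) == 0,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}


def decode_tcp(buf):
    (sport, dport, seq, ack, off_flags,
     window, csum, urg) = struct.unpack("!HHIIHHHH", buf[:20])
    doff = (off_flags >> 12) * 4  # data offset in bytes; 0x50 -> 20, no options
    flags = off_flags & 0x01FF    # nine flag bits, FIN is bit 0
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": doff, "window": window, "checksum": csum, "urgent": urg,
            "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
            "payload": buf[doff:]}


def dissect(dump_text):
    """Parse a trigger-packet dump into IP/TCP fields plus a truncation flag."""
    _offset, data = parse_hexdump(dump_text)
    ip_start = find_ipv4_start(data)
    ip = decode_ipv4(data[ip_start:])
    result = {"ip": ip}
    if ip["protocol"] == 6:  # TCP
        result["tcp"] = decode_tcp(data[ip_start + ip["ihl"]:])
    # The sensor logs only the first bytes of the packet; IP total length says
    # how long it really was. The TCP checksum covers the whole segment, so it
    # cannot be verified from a truncated log; only the IP header one is checked.
    result["truncated"] = ip["total_length"] > len(data) - ip_start
    return result


if __name__ == "__main__":
    r = dissect(TRIGGER_DUMP)
    ip, tcp = r["ip"], r["tcp"]
    print(f"IPv{ip['version']} {ip['src']} -> {ip['dst']} proto={ip['protocol']} "
          f"ttl={ip['ttl']} total_len={ip['total_length']} hdr_csum_ok={ip['checksum_ok']}")
    print(f"TCP {tcp['sport']} -> {tcp['dport']} flags={'+'.join(tcp['flags'])} "
          f"seq={tcp['seq']:#x} ack={tcp['ack']:#x} payload={tcp['payload']!r}")
    print(f"truncated={r['truncated']}")
```

Two things the script surfaces that the manual walk-through leaves implicit: the IP total length field (0x020D, 525 bytes) is far larger than the 46 bytes of IP datagram actually logged, so the sensor captured only the start of the packet, and since the TCP checksum covers the whole segment it cannot be verified from a truncated trigger log, whereas the IP header checksum (0x7992) can be recomputed and does verify. The 0x5018 word after the acknowledgment number decodes to a 20-byte TCP header with the PSH and ACK flags set.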
