04-05-2006 02:27 AM - edited 03-10-2019 01:57 AM
How do i dissect the signature triggered packet captured from an IDS/IPS
e.g.:
000010 08 00 45 00 02 0D C1 1D 00 00 80 06 79 92 AC 1C ..E.........y...
000020 04 0C 0A 05 44 0E B6 8F 00 19 1E 38 04 FE 6E 1F ....D......8..n.
000030 BC 0A 50 18 3E D6 B9 7E 00 00 31 20 31 38 36 39 ..P.>..~..1 1869
04-11-2006 10:24 AM
The IP Logs page displays all IP logs that are available for downloading on the system. IP logs are generated in two ways:
When you turn on IP logging from Administration > IP Logging
See Configuring IP Logging, for the procedure.
When you select log as the EventAction for a signature.
When the sensor detects an attack based on this signature, it creates an IP log. See Configuring Signatures Through Virtual Sensor Signature Configuration Mode, for more information.
04-12-2006 01:27 PM
Ethereal is a great tool to break it down, but it basically comes down to learning TCP/IP really well. Pick up TCP/IP Illustrated Vol. 1 by Stevens and read it from start to finish, multiple times =)
45 00 02 0D C1 1D 00 00 80 06 79 92 AC 1C 04 0C 0A 05 44 0E
is the IP header portion of the packet. You can tell it's an IPv4 packet, and 20 bytes long. Also, this is a TCP packet.
AC 1C 04 0C is the source IP 172.28.4.12
0A 05 44 0E is the destination 10.5.68.14
The TCP header follows with:
B6 8F 00 19 1E 38 04 FE 6E 1F BC 0A 50 18 3E D6 B9 7E 00 00 31 20 31 38 36 39
B6 8F is source port 46735
00 19 is dest port 25
1E 38 04 FE seq #
6E 1F BC 0A ack #
Then it's followed by your offset, flags, checksum, etc...
Hope that helps.
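A worked dissection of the dump in the question, as an added Python example (not code from the original thread): it strips the offset and ASCII columns, skips the two EtherType bytes (08 00) that precede the 45 00 where the IP header begins, parses the IPv4 and TCP headers the reply walks through, and verifies the IP header checksum so a wrong starting offset shows up immediately.

```python
import struct

# Hex dump from the original question, embedded here as the sample input.
DUMP = """\
000010 08 00 45 00 02 0D C1 1D 00 00 80 06 79 92 AC 1C ..E.........y...
000020 04 0C 0A 05 44 0E B6 8F 00 19 1E 38 04 FE 6E 1F ....D......8..n.
000030 BC 0A 50 18 3E D6 B9 7E 00 00 31 20 31 38 36 39 ..P.>..~..1 1869
"""

TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))

def dump_to_bytes(dump):
    """Keep the 16 hex columns of each line; drop the offset and ASCII columns."""
    raw = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        raw.extend(int(h, 16) for h in fields[1:17])
    return bytes(raw)

def ip_checksum_ok(header):
    """RFC 791 header checksum: one's-complement sum of all 16-bit words is 0xFFFF."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def dissect(dump, ip_offset=2):
    """Parse IPv4 + TCP headers. ip_offset (assumed 2 for this dump) skips the
    EtherType bytes 08 00 that end the link-layer header before 45 00."""
    raw = dump_to_bytes(dump)[ip_offset:]
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    ip = {"version": ver_ihl >> 4, "header_len": ihl, "total_length": total_len,
          "ttl": ttl, "protocol": proto, "checksum_ok": ip_checksum_ok(raw[:ihl]),
          "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}
    if proto != 6:  # only TCP is decoded further
        return {"ip": ip, "tcp": None, "payload": raw[ihl:]}
    sport, dport, seq, ack, off_flags, win, _tcsum, _urg = \
        struct.unpack("!HHIIHHHH", raw[ihl:ihl + 20])
    data_off = (off_flags >> 12) * 4  # data offset is in 32-bit words
    tcp = {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
           "header_len": data_off, "window": win,
           "flags": [name for bit, name in TCP_FLAGS if off_flags & bit]}
    return {"ip": ip, "tcp": tcp, "payload": raw[ihl + data_off:]}

if __name__ == "__main__":
    print(dissect(DUMP))
```

For this dump the result matches the reply above (172.28.4.12:46735 to 10.5.68.14:25, PSH+ACK) and the remaining six bytes are the SMTP payload "1 1869".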
04-13-2006 07:20 AM
SANS produces a great TCP/IP reference card. Download, print, and keep handy. It'll help you dissect the packet's various contents.
http://sans.org/resources/tcpip.pdf
If the card makes no sense to you, and you want a quick fix, I would suggest downloading Ethereal. Take the text trigger packet, and convert it to a pcap file using text2pcap.exe. It's included with Ethereal. Then load the file in Ethereal and it will break down the packet into its various elements for you.