03-20-2013 12:01 AM - edited 03-11-2019 06:16 PM
Hey,
I would like to know if an ACL can filter a specific packet type or a unique packet ID. How does it work? Let's say I have some captured packets; how do I filter some of them?
For example: I want to stop Meterpreter from opening a session. I've analyzed the packets and there were 2 ACK values, 1 and 399.
I've successfully stopped Meterpreter from opening a session between the attacker machine and the victim by using "deny tcp any any ack log" on the outside interface, but I'm unsure about how it works.
Will it stop only Meterpreter or..?
03-20-2013 02:51 AM
Hi,
No, it will filter all TCP packets with the ACK bit set. You should use an IDS or FPM to stop this program.
Regards
Alain
Don't forget to rate helpful posts.
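To make Alain's point concrete, here is an added example (not part of the thread, and not Cisco code) that models how the IOS extended-ACL keywords `ack` and `established` match, run over a constructed packet trace. The addresses, ports and the packet sequence are assumptions; the trace contains a Meterpreter-style reverse TCP connection from the victim to a handler on port 4444 and an ordinary HTTPS session from the same host. Because every TCP segment after the initial SYN carries the ACK bit, "deny tcp any any ack" denies both conversations equally.

```python
"""Model of Cisco IOS extended-ACL matching for the `ack` and `established`
keywords, applied to a constructed packet trace.  Added example; the
addresses, ports and packet sequence are assumptions, not from the thread."""

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset        # TCP flag names, e.g. {"SYN"} or {"PSH", "ACK"}
    label: str              # which conversation the packet belongs to


@dataclass
class Ace:
    """One access-control entry: <permit|deny> tcp <src> <dst> [ack|established]."""
    action: str                       # "permit" or "deny"
    src: str = "any"
    dst: str = "any"
    qualifier: Optional[str] = None   # None, "ack" or "established"

    def matches(self, p: Packet) -> bool:
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.qualifier == "ack":
            # The `ack` keyword matches any segment with the ACK bit set.
            return "ACK" in p.flags
        if self.qualifier == "established":
            # `established` matches segments with ACK or RST set.
            return bool(p.flags & {"ACK", "RST"})
        return True


def evaluate(acl, p: Packet) -> str:
    """First matching ACE wins; IOS ACLs end with an implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


def tcp_session(client, cport, server, sport, label):
    """Three-way handshake plus two data segments; only the first SYN lacks ACK."""
    return [
        Packet(client, cport, server, sport, frozenset({"SYN"}), label),
        Packet(server, sport, client, cport, frozenset({"SYN", "ACK"}), label),
        Packet(client, cport, server, sport, frozenset({"ACK"}), label),
        Packet(client, cport, server, sport, frozenset({"PSH", "ACK"}), label),
        Packet(server, sport, client, cport, frozenset({"PSH", "ACK"}), label),
    ]


# Constructed trace (assumed addresses): a reverse TCP connection from the
# victim to an attacker's handler on 4444, plus a normal HTTPS session.
ATTACKER, VICTIM, WEB = "203.0.113.5", "192.0.2.10", "198.51.100.20"
TRACE = (tcp_session(VICTIM, 49152, ATTACKER, 4444, "meterpreter")
         + tcp_session(VICTIM, 49153, WEB, 443, "https"))

# The poster's ACL: "deny tcp any any ack log" followed by a permit.
ACK_ACL = [Ace("deny", qualifier="ack"), Ace("permit")]

# A conventional stateless ACL for comparison: allow only return traffic.
ESTABLISHED_ACL = [Ace("permit", qualifier="established"), Ace("deny")]


def denied_counts(acl, trace=TRACE) -> dict:
    """Number of packets the ACL denies, per conversation label."""
    counts = {}
    for p in trace:
        if evaluate(acl, p) == "deny":
            counts[p.label] = counts.get(p.label, 0) + 1
    return counts


if __name__ == "__main__":
    # Expected: the `ack` ACL denies 4 of 5 packets in BOTH conversations;
    # only the bare SYNs get through, so nothing beyond the handshake works.
    print("deny ack  ->", denied_counts(ACK_ACL))
    print("established ->", denied_counts(ESTABLISHED_ACL))
```

The output shows why the ACL "worked" against Meterpreter: it breaks every TCP connection through that interface, including the HTTPS session, since nothing in the TCP header distinguishes the two flows. Matching the session itself needs payload inspection (FPM, NBAR, a firewall or IPS signature), as the replies below say.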
03-20-2013 01:36 PM
Any idea how I export a specific packet from a Wireshark capture and how to copy it to the router?
03-20-2013 03:31 PM
Hello,
That is the thing. It is not that easy (I wish it were like that).
As Alain suggested, you will need to enable an advanced feature that allows you to specify traffic patterns and then match and drop them. For that you have various options:
-Flexible Packet Matching
-NBAR (if the protocol is supported)
-Layer 7 inspection with an IOS firewall
-A signature with a specific IPS/IOS IPS.
Regards