how to filter a specific packet type?

Istvan kelemen
Level 1

Hey,

I would like to know if an ACL could filter a specific packet type or unique packet ID. How does it work? Let's say I have some captured packets, how do I filter some of them?

For example: I want to stop Meterpreter from opening a session. I've analyzed the packets and there were 2 ACK values, 1 and 399.

I've successfully stopped Meterpreter from opening a session between the attacker machine and the victim by using: "deny tcp any any ack log" on the outside interface, but I'm unsure about how it works.

Will it stop only Meterpreter or..?


cadet alain
VIP Alumni

Hi,

No, it will filter all TCP packets with the ACK bit set. You should use an IDS or FPM to stop this program.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6723/prod_white_paper0900aecd80633b0a.html

Regards

Alain

Don't forget to rate helpful posts.
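
Added example, not part of the original reply: a simplified Python model of what the `ack` keyword in `deny tcp any any ack` tests, run over a constructed session. All ports, sequence and acknowledgment numbers are made-up sample values and the function names are hypothetical; it shows that the match is on the ACK flag bit, so every segment after the initial SYN is denied regardless of its acknowledgment number.

```python
import struct

# TCP flag bits (RFC 9293)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

def build_tcp_header(sport, dport, seq, ack_no, flags):
    """Build a 20-byte TCP header for sample data (checksum left at 0)."""
    offset_and_flags = (5 << 12) | flags   # data offset 5 words + flag bits
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack_no,
                       offset_and_flags, 65535, 0, 0)

def parse_tcp_header(raw):
    """Extract the fields relevant here from a raw TCP header."""
    sport, dport, seq, ack_no, offset_and_flags = struct.unpack("!HHIIH", raw[:14])
    return {"sport": sport, "dport": dport, "seq": seq,
            "ack_no": ack_no, "flags": offset_and_flags & 0x3F}

def ack_keyword_matches(raw):
    """Simplified model of the 'ack' keyword: true when the ACK flag bit is
    set. The acknowledgment number is never examined."""
    return bool(parse_tcp_header(raw)["flags"] & ACK)

# Constructed sample session (ports and sequence numbers are made up).
# Acknowledgment numbers 1 and 399 echo the values from the question.
SESSION = [
    ("client SYN",        build_tcp_header(49152, 443, 0,   0,      SYN)),
    ("server SYN-ACK",    build_tcp_header(443, 49152, 0,   1,      SYN | ACK)),
    ("client ACK",        build_tcp_header(49152, 443, 1,   1,      ACK)),
    ("client data",       build_tcp_header(49152, 443, 1,   1,      PSH | ACK)),
    ("server data",       build_tcp_header(443, 49152, 1,   399,    PSH | ACK)),
    ("unrelated session", build_tcp_header(50000, 80, 7000, 123456, ACK)),
    ("client FIN-ACK",    build_tcp_header(49152, 443, 399, 800,    FIN | ACK)),
]

def evaluate(session):
    """Return (label, ack_no, verdict) for each segment under the deny entry."""
    results = []
    for label, raw in session:
        hdr = parse_tcp_header(raw)
        verdict = "deny" if ack_keyword_matches(raw) else "no match"
        results.append((label, hdr["ack_no"], verdict))
    return results

if __name__ == "__main__":
    for label, ack_no, verdict in evaluate(SESSION):
        print(f"{label:18} ack_no={ack_no:<7} {verdict}")
```
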

Any idea how to export a specific packet from a Wireshark capture and how to copy it to the router?

Hello,

That is the thing. It is not that easy (I wish it were like that).

As Alain suggested, you will need to enable an advanced feature that allows you to specify traffic patterns and then match and drop them. For that you have various options:

- Flexible Packet Matching
- NBAR (if the protocol is supported)
- Layer 7 inspection with an IOS firewall
- A signature with a specific IPS/IOS IPS.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC