01-21-2010 04:55 AM - edited 03-10-2019 04:52 AM
Hello,
Is it possible to turn on and dictate the length of packet decodes on the sensor?
For example I do not get a decode for invalid netbios name(3357), but do for Windows Image color Management (6984).
example:
context:
fromAttacker:
000000 0E 30 00 00 00 00 00 00 02 00 00 00 01 00 01 00 .0..............
000010 00 00 00 00 00 00 20 07 67 40 63 00 65 30 6E 00 ...... .g@c.e0n.
000020 74 00 6C 00 79 00 20 00 75 00 01 00 00 04 00 00 t.l.y. .u.......
000030 00 00 20 07 4B C8 00 30 0F 30 00 00 00 00 00 00 .. .K..0.0......
000040 02 00 00 00 0B 00 01 00 00 00 00 00 00 00 20 07 .............. .
000050 4B C8 00 30 0F 30 00 00 00 00 00 00 02 00 00 00 K..0.0..........
000060 0B 00 01 00 00 00 00 00 00 00 20 07 4B C8 00 30 .......... .K..0
000070 0F 30 00 00 00 00 00 00 02 00 00 00 0B 00 01 00 .0..............
000080 00 00 00 00 00 00 20 07 4B C8 00 30 0F 30 00 00 ...... .K..0.0..
000090 00 00 00 00 02 00 00 00 0B 00 01 00 00 04 00 00 ................
0000A0 00 00 20 07 4B C8 00 30 08 30 00 00 00 00 00 00 .. .K..0.0......
0000B0 02 00 00 00 01 00 01 00 00 00 00 00 00 00 20 07 .............. .
0000C0 4B C8 00 30 0F 30 00 00 00 00 00 00 02 00 00 00 K..0.0..........
0000D0 0B 00 01 00 00 00 00 00 00 00 20 07 4B C8 00 30 .......... .K..0
0000E0 0F 30 00 00 00 00 00 00 02 00 00 00 0B 00 01 00 .0..............
0000F0 00 00 00 00 00 00 20 07 6F 40 64 00 65 30 3A 00 ...... .o@d.e0:
fromTarget:
000000 73 65 3F 73 65 73 73 69 6F 6E 69 64 3D 43 46 30 se?sessionid=CF0
000010 32 42 30 31 39 41 49 44 5F 30 30 30 30 30 35 33 2B019AID_0000053
000020 32 38 30 30 35 30 30 30 30 30 30 30 30 26 63 61 2800500000000&ca
000030 73 65 69 64 3D 35 30 34 39 38 34 26 63 61 73 65 seid=504984&case
000040 74 72 61 6E 73 66 65 72 66 6C 61 67 3D 59 0D 0A transferflag=Y..
000050 41 63 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A Accept-Language:
000060 20 65 6E 2D 67 62 0D 0A 41 63 63 65 70 74 2D 45 en-gb..Accept-E
000070 6E 63 6F 64 69 6E 67 3A 20 67 7A 69 70 2C 20 64 ncoding: gzip, d
000080 65 66 6C 61 74 65 0D 0A 55 73 65 72 2D 41 67 65 eflate..User-Age
000090 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 nt: Mozilla/4.0
0000A0 28 63 6F 6D 70 61 74 69 62 6C 65 3B 20 4D 53 49 (compatible; MSI
0000B0 45 20 36 2E 30 3B 20 57 69 6E 64 6F 77 73 20 4E E 6.0; Windows N
0000C0 54 20 35 2E 31 3B 20 53 56 31 3B 20 47 54 42 36 T 5.1; SV1; GTB6
0000D0 29 0D 0A 48 6F 73 74 3A 20 31 30 2E 32 33 32 2E )..Host: 10.232.
0000E0 31 36 2E 37 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 16.7..Connection
0000F0 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 0D 0A : Keep-Alive....
Some alerts also warrant a larger capture, for example web attacks, to correctly false positive the traffic.
Any help would be gratefully received.
BTW can I view IPS events from the CLI on the unit?
Thanks
Mark
01-21-2010 09:07 AM
There are two types of packet captures on the IPS Sensors. The one you may be looking at is included in the alert. This is set by selecting the "produce-verbose-alert" option on the associated signature. There are no further options for this method of packet capture.
The second way of performing packet captures is the "log-attacker-packets" and "log-victim-packets" (select these as a pair). They will create a PCAP file on the sensor with X number of packets captured. X is settable on a global basis for all signature captures (not on a sig by sig basis).
You can see alerts on the CLI with these commands:
show events alert past 01:00 (to see alerts for the past hour + current alerts as they roll in)
- Bob
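As an added example (not code from the thread), a small Python parser for the fromAttacker/fromTarget context dump that the verbose alert embeds, fed with an excerpt of the dump posted in the question above. It rebuilds the raw bytes per direction, refuses dumps whose offsets are not contiguous (a sign the copy was truncated or re-wrapped), and splits the target side on CRLF so the HTTP headers can be read when triaging the alert.

```python
import re
from typing import Dict, List

# Excerpt of the verbose-alert context dump from the question above:
# 6-digit offset, 16 hex bytes, then an ASCII column (which may contain spaces).
SAMPLE_CONTEXT = """\
context:
fromAttacker:
000000 0E 30 00 00 00 00 00 00 02 00 00 00 01 00 01 00 .0..............
000010 00 00 00 00 00 00 20 07 67 40 63 00 65 30 6E 00 ...... .g@c.e0n.
fromTarget:
000000 73 65 3F 73 65 73 73 69 6F 6E 69 64 3D 43 46 30 se?sessionid=CF0
000010 32 42 30 31 39 41 49 44 5F 30 30 30 30 30 35 33 2B019AID_0000053
000020 32 38 30 30 35 30 30 30 30 30 30 30 30 26 63 61 2800500000000&ca
000030 73 65 69 64 3D 35 30 34 39 38 34 26 63 61 73 65 seid=504984&case
000040 74 72 61 6E 73 66 65 72 66 6C 61 67 3D 59 0D 0A transferflag=Y..
000050 41 63 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A Accept-Language:
"""

# Match the offset and 1..16 hex byte tokens; parsing by token count rather than
# by column position survives spaces inside the ASCII column (e.g. " .g@c").
LINE_RE = re.compile(r"^([0-9A-Fa-f]{6})((?:\s+[0-9A-Fa-f]{2}){1,16})(?=\s|$)")

def parse_context(text: str) -> Dict[str, bytes]:
    """Return {'fromAttacker': bytes, 'fromTarget': bytes} rebuilt from the dump.
    Raises ValueError when a line is unparseable or an offset is not contiguous."""
    streams: Dict[str, bytearray] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "context:":
            continue
        m = LINE_RE.match(line)
        if m is None and line.endswith(":"):      # section header, e.g. "fromTarget:"
            current = line[:-1]
            streams[current] = bytearray()
            continue
        if m is None or current is None:
            raise ValueError(f"unparseable dump line: {line!r}")
        offset = int(m.group(1), 16)
        if offset != len(streams[current]):
            raise ValueError(f"{current}: offset {offset:#x}, expected {len(streams[current]):#x}")
        streams[current].extend(bytes.fromhex("".join(m.group(2).split())))
    return {name: bytes(buf) for name, buf in streams.items()}

def header_lines(payload: bytes) -> List[str]:
    """Split a captured HTTP fragment on CRLF so each request line/header is readable."""
    return [part.decode("latin-1") for part in payload.split(b"\r\n") if part]
```

Both directions in the original post run from offset 000000 to 0000F0, i.e. 256 bytes each, which is the fixed size Bob refers to; anything beyond that needs the log-attacker-packets/log-victim-packets PCAP instead.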
01-25-2010 02:12 AM
Hi Bob,
Thank you for your reply.
It's really helped.
Thanks
Mark