1101-Unknown IP Proto, bug and anyone seen?

pbobby
Level 1

Have been seeing this signature recently (for the first time ever, mind you).

According to the description it occurs whenever the protocol field is greater than 133.

VMS reports the source IP as 0.194.132.65, like that.

Also getting various No Initial Frag and Incomplete Datagram signatures too, although not enough information to know if they are connected.

Now for the bug:

I have set CapturePacket (love this setting) to True for this signature, but it doesn't capture the packet :(

4 Replies

darin.marais
Level 4

As far as I am aware the sensor will not capture the first packet of an IP address set during auto-iplog. The first event will start the auto-iplog for that IP address set (src and dst), and only the next event will trigger packet capture, so if there is only one event, then no packets will be captured. You will require at least 2 events.

I seem to remember reading this somewhere, so I only think the theory is correct; however, if there is someone on the list that has some documentation links that explain exactly how it works, feel free to post them.

That used to be true, but beginning with version 4.x the initial packet is now captured in the iplog.

The initial packet can also be attached directly to the alarm with the capture trigger packet feature.

I am not sure why this is not working for the signature in question.

You may want to verify what your signature settings are on the sensor itself.

Could be your change in IDS MC didn't make it to the sensor.

You may also want to try iplogging to see if it works.

If neither works then ensure you are running the latest service pack 4.1(4). (Nothing changed in this area of code, but it is always best to try the latest when trying to debug the problem).

If you still don't have any luck, then contact the TAC. You may have found a bug we were not aware of.

If you are seeing a lot of these alarms, then in a worst case scenario you could login using the service account. Then switch to user root, and run tcpdump to monitor the same port (this is now allowed with the 4.1(4) service pack) and use tcpdump's filters to look for the specific IP address in the alarm.

Marco,

please could you post a URL where one could read more about enabling and using the capture trigger packet feature.

There are 2 steps for dealing with the trigger packet.

Step 1 is to tune the signature and set CapturePacket to True.

Step 2 is to view the trigger packet when the alert fires.

To configure it in IDM follow the steps according to this link:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap3.htm#31460

In Step 4 set the CapturePacket parameter to True

Similar steps are also available for IDS MC. I just don't know of a specific link to point to.

To view the trigger packet in IEV:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap6.htm#1789

With IEV you can view a hexadecimal and ASCII representation of the packet, or if you have ethereal loaded you can have the trigger packet loaded into the ethereal viewer and be able to view detailed analysis of the packet.

The hexadecimal and ASCII view of the packet can also be seen in the "show events" command in the sensor CLI, or in the show events output of IDM.

To view events in the CLI:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/cmdref/15599ch2.htm#379622

To view events in IDM:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap4.htm#860304

If, after you view the packet through the CLI or IDM, you want to be able to view even more detailed analysis of the packet, then do the following.

Copy the trigger packet from the CLI or IDM events output, and paste it into a file on your desktop.

Next run text2pcap to convert the hexadecimal and ascii representation into a libpcap file.

The libpcap file can then be opened using ethereal for detailed analysis.

NOTE: text2pcap is a utility that is included in most ethereal installations.

If you are using Security Monitor (VMS) for viewing the alarms, then there is not currently a method within SecMon for viewing the trigger packet. You will need to use either IEV, the CLI, or IDM to view the trigger packet.

This feature is being added in a future version of Security Monitor (I am not sure when).
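As an added illustration (not from the thread, Cisco, or the text2pcap tool itself), the hex-dump-to-libpcap step described above together with the 1101 condition pbobby quoted (protocol field greater than 133), done by hand in Python. The dump format, the constructed sample packet and the choice of LINKTYPE_RAW are assumptions of this example.

```python
"""Rebuild a trigger packet from a hex/ASCII dump, apply the 1101 check and
write a libpcap file (what text2pcap does) for analysis in Ethereal/Wireshark."""
import struct
import time

# Constructed sample, not real sensor output.  Assumed layout: "offset: hex
# words", optional ASCII column after two spaces, dump starting at the IP
# header.  Protocol byte is 0x86 = 134, above the signature's 133 threshold.
SAMPLE_DUMP = """\
0000: 4500 0014 abcd 0000 4086 1234 c0a8 0105  E......@........
0010: c0a8 0106                                ....
"""

LINKTYPE_RAW = 101            # pcap link type: frames begin at the IP header
UNKNOWN_PROTO_THRESHOLD = 133  # from the 1101 signature description quoted above


def parse_hexdump(text):
    """Rebuild packet bytes from an offset/hex/ASCII dump (assumed format)."""
    out = bytearray()
    for line in text.splitlines():
        if ":" not in line:
            continue
        hex_part = line.split(":", 1)[1].split("  ", 1)[0]  # drop ASCII column
        out += bytes.fromhex(hex_part.replace(" ", ""))
    return bytes(out)


def ip_protocol(pkt):
    """Return the IPv4 protocol field, or None if the header is not sane."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    return pkt[9]


def is_unknown_ip_proto(pkt):
    """The 1101 condition as the thread states it: protocol field > 133."""
    proto = ip_protocol(pkt)
    return proto is not None and proto > UNKNOWN_PROTO_THRESHOLD


def to_pcap(pkt, ts=0):
    """Serialise one packet as a libpcap v2.4 capture (global header + record)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    record = struct.pack("<IIII", ts, 0, len(pkt), len(pkt))
    return header + record + pkt


if __name__ == "__main__":
    pkt = parse_hexdump(SAMPLE_DUMP)
    print("protocol", ip_protocol(pkt), "fires 1101:", is_unknown_ip_proto(pkt))
    with open("trigger.pcap", "wb") as f:
        f.write(to_pcap(pkt, int(time.time())))
```

Open the resulting trigger.pcap in Ethereal or Wireshark; a dump that includes the Ethernet header instead would need link type 1 in place of LINKTYPE_RAW.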