Diagnostic Commands and Tools


Diagnostic commands and tools are very easy to use on Sensor. These commands and tools provide much meaningful information on the sensor for troubleshooting issues that range from easy to complex. In the following section, you work with some of the most important commands for troubleshooting any sensor-related issue. It is important to become familiar with these commands.

show Commands

show commands in Sensor are used to find out the statistics and state information of the sensor applications, configurations, version, and so on. These commands are very useful tools and quite handy for troubleshooting sensor issues. Some of the most frequently show commands are as follows outlined in the sections that follow.

show version

The show version command provides the information about different applications that go into making the sensor. It's important that all these applications are running for the sensor to function completely. If one of the applications dies, the output of this command will provide this information. Additionally, the show version command also provides the information of the latest version the sensor is running, disk and memory usage, and upgrade history, as shown in Example 14-1.

Example 14-1. show version Output from IPS 5.x Sensor

sensor# show version Application Partition: Cisco Intrusion Prevention System, Version 5.0(1)S149.0 OS Version 2.4.26-IDS-smp-bigphys Platform: IDS-4235 ! The following line shows the serial number of the sensor Serial Number: CGTWJ11 ! The following line shows this sensor is not licensed No license present Sensor up-time is 24 days. Using 782422016 out of 923549696 bytes of available memory (84% usage) system is using 17.3M out of 29.0M bytes of available disk space (59% usage) application-data is using 31.2M out of 174.7M bytes of available disk space (19%   usage) boot is using 40.5M out of 75.9M bytes o.f available disk space (56% usage) application-log is using 530.5M out of 2.8G bytes of available disk space (20% usage) ! It is expected that CLI process will not be running. However, the other two ! processes must be running for the proper functioning of the sensor. MainApp         2005_Mar_04_14.23   (Release)   2005-03-04T14:35:11-0600   Running AnalysisEngine  2005_Mar_04_14.23   (Release)   2005-03-04T14:35:11-0600   Running CLI             2005_Mar_04_14.23   (Release)   2005-03-04T14:35:11-0600 Upgrade History:   IDS-K9-maj-5.0-1-    22:16:00 UTC Thu Mar 04 2004 Recovery Partition Version 1.1 - 5.0(1)S149 sensor# 

show configuration

The show configuration command is used to check the current configuration of the sensor. To get the specific information from the sensor configuration, use the pipe (|) with begin, exclude or include to filter the information that you want to get. For instance if you want to see the allowed hosts configured on the sensor, execute the command shown in Example 14-2.

Example 14-2. show configuration Command Displaying Only the Allowed Host Configuration

sensor# show configuration | include access-list accessList ipAddress 10.0.0.0 netmask 255.0.0.0 accessList ipAddress 172.16.0.0 netmask 255.255.0.0 sensor# 

show events

The show events command is one of the most useful commands for troubleshooting issues on a sensor, in particular, alarm-related issues. Without any other arguments, this command displays alarms and errors in real time. However, to retrieve from the database the alarms or errors that were stored in the past, there are different arguments, which are found by executing the show events ? command on the sensor. Example 14-3 shows the events written to the sensor database for the past 30 minutes.

Example 14-3. Output for show events Command for Past 30 Minutes

sensor# show events past 00:30:00 evStatus: eventId=1111026292731744312 vendor=Cisco   originator:     hostId: sensor     appName: mainApp     appInstanceId: 4255   time: 2005/04/10 00:02:07 2005/04/09 16:02:07 UTC   controlTransaction: command=getVersion successful=true     description: Control transaction response.     requestor:       user: cids       application:         hostId: 10.1.1.50         appName: -cidcli         appInstanceId: 5589 --MORE Sensor# 

To clear the events from the EventStore, execute the clear events command.

show statistics service

The show statistics service command is used to view statistics for the designated service. These statistics are useful in identifying problems pertaining to the designated services.

Example 14-4 shows the list of available services and the statistics that can be obtained using this command.

Example 14-4. Available Services and Statistics that Can Be Obtained with show statistics Command

sensor# show statistics ? analysis-engine        Display analysis engine statistics. authentication         Display authentication statistics. denied-attackers       Display denied attacker statistics. event-server           Display event server statistics. event-store            Display event store statistics. host                   Display host statistics. logger                 Display logger statistics. network-access         Display network access controller statistics. notification           Display notification statistics. sdee-server            Display SDEE server statistics. transaction-server     Display transaction server statistics. transaction-source     Display transaction source statistics. virtual-sensor         Display virtual sensor statistics. web-server             Display web server statistics. sensor# show statistics 

Example 14-5 shows the statistics of Authentication application.

Example 14-5. Statistics of Authentication Application

sensor# show statistics authentication General    totalAuthenticationAttempts = 37    failedAuthenticationAttempts = 0 sensor# 

While troubleshooting issues with any of the applications, it's important to clear the counters of the application to see the statistics for a specific time interval. Example 14-6 shows the statistics of the authentication application and how to clear the statistics with the clear option on the show statistics command.

Example 14-6. Clearing Statistics of Authentication Application

sensor# show statistics authentication clear General    totalAuthenticationAttempts = 37    failedAuthenticationAttempts = 0 ! The above command shows the statistics of the authentication application and also ! clear the counters at the same time. The following command output verifies that ! the counters are reset to zero. sensor# show statistics authentication General    totalAuthenticationAttempts = 0    failedAuthenticationAttempts = 0 sensor# 

show interfaces

The most useful information of the output of the show interfaces command enables you to identify different interfaces, their status, and counter information. Example 14-7 shows the output of show interface command for Command and Control interface.

Example 14-7. show interfaces Command Output from IPS 5.x

sensor# show interfaces gigabitEthernet0/1 MAC statistics from interface GigabitEthernet0/1 ! Media Type TX indicates that this is a Command and Control Interface    Media Type = TX ! You need to ensure that the Link Status shows up    Link Status = Up    Link Speed = Auto_100    Link Duplex = Auto_Full ! You should see packets and bytes received on this interface if there is any ! activity    Total Packets Received = 5662817    Total Bytes Received = 438650587    Total Multicast Packets Received = 12    Total Receive Errors = 0    Total Receive FIFO Overruns = 0    Total Packets Transmitted = 506540    Total Bytes Transmitted = 125982450    Total Transmit Errors = 0    Total Transmit FIFO Overruns = 0 sensor# 

show tech-support

The show tech-support command captures all status and configuration information on the sensor. The command allows the information to be transferred to a remote system. The output can be very large, approximately 1 MB. The output includes the current configuration, version information, and cidDump (the following section contains more information on this topic) information. show tech-support can be obtained from the sensor for troubleshooting purposes either via the CLI or by using IDM. With CLI, after logging into sensor using an admin account, you can execute the following command to get the tech-support information

show tech-support [page] [password] [destination-url destination-url] 


Example 14-8 shows how to generate and place the tech-support output of the sensor into an FTP server using the relative path of user csidsuser.

Example 14-8. Generating and Transferring the show tech-support File to the Relative Directory of User in FTP Server

sensor# show tech-support destination-url ftp://csidsuser@10.1.1.40/reports/   sensorReport.html password:******* 

Example 14-9 shows how to transfer the tech-support output to the user absolute directory path.

Example 14-9. Generating and Transferring the show tech-support File to the Absolute Directory of User in FTP Server

sensor# show tech-support destination-url ftp://csidsuser@10.1.1.40//absolute/reports/sensorReport.html password:******* 

You can view the show tech-support output page by page with the following command:

Sensor# show tech-support page 


The system information appears on the screen, one page at a time. Press the spacebar to view the next page or press Ctrl-C to return to the prompt.

To leave passwords and other security information in the output of the show tech-support, use the following command:

Sensor# show tech-support password 


You can also generate the tech-support file from the sensor using IDM. To do that, click on Monitoring > Support Information > System Information within IDM.

cidDump Script

If you cannot log in to the sensor with the administrator account to the CLI or IDM, you will not be able to collect the show tech-support output. But, with the service account, you can log in to the sensor and collect the cidDump.

Work through the following steps to run the cidDump script:

Step 1.

Log in to the sensor service account.

Step 2.

Switch the service user to root with the "su " command using the service account password.

Step 3.

Type the /usr/cids/idsRoot/bin/cidDump command. This will generate the cidDump.html file.

Step 4.

Compress the resulting /usr/cids/idsRoot/log/cidDump.html file with the following command:

gzip /usr/cids/idsRoot/log/cidDump.html 


Step 5.

You can analyze this resulting HTML file offline or send it to the Cisco Support team for an in-depth analysis.

tcpdump command

tcpdump is the command available on Linux shell. This allows you to see if the interfaces of the sensor are receiving the traffic. This can also be used for signature fidelity issues, or to validate a false positive or false negative traffic. The output of the tcpdump can be analyzed by another sensor using tcpdump or a pcap decoder such as Ethereal. Example 14-10 shows and explains how to use the tcpdump command on the sensor after logging in with the service account.

Example 14-10. Using tcpdump on the Sensor After Logging in With Service Account

login: service Password: Last login: Wed Aug 4 20:25:50 from 10.21.88.88 ***NOTICE*** ! Output removed bash-2.05a$ su - Password: [root@sensor root]# ! Execute command ifconfig a to identify the sniffing interface. The sniffing ! interface does not have an IP address bound to it. ! Following line shows Sensor is capturing GigabitEthernet0/0 interface traffic ! which is the sniffing interface -bash-2.05b#tcpdump -i ge0_0 -bash-2.05b# ! Following line shows how to capture and save the traffic into a pcap file format ! so that you can read it offline by another Sensor or network analyzer. The filter ! in the following line can be replaced by any filtering criteria, for example src ! for source address. -bash-2.05b# tcpdump i ge0_0 w myFileName.pcap [filter] ! Once you are done with capturing, you need to execute the following Ctrl + C ! Once the pcap file is generated, you can read it either via a packet capture ! software (for example Ethereal) or you can use tcpdump to open it up on the same ! or different sensor as follows. -bash-2.05b#tcpdump r myFilename.pcap 

More details about the tcpdump can be found from the following location:

http://www.ethereal.com/docs/man-pages/tcpdump.8.html

http://www.tcpdump.org/tcpdump_man.html

iplog

iplog can be used instead of tcpdump, and iplog has several advantages. If you need to capture binary traffic over a period of time for a specific signature, tcpdump is not a very useful tool, as tcpdump is for real-time traffic. The iplog file captures the binary packets, and these binary packets are written in a common format most commonly referred to as the libpcap format, and as tcpdump files. The libpcap format files can be read by most sniffer programs (for example, Ethereal). The IP Log data is stored in a sort of circular logging buffer, which means that when the buffer is full, the oldest IP log data is overwritten by the newest IP Log data. More details on iplog can be found at the following location:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids11/cliguide/cliiplog.htm

packet Command

You can display or capture live traffic from an interface and have the live traffic or a previously captured file to display on the screen. Storage is available for one local file only; subsequent capture requests overwrite an existing file. The size of the storage file varies depending on the platform. Even though capturing live traffic off the interface does not disrupt any of the functionality of the sensor, it can cause significant performance degradation. Example 14-11 summarizes the usage of the packet command.

Example 14-11. Using the packet Command on the Sensor

! To display the live traffic on the Sensor, log in to the sensor using an account with ! administrator or operator privileges. Following command shows how to display the ! live traffic on the interface GigabitEthernet0/1 sensor# packet display GigabitEthernet0/1 ! You can use the expression option to limit what you display, for example, only TCP ! packets. sensor# packet display GigabitEthernet0/1 verbose expression ip proto \\tcp ! To display information about the packet file execute the following command. sensor# packet display file-info ! Instead of using the display, you can capture the live traffic and save it into a ! file which can be displayed later with the display argument. Only one capture is ! possible at a time. ! To capture the live traffic on the interface GigabitEthernet0/1 execute the ! following command sensor# packet capture GigabitEthernet0/1 ! To view this captured file, you can use the display argument as follows. sensor# packet display packet-file ! packet-file can be transferred to an FTP or SCP server for offline analysis sensor# copy packet-file scp://cisco@10.1.1.100/analysis/ ! If you want to erase the packet-file, use the following command. sensor# erase packet-file sensor# 



Cisco Network Security Troubleshooting Handbook
Cisco Network Security Troubleshooting Handbook
ISBN: 1587051893
EAN: 2147483647
Year: 2006
Pages: 190
Authors: Mynul Hoda

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net