IP logging is normally done when a signature is triggered by malicious packet traffic. The log files can then be copied to an FTP server and analyzed with other networking analysis tools. This section covers two commands that deal with the IP logging features of the IDS 4.0.
The iplog command enables the sensor to start logging IP packets manually on an interface group. The command supports several options that you can use to filter which packets are logged and to limit how long they are recorded. The following syntax shows the two forms of the command:
```
iplog group-id ip-address [duration minutes] [packets numPackets] [bytes numBytes]
no iplog log-id
```
Table 8.6 lists the iplog command options and explains their functions.
| Option | Function |
|---|---|
| group-id | Group ID to begin and end logging on. Currently, there is only one interface group, group 0. |
| ip-address | Defines which specified IP address is logged. |
| minutes | Defines the duration the logging should be active, in minutes. (The default is 10 minutes.) |
| numPackets | Total number of packets to log. (The default is 1000 packets.) |
| numBytes | Total number of bytes to log. |
| log-id | Used with no to stop a particular logging session. You can retrieve the log ID using the iplog-status command. |
The following example displays how to manually enable the logging of IP address 10.1.9.11 on interface group 0:
```
sensor# iplog 0 10.1.9.11
Logging started for group 0, IP address 10.1.9.11, Log ID 1969
Warning: IP Logging will affect system performance.
sensor#
```
Note: You use the iplog command to record traffic manually. You can also define signature actions that log traffic automatically when the signatures are triggered.
The iplog-status command displays a description of the available IP log contents and their status. The following output displays IP log files that can be uploaded to an FTP server and reviewed offline:
```
sensor# iplog-status
Log ID:      2425
IPAddress:   10.1.9.11
Group:       1
Status:      in-process
Start Time:  10:02:34 8/24/2001
Log ID       2342
IPAddress:   10.1.9.12
Group:       1
Status:      completed
Start Time:  23:34:02 7/1/2001
End Time:    23:44:02 7/1/2001
sensor#
```
When you look closely at the example, you can see that the iplog-status command shows details for two logging sessions: Log ID 2425, which is still in-process and therefore has no end time, and Log ID 2342, which has completed.
Use the copy command to upload the log files to the FTP server. You can then use programs such as Ethereal to analyze the IP packets offline.
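As an added example that is not part of the original text or of the IDS software, the following Python parser reads the iplog-status output shown above (reproduced here as a constructed sample), splits it into sessions, and computes how long each completed session ran, so that only finished logs are selected for upload. The field layout (one field per line, an optional colon after Log ID) and the timestamp format are assumptions taken from the output above.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample: the iplog-status output shown on this page, one field
# per line as the sensor prints it (note the Log ID line that lacks a colon).
SAMPLE_STATUS = """\
sensor# iplog-status
Log ID:      2425
IPAddress:   10.1.9.11
Group:       1
Status:      in-process
Start Time:  10:02:34 8/24/2001
Log ID       2342
IPAddress:   10.1.9.12
Group:       1
Status:      completed
Start Time:  23:34:02 7/1/2001
End Time:    23:44:02 7/1/2001
sensor#
"""

# Field name, optional colon, value.  Prompt lines match nothing and are skipped.
FIELD_RE = re.compile(r"^(Log ID|IPAddress|Group|Status|Start Time|End Time):?\s+(\S.*?)\s*$")
TIME_FMT = "%H:%M:%S %m/%d/%Y"  # assumed sensor timestamp layout, e.g. 23:34:02 7/1/2001

def parse_iplog_status(text: str) -> List[Dict[str, str]]:
    """One dict per logging session; each 'Log ID' line starts a new session."""
    sessions, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Log ID" and current:
            sessions.append(current)
            current = {}
        current[key] = value
    if current:
        sessions.append(current)
    return sessions

def duration_minutes(session: Dict[str, str]) -> Optional[float]:
    """Minutes a completed session ran; None while it is still in-process,
    so only sessions with a value are complete enough to copy off the sensor."""
    if session.get("Status") != "completed" or "End Time" not in session:
        return None
    start = datetime.strptime(session["Start Time"], TIME_FMT)
    end = datetime.strptime(session["End Time"], TIME_FMT)
    return (end - start).total_seconds() / 60
```

The completed session in the sample ran for 10 minutes, which matches the default duration listed in Table 8.6.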