IP Logging


IP logging is normally done when a signature is triggered by malicious packet traffic. The log files can then be copied to an FTP server and analyzed with other networking analysis tools. This section covers two commands that deal with the IP logging features of the IDS 4.0.

The iplog Command

The iplog command enables the sensor to start manually logging IP packets on an interface group. The command supports several options that filter which packets are logged and control how long they are recorded. The syntax shows the two uses of the command:


 iplog  group-id ip-address  [duration  minutes  ] [packets  numPackets  ] [bytes  numBytes  ] no iplog  log-id  

Table 8.6 lists the iplog command options and explains their functions.

Table 8.6. iplog Command Options

Option        Function
group-id      Group ID to begin and end logging on. Currently, there is only one interface group, group 0.
ip-address    The IP address whose packets are logged.
minutes       How long logging stays active, in minutes. (The default is 10 minutes.)
numPackets    Total number of packets to log. (The default is 1000 packets.)
numBytes      Total number of bytes to log.
log-id        Used with no to stop a particular logging session. You can retrieve the log ID using the iplog-status command.


The following example displays how to manually enable the logging of IP address 10.1.9.11 on interface group 0:


sensor# iplog 0 10.1.9.11
Logging started for group 0, IP address 10.1.9.11, Log ID 1969
Warning: IP Logging will affect system performance.
sensor#

Note: You use the iplog command to manually record traffic. You can also define signature actions that log traffic automatically when the signature is triggered.


The iplog-status Command

The iplog-status command displays a description of the available IP log contents and their status. The following output displays IP log files that can be uploaded to an FTP server and reviewed offline:


sensor# iplog-status
Log ID:2425
IPAddress: 10.1.9.11
Group: 1
Status: in-process
Start Time: 10:02:34 8/24/2001
Log ID 2342
IPAddress: 10.1.9.12
Group:1
Status: completed
Start Time: 23:34:02 7/1/2001
End Time: 23:44:02 7/1/2001
sensor#

Looking closely at the example, you can see that the iplog-status command reports details for two logs: Log ID 2425, which is still in process, and Log ID 2342, which has completed.
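The iplog-status listing is plain text that has to be read by hand when deciding which logs are finished and which sessions to stop with no iplog. The following Python script is an added example, not part of this book or of the Cisco IDS software. It parses iplog-status output in the format shown above (the field labels are assumed to be exactly as printed, with tolerance for the inconsistent colon spacing in the book's output), lists the completed log IDs that are ready to copy to the FTP server, builds the no iplog log-id command for each session still in process, and checks the elapsed time of completed sessions against the 10-minute default duration. The sample output is constructed from the book's example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample: the book's iplog-status output with the line breaks the
# sensor prints restored. The irregular spacing ("Log ID:2425", "Group:1") is
# kept on purpose so the parser is shown coping with it.
SAMPLE_STATUS = """\
Log ID:2425
IPAddress: 10.1.9.11
Group: 1
Status: in-process
Start Time: 10:02:34 8/24/2001
Log ID 2342
IPAddress: 10.1.9.12
Group:1
Status: completed
Start Time: 23:34:02 7/1/2001
End Time: 23:44:02 7/1/2001
"""

# Timestamp layout as printed in the example: HH:MM:SS M/D/YYYY (assumption).
_TIME_FORMAT = "%H:%M:%S %m/%d/%Y"

# One field per line: a known label, an optional colon, then the value.
_FIELD_RE = re.compile(
    r"^(Log ID|IPAddress|Group|Status|Start Time|End Time)\s*:?\s*(.+?)\s*$"
)


@dataclass
class IpLogEntry:
    log_id: int
    ip_address: str
    group: int
    status: str
    start_time: str
    end_time: Optional[str] = None  # absent while the session is in process


def _build(fields: Dict[str, str]) -> IpLogEntry:
    """Turn the collected label/value pairs for one log into an entry."""
    return IpLogEntry(
        log_id=int(fields["Log ID"]),
        ip_address=fields["IPAddress"],
        group=int(fields["Group"]),
        status=fields["Status"],
        start_time=fields["Start Time"],
        end_time=fields.get("End Time"),
    )


def parse_iplog_status(text: str) -> List[IpLogEntry]:
    """Parse iplog-status output; each 'Log ID' line starts a new record."""
    entries: List[IpLogEntry] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        match = _FIELD_RE.match(line.strip())
        if not match:
            continue  # prompt lines and blank lines carry no fields
        label, value = match.group(1), match.group(2)
        if label == "Log ID" and current:
            entries.append(_build(current))
            current = {}
        current[label] = value
    if current:
        entries.append(_build(current))
    return entries


def completed_log_ids(entries: List[IpLogEntry]) -> List[int]:
    """Log IDs whose capture has finished and can be copied off the sensor."""
    return [e.log_id for e in entries if e.status == "completed"]


def stop_commands(entries: List[IpLogEntry]) -> List[str]:
    """The 'no iplog log-id' command for every session still running."""
    return [f"no iplog {e.log_id}" for e in entries if e.status == "in-process"]


def duration_minutes(entry: IpLogEntry) -> Optional[float]:
    """Elapsed minutes between start and end; None while still in process."""
    if entry.end_time is None:
        return None
    start = datetime.strptime(entry.start_time, _TIME_FORMAT)
    end = datetime.strptime(entry.end_time, _TIME_FORMAT)
    return (end - start).total_seconds() / 60


if __name__ == "__main__":
    logs = parse_iplog_status(SAMPLE_STATUS)
    for entry in logs:
        print(entry, "duration:", duration_minutes(entry))
    print("ready to upload:", completed_log_ids(logs))
    print("to stop:", stop_commands(logs))
```

On the book's sample the completed session (Log ID 2342) ran for exactly 10 minutes, which matches the default duration in Table 8.6, and the only stop command produced is for the in-process session 2425.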

Note: Use the copy command to upload the log files to the FTP server. You can then use programs such as Ethereal to analyze the IP packets offline.




CSIDS Exam Cram 2 (Exam 642-531)
Year: 2004
Pages: 213