IPS - IPLogging - ASA AIP-SSM

 

By default, a maximum of 20 IP log files can be open concurrently.

To change this limit, do the following:

(config)# service analysis-engine

(config-ana)# global-parameters

(config-ana-glo)# ip-logging

(config-ana-glo-ip)# max-open-iplog-files 40

(config-ana-glo-ip)# exit

(config-ana-glo)# exit

(config-ana)# exit
Apply Changes?[yes]: yes

 

Warning: change to max-open-iplog-files will take effect after next restart
Warning: The node must be rebooted for the changes to go into effect.
Continue with reboot? [yes]: yes

 AUTOMATIC IPLOGGING

 

  • Go to signature definition mode:

(config)# service signature-definition danpol

(config-sig)# ip-log

The default settings are:

# show settings
ip-log
-----------------------------------------------
ip-log-packets: 0 <defaulted>
ip-log-time: 30 <defaulted>
ip-log-bytes: 0 <defaulted>

 

(config-sig-ip)# ip-log-bytes 4096

Sets the maximum number of bytes you want logged.

(config-sig-ip)# ip-log-packets 300

Sets the maximum number of packets you want logged.

(config-sig-ip)# ip-log-time 60

Sets the duration, in seconds, for which the sensor logs.

(config-sig-ip)# exit

(config-sig)# exit
Apply Changes?[yes]: yes

 

Automatic IP logging captures packets until the first of the parameters above is reached (a value of 0 for bytes or packets means that limit is not applied).

Automatic IP logging is configured on a per-signature basis or as an event action override.

The following actions trigger automatic logging:

  • log-attacker-packets
  • log-victim-packets
  • log-pair-packets

 

 MANUAL IP LOGGING

 

Besides automatic IP logging, we can also start manual IP logging whenever we want.

We start manual IP logging from enable mode:

# iplog "virtual sensor" "ip_address" [bytes, duration, packets]

The bytes, duration and packets parameters are optional and need not be set; if we do set them, IP logging lasts until the first of these limits is reached.

Example:

# iplog danpol 149.121.230.62
Logging started for virtual sensor danpol, IP address 149.121.230.62, Log ID 909456435
Warning: IP Logging will affect system performance.

This starts logging of traffic to and from 149.121.230.62.

# iplog-status
Log ID: 909456435
IP Address 1: 149.121.230.62
Virtual Sensor: danpol
Status: started
Event ID: 0
Start Time: 2013/03/03 10:06:18 2013/03/03 10:06:18 GMT00:00
Bytes Captured: 0
Packets Captured: 0

iplog-status displays the status of IP logging. Once a limit is reached (or the log is stopped), the status changes from started to completed and the end time and capture counters are filled in:

# iplog-status
Log ID: 909456435
IP Address 1: 149.121.230.62
Virtual Sensor: danpol
Status: completed
Event ID: 0
Start Time: 2013/03/03 10:06:18 2013/03/03 10:06:18 GMT00:00
End Time: 2013/03/03 10:16:11 2013/03/03 10:16:11 GMT00:00
Bytes Captured: 410277
Packets Captured: 856
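When several logs are running on a sensor, it is handy to track the iplog-status output outside the CLI, for example to see how many logs are still open against the max-open-iplog-files limit and how long each completed capture ran. The parser below is an added example, not part of the original post; the second log block in the sample is constructed (hypothetical log ID and address), the first is the completed block shown above.

```python
import re
from datetime import datetime

# Constructed sample: the completed block from this page, plus one hypothetical
# still-running log, concatenated the way the sensor prints several logs.
SAMPLE = """\
Log ID: 909456435
IP Address 1: 149.121.230.62
Virtual Sensor: danpol
Status: completed
Event ID: 0
Start Time: 2013/03/03 10:06:18 2013/03/03 10:06:18 GMT00:00
End Time: 2013/03/03 10:16:11 2013/03/03 10:16:11 GMT00:00
Bytes Captured: 410277
Packets Captured: 856

Log ID: 123456789
IP Address 1: 192.0.2.10
Virtual Sensor: danpol
Status: started
Event ID: 0
Start Time: 2013/03/03 10:20:00 2013/03/03 10:20:00 GMT00:00
Bytes Captured: 0
Packets Captured: 0
"""

def _parse_time(value):
    # The sensor prints each timestamp twice (local, then UTC); the first pair is enough.
    return datetime.strptime(" ".join(value.split()[:2]), "%Y/%m/%d %H:%M:%S")

def parse_iplog_status(text):
    """Return one dict per log; blocks in the output are separated by a blank line."""
    logs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {k.strip(): v.strip() for k, v in (l.split(":", 1) for l in block.splitlines() if ":" in l)}
        logs.append({
            "log_id": rec["Log ID"], "ip": rec["IP Address 1"], "sensor": rec["Virtual Sensor"],
            "status": rec["Status"], "bytes": int(rec["Bytes Captured"]),
            "packets": int(rec["Packets Captured"]), "start": _parse_time(rec["Start Time"]),
            "end": _parse_time(rec["End Time"]) if "End Time" in rec else None,
        })
    return logs

def duration_seconds(entry):
    """Seconds a completed log ran, or None while it is still in the 'started' state."""
    return None if entry["end"] is None else int((entry["end"] - entry["start"]).total_seconds())

def open_count(logs):
    """Logs still capturing; compare against max-open-iplog-files (20 by default)."""
    return sum(1 for e in logs if e["status"] == "started")
```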

Captured packets can be downloaded for later analysis in Wireshark or a similar tool such as tcpdump.

The best option is to download them via the GUI (IDM):

 

[Image: IPS-iplogging.png]

or copy them to a remote system via FTP or SCP:

 

# copy iplog 909456435 ftp://user@ft-server
Server's IP Address: ip_address
Port[21]:
File name: iplog-909456435
Password: *********

 

 STOPPING IP LOGGING


If we want to stop IP logging (whether started manually or automatically), we can do so by typing:

# no iplog log-id 909456435  (stops one log)

# no iplog  (stops all IP logging)

# no iplog "virtual sensor"  (stops all IP logging for one virtual sensor; on the ASA AIP-SSM there is only one virtual sensor, but an appliance IPS such as the 4270 can have up to four)

These commands only stop IP logging; they do not remove the IP log file. Only an IP log still in the "added" state is removed.

 

 dzbanek 2013-03-03
