Table Of Contents
Monitoring Network Traffic and Extracting Attack Signatures
Understanding Packet-Dump Capture
Enabling Automatic Packet-Dump Capture
Disabling Automatic Packet-Dump Capture
Activating Manual Packet-Dump Captures
Starting a Manual Packet-Dump Capture
Stopping a Manual Packet-Dump Capture
Viewing Packet-Dump Captures
Viewing the Packet-Dump Capture List
Viewing the Packet-Dump Capture Details
Changing the Packet-Dump Capture Details Screen View
Comparing Two Packet-Dump Captures
Managing Packet-Dump Capture Files
Renaming a Manual Packet-Dump Capture File
Copying a Packet-Dump Capture File
Exporting Packet-Dump Capture Files
Importing Packet-Dump Capture Files
Deleting Packet-Dump Capture Files
Extracting and Using Signatures from Packet-Dump Captures
Extracting an Attack Signature from a Packet-Dump Capture
Adding an Attack Signature to a Flex-Content Filter
Using an Attack Signature as a Display Pattern for Displaying Packet-Dump Captures
Monitoring Network Traffic and Extracting Attack Signatures
This chapter describes how to record and observe zone traffic patterns by using the packet-dump capture function, which provides nonintrusive network taps.
This chapter contains the following sections:
• Understanding Packet-Dump Capture
• Enabling Automatic Packet-Dump Capture
• Disabling Automatic Packet-Dump Capture
• Activating Manual Packet-Dump Captures
• Viewing Packet-Dump Captures
• Managing Packet-Dump Capture Files
• Extracting and Using Signatures from Packet-Dump Captures
Understanding Packet-Dump Capture
You can configure the Cisco Anomaly Guard Module (Guard module) to record traffic directly from the network through nonintrusive taps and create a database from the recorded traffic. By querying the recorded traffic database, you can analyze past events, generate signatures of an attack, or compare current network traffic patterns with traffic patterns that the Guard module recorded previously under normal traffic conditions.
You can configure filters so that the Guard module records only traffic that meets certain criteria or you can record all traffic data and filter the traffic information that the Guard module displays.
The Guard module saves the traffic in a PCAP format, which is compressed and encoded by the gzip (GNU zip) program with an accompanying file in an Extensible Markup Language (XML) format that describes the recorded data.
From the recorded traffic, you can determine if there are any common patterns or signatures that appear in the payload of the attack packets. The Guard module can analyze the recorded traffic and extract a signature, which you can use to configure a flex-content filter to block all traffic containing the packet payloads that match the signature.
The Guard module can record the traffic as follows:
• Automatically—Continuously records traffic data in packet-dump capture files. New packet-dump capture files replace any previously recorded capture files. To save previously recorded packet-dump capture files, you must export them to a network server.
• Manually—Records traffic in packet-dump capture files when you activate a recording session. New packet-dump capture files replace previously recorded capture files. To save a previously recorded capture file, export the file to a network server before you activate a new recording session.
You can activate only one manual packet-dump capture at a time for a zone, but you can activate the manual packet-dump capture and the automatic packet-dump capture simultaneously. The Guard module can perform manual recording sessions for up to four zones simultaneously.
The Guard module allocates, by default, 20 MB of disk space for manual packet-dump capture files of all zones. It can save up to 80 MB of manual and automatic packet-dump capture files of all zones. You must delete old files to free disk space for additional packet-dump capture files.
Enabling Automatic Packet-Dump Capture
You can enable the automatic packet-dump feature to allow the Guard module to record the zone traffic. The Guard module records traffic in a capture buffer during zone protection or learning. When the capture buffer size reaches 20 MB, or after 10 minutes have elapsed, the Guard module saves the buffered information to a local file in a compressed format, clears the buffer, and then continues recording traffic. New packet-dump capture files replace the previous ones. To save previous packet-dump capture files, you must export them to a File Transfer Protocol (FTP) server (see the "Exporting Packet-Dump Capture Files" section).

Note
The Guard module can perform the automatic packet-dump capture function on a maximum of four zones concurrently. If you activate learning or zone protection for a fifth zone that has the automatic capture function enabled, the Guard module activates the zone but does not perform the capture function, and it issues a syslog message stating that no capture will be performed for the zone.
The Guard module can create up to three different types of capture files during the capture time period, depending on which of the following ways it handles the packets:
• Forwarded: Source IP addresses of the legitimate traffic that the Guard module forwarded to the zone.
• Dropped: Source IP addresses of the malicious traffic that the Guard module dropped.
• Replied: Destination IP addresses of the traffic that the Guard module anti-spoofing and anti-zombie functions send back to the source in a verification attempt.
When only a forwarded packet-dump capture file exists, it indicates that the zone was not under attack during the time of the capture. An attack on the zone is indicated when the Guard module also creates dropped and replied capture files. Within each of the three types of packet-dump capture files, the Guard module provides an IP summarization, which is a summary of the most frequently detected IP addresses (according to the volume of traffic).
The IP summarization information that the Guard module presents in a replied packet-dump capture file enables you to determine the source of a spoofed attack. The Guard module also pulls this information from the capture file and displays it in the zone attack report under the heading Replied IP Summarization (see the "Understanding the Replied IP Summarization Information" section in Chapter 10, "Monitoring Guard Module and Zone Operations"). To ensure accurate replied IP summarization results, you must leave the packet-dump capture function enabled for the length of the attack on the zone. If you disable the packet-dump capture function during the attack, the replied IP summarization information may not display or may not be accurate. The Guard module can display replied IP summarization information in the attack report only when you have the automatic packet-dump capture function enabled (no replied IP summarization information displays for manually activated packet-dump captures).

Note
The IP summarization process is resource consuming. When resources become low, the Guard module suspends the process and issues a log message that appears in the zone log. The capture XML file then contains a status attribute stating that the capture file has no IP summarization information due to a failure.
The Guard module applies a naming convention to automatic packet-dump capture files that provides information about when the Guard module recorded the traffic and how it handled the traffic. Table 11-1 describes the sections of the automatic packet-dump capture filename.
Table 11-1 Sections of the Automatic Packet-Dump Capture Filename
Section | Description
Function/Zone Name | Zone function that the Guard module was performing at the time of the packet-dump capture and the zone name. The zone functions are as follows:
  • protect—The Guard module recorded the traffic during zone protection.
  • learn—The Guard module recorded the traffic during the zone learning process or the protect and learning process.
Capture start time | Time that the Guard module started recording the traffic.
Capture end time | (Optional) Time that the Guard module finished recording the traffic. If the Guard module is currently recording the traffic to the file, the end time is not displayed.
Dispatch | Method that the Guard module used to handle the traffic. This method can be one of the following:
  • forwarded—The Guard module identified traffic as legitimate and forwarded it to the zone.
  • dropped—The Guard module identified traffic as malicious and dropped it.
  • replied—The Guard module sent replies to the initiating client as part of the anti-spoofing or anti-zombie functions in order to verify whether the packets are part of authentic traffic or part of an attack.
The Guard module saves one packet-dump capture file from the learning process and the following two types of packet-dump capture files when zone protection is enabled:
• Traffic from the previous 10 minutes
• Current traffic
When you activate zone protection or activate the Guard module to automatically record network traffic, the Guard module erases all previous packet-dump capture files that it recorded during the protection process and creates new ones.
To enable the automatic packet-dump feature, perform the following steps:
Step 1: From the navigation pane, choose a zone. The zone main menu appears.
Step 2: From the zone main menu, choose Configuration > General. The General screen appears, displaying the current zone configuration.
Step 3: Click Config. The Config screen appears.
Step 4: From the Packet-Dump Parameters area of the Zone form, click On.
Step 5: Click OK to save the automatic packet-dump setting. The Guard module begins recording all the zone traffic.
Disabling Automatic Packet-Dump Capture
You can disable the automatic packet-dump feature to stop the Guard module from recording the zone traffic.
To disable the automatic packet-dump feature, perform the following steps:
Step 1: From the navigation pane, choose a zone. The zone main menu appears.
Step 2: From the zone main menu, choose Configuration > General. The General screen appears, displaying the current zone configuration.
Step 3: Click Config. The Config screen appears.
Step 4: From the Packet-Dump Parameters area of the Zone form, click Off.
Step 5: Click OK to disable the automatic packet-dump. The Guard module stops recording the zone traffic.
Activating Manual Packet-Dump Captures
You can manually activate the Guard module to record zone traffic and create a capture file, enabling you to capture traffic during a specific period of time. You can also specify the types of traffic that the Guard module records as follows:
• Forwarded: Legitimate traffic that the Guard module forwarded to the zone.
• Dropped: Malicious traffic that the Guard module dropped.
• Replied: Traffic that the Guard module anti-spoofing and anti-zombie functions send back to the source in a verification attempt.
• All: Forwarded, dropped, and replied traffic.
Within the forwarded, dropped, and replied types of packet-dump capture files, the Guard module provides an IP summarization, which is a summary of the most frequently detected source IP addresses (according to the volume of traffic). The Guard module does not provide an IP summarization for capture files containing all traffic types.
Note
The IP summarization process is resource consuming. When resources become low, the Guard module suspends the process and issues a log message that appears in the zone log. The capture XML file then contains a status attribute stating that the capture file has no IP summarization information due to a failure.
The Guard module stops recording traffic and saves the manual packet-dump capture to a file when the specified number of packets have been recorded or when either the learning process or zone protection have ended.
The Guard module allocates, by default, 20 MB of disk space for manual packet-dump capture files of all zones. It can save up to 80 MB of manual and automatic packet-dump capture files of all zones. To free disk space for additional packet-dump capture files, delete any packet-dump capture files that you no longer need (see the "Deleting Packet-Dump Capture Files" section).
You can activate only one manual packet-dump capture at a time for a zone, but you can activate the manual packet-dump capture and the automatic packet-dump capture simultaneously. The Guard module can record manual packet-dump captures for up to 10 zones simultaneously.
This section contains the following topics:
• Starting a Manual Packet-Dump Capture
• Stopping a Manual Packet-Dump Capture
Starting a Manual Packet-Dump Capture
The zone must be active (learning zone traffic or protecting the zone) before you can start a manual packet-dump capture.
To start a manual packet-dump capture, perform the following steps:
Step 1: From the navigation pane, choose a zone. The zone main menu appears.
Step 2: From the zone main menu, choose Diagnostics > Packet-Dump > Start Packet-Dump. The Start Packet-Dump screen appears.
Step 3: Configure the parameters of the packet-dump capture.
Table 11-2 describes the parameters listed in the Start Packet-Dump form.
Table 11-2 Start Packet-Dump Form Parameters
Parameter | Description
Capture name | Name for the packet-dump capture file. Enter an alphanumeric string from 1 to 63 characters. The string can contain underscores but cannot contain spaces.
Packet-Dump filter | (Optional) Filter that you apply to specify the traffic to record. The Guard module captures only traffic that complies with the filter expression. The expression syntax is identical to the syntax of the flex-content filter expression (see the "Understanding the Flex-Content Expression Syntax" section in Chapter 5, "Configuring Zone Filters").
Dispatch value | Zone traffic that the Guard module captures. Choose one of the following traffic types from the drop-down list:
  • all—Captures all traffic.
  • dropped—Captures only traffic that the Guard module dropped.
  • forwarded—Captures only legitimate traffic that the Guard module forwards on to the zone.
  • replied—Captures only the traffic that the Guard module anti-spoofing and anti-zombie features send back to the source in a verification attempt.
Sample rate | Sample rate in packets per second. Enter a value from 1 to 10000. The Guard module supports a maximum accumulated packet-dump capture rate of 10000 packets per second for all concurrent manual captures. A packet-dump capture configured with a high Sample Rate value consumes Guard module resources. We recommend that you use high-rate values cautiously.
Number of packets | Number of packets to record. When the Guard module records the number of packets that you specify, it stops the manual packet-dump capture and saves the information in the capture buffer to a file. Enter an integer from 1 to 5000.
Step 4: Click OK to start the manual packet-dump capture.
Stopping a Manual Packet-Dump Capture
The Guard module stops a manual packet-dump capture when it records the number of packets that you specified when you activated the capture. However, you can stop a manual packet-dump capture before the Guard module records the specified number of packets.
To stop a manual packet-dump capture, perform the following steps:
Step 1: From the navigation pane, choose a zone. The zone main menu appears.
Step 2: From the zone main menu, choose Diagnostics > Packet-Dump > Stop Packet-Dump. The Guard module stops the manual packet-dump capture.
Viewing Packet-Dump Captures
This section describes how to view a list of packet-dump capture files, view the content of a single packet-dump capture file, and how to compare the results of two packet-dump captures.
This section contains the following topics:
• Viewing the Packet-Dump Capture List
• Viewing the Packet-Dump Capture Details
• Changing the Packet-Dump Capture Details Screen View
• Comparing Two Packet-Dump Captures
Viewing the Packet-Dump Capture List
To view the list of packet-dump capture files, perform the following steps:
Step 1: From the navigation pane, choose a zone. The zone main menu appears.
Step 2: From the zone main menu, choose Diagnostics > Packet-Dump > Packet-Dump List. The Packet-Dump List screen appears.
Table 11-3 describes the fields of the packet-dump list.
Table 11-3 Packet-Dump List
Field | Description
Name | Name of the packet-dump capture file.
Start Time | Date and time that the packet-dump capture began.
Stop Time | Date and time that the packet-dump capture ended.
Type | Type of the packet-dump capture, which can be automatic or manual.
Size | Size of the file generated by the packet-dump capture.
Packet Dump Filter | User-defined filter that the Guard module used when recording traffic. The filter is in TCPDump format. The expression syntax is identical to the syntax of the flex-content filter expression (see the "Understanding the Flex-Content Expression Syntax" section in Chapter 5, "Configuring Zone Filters").
Dispatch | Traffic type that the Guard module recorded. The traffic type can be one of the following:
  • All—All traffic.
  • Dropped—Traffic that the Guard module dropped.
  • Forwarded—Legitimate traffic that the Guard module forwards on to the zone.
  • Replied—Traffic that the Guard module anti-spoofing and anti-zombie functions sent back to the source in a verification attempt.
Table 11-4 describes the function buttons of the Packet-Dump List screen.
Viewing the Packet-Dump Capture Details
To view the details of a packet-dump capture, perform the following steps:
Step 1: From the navigation pane, choose a zone. The zone main menu appears.
Step 2: From the zone main menu, choose Diagnostics > Packet-Dump > Packet-Dump List. The Packet-Dump List screen appears.
Step 3: Check the check box next to the packet-dump capture that you want to view, and then click View. The Packet-Dump capture analysis screen appears. For information about applying a screen filter to the information displayed, see the "Changing the Packet-Dump Capture Details Screen View" section.
Table 11-5 describes the information that the Guard module displays in the Capture and View parameter areas of the Packet-Dump Capture Analysis screen.
Table 11-5 Packet-Dump Capture and View Parameters
Screen Area | Parameter | Description
Capture parameters | Name | Name of the capture file.
Capture parameters | Start time | Time that the capture started.
Capture parameters | End time | Time that the capture ended.
Capture parameters | Packets | Number of packets that the capture file contains.
Capture parameters | Packet Dump filter | User-defined filter that the Guard module used when recording traffic. The filter is in TCPDump format. The expression rules are identical to the flex-content filter expression rules.
Capture parameters | Dispatch | Traffic type that the Guard module recorded:
  • All—All traffic.
  • Dropped—Traffic that the Guard module dropped.
  • Forwarded—Legitimate traffic that the Guard module forwarded on to the zone.
  • Replied—Traffic that the Guard module anti-spoofing and anti-zombie functions sent back to the source in a verification attempt.
View Parameters | Query | Data profile that the Guard module uses to display the capture information:
  • Top 20: SrcIP / DstIP / SrcPort / DstPort / Protocol
  • Distribution: SrcIP / DstIP / SrcPort / DstPort / SrcReservedPorts / DstReservedPorts / Protocol / TTL / Length
  • Packets list
  See Table 11-7 for details about the information that the Guard module displays for each of the query types.
View Parameters | Display filter | Filter that the Guard module uses when displaying the packet-dump capture file. The Guard module displays only the portion of the packet-dump capture file that matches the filter criteria. The expression rules are identical to the flex-content filter expression rules.
The IP Summarization table, located under the View Parameters section, displays information on the most frequently detected IP addresses recorded in the packet-dump capture. Table 11-6 describes the fields that display in the IP Summarization table.
Note
If you display two packet-dump captures to do a comparison of the two captures (see the "Comparing Two Packet-Dump Captures" section), the IP summarization table does not display.
Table 11-6 Field Descriptions for the IP Summarization Table
Field | Description
Subnet | Most frequently detected IP addresses of the recorded packet type. For forwarded and dropped packet types, the IP addresses listed are the packet source IP addresses. For replied packet types, the IP addresses are the packet destination IP addresses.
Subnet Mask | Subnet mask of the recorded packet type (forwarded, dropped, or replied).
Weight (%) | Percentage of samples recorded by the Guard module that came from the subnet IP address out of the total number of recorded samples.
Unique Addresses | Number of unique addresses belonging to the subnet.
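The IP Summarization table reports which subnets contributed most of the recorded samples. The following Python function is an added illustration, not Guard module code: it groups a constructed list of recorded addresses into subnets of an assumed fixed prefix length (/24 by default; the manual does not state how the Guard module chooses the mask) and returns the Subnet, Subnet Mask, Weight (%) and Unique Addresses columns of Table 11-6. For forwarded and dropped captures the input list would hold packet source addresses; for replied captures, packet destination addresses.

```python
"""IP summarization over the addresses recorded in a packet-dump capture
(added example, not Guard module code)."""
import ipaddress
from collections import Counter, defaultdict

# Constructed sample: one entry per recorded packet, so a repeated address
# means repeated packets from that host.
SAMPLE_ADDRESSES = (
    ["203.0.113.10"] * 30 + ["203.0.113.11"] * 20 + ["203.0.113.12"] * 10
    + ["198.51.100.7"] * 25 + ["198.51.100.8"] * 5
    + ["192.0.2.1"] * 10
)


def summarize_ips(addresses, prefix_len=24, top_n=10):
    """Return rows (subnet, subnet_mask, weight_pct, unique_addresses), heaviest first.

    prefix_len is an assumption of this example: the Guard module's own
    choice of subnet mask per row is not described in the manual.
    weight_pct is the share of all recorded samples that fall in the subnet,
    as the Weight (%) column describes.
    """
    if not addresses:
        return []
    per_subnet_packets = Counter()
    per_subnet_hosts = defaultdict(set)
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        per_subnet_packets[net] += 1
        per_subnet_hosts[net].add(ip)
    total = len(addresses)
    rows = []
    for net, count in per_subnet_packets.most_common(top_n):
        rows.append((
            str(net.network_address),
            str(net.netmask),
            round(100.0 * count / total, 1),
            len(per_subnet_hosts[net]),
        ))
    return rows


if __name__ == "__main__":
    print(f"{'Subnet':<16}{'Subnet Mask':<16}{'Weight (%)':>11}  Unique Addresses")
    for subnet, mask, weight, unique in summarize_ips(SAMPLE_ADDRESSES):
        print(f"{subnet:<16}{mask:<16}{weight:>11}  {unique}")
```

With the constructed sample, the 203.0.113.0/24 row carries 60% of the samples from three distinct hosts, which is the shape a volumetric source you would want to investigate takes in this table: a high weight concentrated in a small number of unique addresses.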
Table 11-7 describes the Capture Parameter information that the Guard module displays, which varies based on the type of query that you select (see the "Changing the Packet-Dump Capture Details Screen View" section).
Table 11-7 Capture Parameters Table and Graph Details
Query Type | Parameter | Description
Top 20/Criteria (the Criteria can be SrcIP, DstIP, SrcPort, DstPort, or Protocol) | # | Sequential number that the Guard module assigned to each incident that it recorded during the packet-dump capture.
Top 20/Criteria | Key | IP address, port number, or protocol number, which varies based on the query type that you chose.
Top 20/Criteria | Packets | Number of packets in the packet-dump capture.
Top 20/Criteria | % | Percentage of packets in the packet-dump capture that fit the criteria.
Distribution/Criteria (the Criteria can be SrcIP, DstIP, SrcPort, DstPort, SrcReservedPorts, DstReservedPorts, Protocol, TTL, or Length) | x-axis | Units of the distribution attribute that you chose, such as the IP address, the port number, or the protocol number.
Distribution/Criteria | y-axis | Number of packets.
Packets List | # | Sequential number that the Guard module assigned to each incident that it recorded during the packet-dump capture.
Packets List | Time | Time that the packet-dump was captured.
Packets List | SrcIp | Source IP address of the packets.
Packets List | SrcPort | Source port of the packets.
Packets List | DstIp | Destination IP address of the packets.
Packets List | DstPort | Destination port of the packets.
Packets List | Protocol | Protocol number of the packets.
Packets List | Info | Additional information on the packets.

Note
To sort the information in a Top 20 table and a Packets List table based on the column information, click on the table column header.
The Packet-Dump capture analysis screen contains the following buttons:
• Change View—Changes the view parameters (see the "Changing the Packet-Dump Capture Details Screen View" section).
• Save—Saves a copy of the packet-dump capture to a different filename (see the "Copying a Packet-Dump Capture File" section).
• Extract Signatures—Extracts the traffic signature from the packet-dump capture (see the "Extracting an Attack Signature from a Packet-Dump Capture" section).
Changing the Packet-Dump Capture Details Screen View
To change the view of the Packet-Dump Capture details screen, perform the following steps:
Step 1: From the navigation pane, choose a zone. The zone main menu appears.
Step 2: From the zone main menu, choose Diagnostics > Packet-Dump > Packet-Dump List. The Packet-Dump List screen appears.
Step 3: Click Change View. The Change Packet-Dump View Parameters window opens.
Step 4: Configure the viewing parameters of the packet-dump capture. Table 11-8 describes the parameters of the Change Packet-Dump View Parameters form.
Table 11-8 Change Packet-Dump View Parameters
Parameter | Description
Query | Data profile to display. Choose one of the following profiles from the Query drop-down list:
  • TOP 20: SrcIP / DstIP / SrcPort / DstPort / Protocol—Groups the packets based on the criteria that you chose and then displays the 20 groups with the highest values. For example, if you choose the display criteria to be Src IP, the Guard module groups the packets based on the source IP address and then displays information about the 20 source IP addresses that appeared the highest number of times. The information displays in a table format.
  • Distribution: SrcIP / DstIP / SrcPort / DstPort / SrcReservedPorts / DstReservedPorts / Protocol / TTL / Length—Displays a graph indicating how the packets are distributed across the criteria that you defined.
  • Packet View—Displays packet details, such as source and destination IP addresses, and source and destination ports. The information displays in a table format.
  The profile determines the format of the display (table or graph).
Display filter | (Optional) User-defined filter that specifies which packets to display. The Guard module displays only the portion of the packet-dump capture file that matches the filter criteria. The expression rules are identical to the flex-content filter TCPDump expression rules (see the "Understanding the Flex-Content Expression Syntax" section in Chapter 5, "Configuring Zone Filters").
Display Pattern | (Optional) Regular expression data pattern to match with the packet content. The Guard module displays only the portion of the packet-dump capture file that matches the pattern criteria. The pattern rules are identical to the flex-content pattern rules (see the "Understanding the Flex-Content Filter Pattern Syntax" section in Chapter 5, "Configuring Zone Filters"). Enter the display pattern to use. You can also use an attack signature as the Display Pattern. See the "Using an Attack Signature as a Display Pattern for Displaying Packet-Dump Captures" section for more information.
Start Offset | (Optional) Offset, in bytes, from the beginning of the packet payload where the pattern matching begins. The default is 0 (the start of the payload). The Start Offset parameter applies only if you enter a pattern in the Display Pattern field. Enter the start offset to use.
End Offset | (Optional) Offset, in bytes, from the beginning of the packet payload where the pattern matching ends. The default is the packet length (the end of the payload). The End Offset parameter applies only if you enter a pattern in the Display Pattern field. Enter the end offset to use.
Step 5: Click OK to change the packet-dump display. The Guard module updates the packet-dump capture details screen based on the view parameters that you chose.
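The capture file format (a gzip-compressed PCAP file, as the "Understanding Packet-Dump Capture" section states) and the Query and Display Pattern views of Tables 11-5 and 11-8 can be exercised offline. The following Python script is an added example, not Guard module code: it builds a small constructed capture in memory, compresses it with gzip, parses it with the standard library only, and implements a Top 20 query, a Distribution query, and a Display Pattern match restricted to the Start Offset/End Offset window. The sample addresses and payloads are constructed, and the pattern semantics (a regular-expression search over the payload slice) are an assumption; the manual defines the pattern rules only by reference to the flex-content filter.

```python
"""Parse a gzip-compressed PCAP capture and run Top 20 / Distribution /
Display Pattern queries over it (added example, not Guard module code)."""
import gzip
import re
import socket
import struct
from collections import Counter

# PCAP global header: magic, version 2.4, zone 0, sigfigs 0, snaplen, linktype 1 (Ethernet)
PCAP_GLOBAL_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def build_frame(src, dst, proto, sport, dport, ttl, payload):
    """Constructed Ethernet/IPv4/(TCP or UDP) frame; checksums are left at zero."""
    if proto == 6:  # TCP: 20-byte header, data offset 5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:           # UDP: 8-byte header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total_len = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4 + payload


def build_pcap_gz(frames):
    """Wrap frames in PCAP records and gzip the result, as the module stores captures."""
    records = b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return gzip.compress(PCAP_GLOBAL_HEADER + records)


def parse_pcap_gz(blob):
    """Yield one dict per IPv4 packet with the fields the Packets List view shows."""
    data = gzip.decompress(blob)
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic")
    if struct.unpack("<I", data[20:24])[0] != 1:
        raise ValueError("this example handles Ethernet link-type captures only")
    pos = 24
    while pos + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig = struct.unpack("<IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated or not IPv4: skip
        ihl = (frame[14] & 0x0F) * 4
        length = struct.unpack("!H", frame[16:18])[0]
        ttl, proto = frame[22], frame[23]
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        l4 = frame[14 + ihl:14 + length]
        sport = dport = None
        hdr = 0
        if proto == 6 and len(l4) >= 20:
            sport, dport = struct.unpack("!HH", l4[:4])
            hdr = (l4[12] >> 4) * 4
        elif proto == 17 and len(l4) >= 8:
            sport, dport = struct.unpack("!HH", l4[:4])
            hdr = 8
        yield {"Time": ts_sec, "SrcIP": src, "DstIP": dst, "SrcPort": sport,
               "DstPort": dport, "Protocol": proto, "TTL": ttl, "Length": length,
               "payload": l4[hdr:]}


def top_n(packets, criterion, n=20):
    """Top 20 view: (Key, Packets, %) rows, most frequent first."""
    counts = Counter(p[criterion] for p in packets)
    total = sum(counts.values())
    if not total:
        return []
    return [(k, c, round(100.0 * c / total, 1)) for k, c in counts.most_common(n)]


def distribution(packets, criterion):
    """Distribution view: x-axis value -> number of packets (y-axis)."""
    return dict(sorted(Counter(p[criterion] for p in packets).items()))


def display_pattern(packets, pattern, start_offset=0, end_offset=None):
    """Display Pattern: keep packets whose payload[start:end] matches the regex.
    Assumed semantics: a regular-expression search over that payload window."""
    rx = re.compile(pattern.encode() if isinstance(pattern, str) else pattern)
    return [p for p in packets if rx.search(p["payload"][start_offset:end_offset])]


# Constructed sample traffic: a flood from one host plus two ordinary flows.
SAMPLE_FRAMES = (
    [build_frame("203.0.113.10", "192.0.2.80", 6, 40000 + i, 80, 64,
                 b"GET /index.html?junk=AAAA HTTP/1.0\r\n") for i in range(6)]
    + [build_frame("198.51.100.7", "192.0.2.80", 6, 51000, 80, 55,
                   b"GET / HTTP/1.1\r\nHost: example\r\n"),
       build_frame("198.51.100.8", "192.0.2.53", 17, 53000, 53, 120, b"\x12\x34\x01\x00")]
)
CAPTURE_GZ = build_pcap_gz(SAMPLE_FRAMES)

if __name__ == "__main__":
    pkts = list(parse_pcap_gz(CAPTURE_GZ))
    print("Top 20 / SrcIP:", top_n(pkts, "SrcIP"))
    print("Distribution / TTL:", distribution(pkts, "TTL"))
    hits = display_pattern(pkts, r"junk=A+", start_offset=16, end_offset=25)
    print("Display Pattern junk=A+ (offsets 16-25) matched", len(hits), "packets")
```

The offset window matters in practice: the same pattern matched over offsets 0 to 15 of the constructed payloads finds nothing, because that window only covers the request line up to the path, which is why the Start Offset and End Offset fields are scoped to the payload rather than the whole packet.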
Comparing Two Packet-Dump Captures
To compare the details of two packet-dump captures, perform the following steps:
Step 1: From the navigation pane, choose a zone. The zone main menu appears.
Step 2: From the zone main menu, choose Diagnostics > Packet-Dump > Packet-Dump List. The Packet-Dump List screen appears.
Step 3: Check the check box next to the packet-dump capture that you want to view as the base capture.
Step 4: Check the check box next to the packet-dump capture that you want to view as the reference capture.
Step 5: Click View. The Packet-Dump capture analysis screen appears, displaying the details of the base and reference packet-dump captures.
Step 6: (Optional) Click Swap Base and Reference to switch the two packet captures, making the base capture the reference capture and the reference capture the base capture. Use this function when extracting a signature (the Guard module extracts the signature from the base capture). For information about extracting a signature, see the "Extracting and Using Signatures from Packet-Dump Captures" section.
For a description of the information that the Guard module displays in the Packet-Dump capture analysis screen, see the "Viewing the Packet-Dump Capture Details" section.
Managing Packet-Dump Capture Files
This section contains the following topics:
• Renaming a Manual Packet-Dump Capture File
• Copying a Packet-Dump Capture File
• Exporting Packet-Dump Capture Files
• Importing Packet-Dump Capture Files
• Deleting Packet-Dump Capture Files
Renaming a Manual Packet-Dump Capture File
You can rename a manual packet-dump capture file, but you cannot rename an automatic packet-dump capture file. To change the name of an automatic packet-dump capture file, you must copy the file (see the "Copying a Packet-Dump Capture File" section).
To rename a manual packet-dump capture, perform the following steps:
Step 1: From the navigation pane, choose a zone. The zone main menu appears.
Step 2: From the zone main menu, choose Diagnostics > Packet-Dump > Packet-Dump List. The Packet-Dump List screen appears.
Step 3: Check the check box next to the packet-dump capture that you want to rename, and then click Rename. The Rename window opens.
Step 4: In the New name field, enter a new name for the packet-dump capture file. The name is an alphanumeric string from 1 to 63 characters and can contain underscores and dashes but cannot contain spaces.
Step 5: Click OK to save the packet-dump capture using the new name.
Copying a Packet-Dump Capture File
You can copy a packet-dump capture file (or a portion of a file) under a new name. Because the Guard module overwrites existing automatic packet-dump capture files with new ones, the copy option enables you to save an automatic packet-dump capture file for use at a later time. When you copy an automatic packet-dump capture file or a manual packet-dump capture file, the Guard module saves them as manual files and does not delete the original packet-dump capture file. You must manually delete them if you need to free disk space (see the "Deleting Packet-Dump Capture Files" section).
To copy a packet-dump capture file, perform the following steps:
Step 1: From the navigation pane, choose a zone. The zone main menu appears.
Step 2: From the zone main menu, choose Diagnostics > Packet-Dump > Packet-Dump List. The Packet-Dump List screen appears.
Step 3: Check the check box next to the packet-dump capture that you want to copy, and then click Copy. The Packet-Dump capture analysis screen appears.
Step 4: In the New name field, enter a new name for the packet-dump capture file. The name is an alphanumeric string from 1 to 63 characters and can contain underscores and dashes but cannot contain spaces.
Step 5: (Optional) Define the filter that the Guard module uses to copy the packet-dump capture file. The Guard module copies only the portion of the packet-dump capture file that matches the filter criteria. The expression rules are identical to the flex-content filter expression rules (see the "Understanding the Flex-Content Expression Syntax" section in Chapter 5, "Configuring Zone Filters").
Step 6: Click OK to save the packet-dump capture using the new name.
You can also copy a file by displaying the packet-dump capture details (see the "Viewing the Packet-Dump Capture Details" section) and then clicking Save. The Guard module saves the portion of the file that is displayed. If you configured a filter that the Guard module uses to display the packet-dump capture file, the Guard module uses the same filter to save only the portion of the packet-dump capture file that matches the filter criteria.
Exporting Packet-Dump Capture Files
You can manually export packet-dump capture files to a network server that uses FTP, Secure File Transfer Protocol (SFTP), or Secure Copy Protocol (SCP) to transfer files. You can export a single packet-dump capture file or all packet-dump capture files of a specific zone. The Guard module exports the packet-dump capture files in a PCAP format, which is compressed and encoded by the gzip (GNU zip) program with an accompanying file in an XML format that describes the recorded data. See the Capture.xsd file that accompanies the version for a description of the XML schema.
You can download the .xsd files that accompany the version from the Software Center at http://www.cisco.com/public/sw-center/.
To export a packet-dump capture, perform the following steps:
Step 1: From the navigation pane, choose a zone. The zone main menu appears.
Step 2: From the zone main menu, choose Diagnostics > Packet-Dump > Packet-Dump List. The Packet-Dump List screen appears.
Step 3: Check the check box next to the packet-dump capture files that you want to export, and then click Export. The Export File Server Parameters window opens. To choose all of the packet-dump captures, check the check box in the table header.
Step 4
From the Select File Server Parameters form, choose the network server to use:
• Use automatic export file server definitions—Exports the packet-dump capture files to the network servers that you defined in the Guard module configuration by using the CLI export packet-dump command.
• Use the following server definition—Exports the packet-dump capture files to the network server that you define. Enter the following network server information:
  – Transfer method—Transfer protocol to use. The transfer method can be one of the following:
    FTP—Specifies FTP.
    SFTP—Specifies SFTP.
    SCP—Specifies SCP.
    Because SFTP and SCP rely on Secure Shell (SSH) for their secure transport, if you do not configure the key that the Guard module uses for the secure communication before you export packet-dump capture files to an SFTP or SCP server, the Guard module prompts you for the password. You must use the Guard module CLI to configure the key for SFTP and SCP.
  – Address—IP address of the network server.
  – Path—Complete pathname where the Guard module saves the packet-dump capture files. If you do not specify a path, the network server saves the packet-dump capture files in your home directory.
  – Username—Network server login name. The username argument is optional when you define an FTP server. When you do not enter a login name, the FTP server assumes an anonymous login and does not prompt you for a password.
  – Password—(Optional) Password for the remote FTP server. If you enter a username but do not enter a password, the Guard module prompts you for the password.
Step 5
Click OK to export the packet-dump capture files to the network server.
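An added example, not Cisco's code, that reads an exported capture offline and reproduces the Top 20 and Distribution queries of the Packet-Dump Capture Analysis screen in Python. It assumes the gzip-compressed export is a standard libpcap file with Ethernet framing and decodes IPv4 only; the accompanying XML file is not parsed because its schema (Capture.xsd) is not reproduced here, and the capture bytes below are constructed in the block rather than taken from a real export.

```python
import gzip
import socket
import struct
from collections import Counter

ETH_IPV4 = 0x0800                          # EtherType for IPv4
LE_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)       # little-endian pcap magics (usec / nsec timestamps)

def parse_capture(gz_bytes):
    """Decode a gzip-compressed pcap into per-packet records (IPv4 over Ethernet only)."""
    data = gzip.decompress(gz_bytes)
    endian = "<" if struct.unpack("<I", data[:4])[0] in LE_MAGICS else ">"
    records, pos = [], 24                  # skip the 24-byte global header
    while pos + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[pos + 8:pos + 12])[0]
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
            continue                       # skip non-IPv4 frames
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        rec = {"SrcIP": socket.inet_ntoa(ip[12:16]), "DstIP": socket.inet_ntoa(ip[16:20]),
               "Protocol": ip[9], "TTL": ip[8], "Length": struct.unpack("!H", ip[2:4])[0],
               "SrcPort": None, "DstPort": None}
        if rec["Protocol"] in (6, 17) and len(ip) >= ihl + 4:   # TCP/UDP ports follow the IP header
            rec["SrcPort"], rec["DstPort"] = struct.unpack("!HH", ip[ihl:ihl + 4])
        records.append(rec)
    return records

def top_n(records, key, n=20):
    """Top 20 query: (Key, Packets, %) rows for the most frequent values of one attribute."""
    counts = Counter(r[key] for r in records)
    return [(k, c, round(100.0 * c / len(records), 1)) for k, c in counts.most_common(n)]

def distribution(records, key):
    """Distribution query: x-axis value -> y-axis packet count, sorted by value."""
    return dict(sorted(Counter(r[key] for r in records if r[key] is not None).items()))

def _frame(src, dst, proto, ttl, sport=0, dport=0, payload=b""):
    """Constructed Ethernet/IPv4 frame with a minimal 8-byte transport header (enough for ports)."""
    l4 = struct.pack("!HHI", sport, dport, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, ttl, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip + l4

def build_sample_capture():
    """Constructed sample standing in for an exported gzip pcap: 10 packets to one zone address."""
    frames = [_frame("198.51.100.7", "203.0.113.10", 17, 64, 40000 + i, 53) for i in range(6)]
    frames += [_frame("198.51.100.8", "203.0.113.10", 6, 128, 50000 + i, 80) for i in range(3)]
    frames += [_frame("192.0.2.1", "203.0.113.10", 1, 255)]
    out = struct.pack("<IHHiIII", LE_MAGICS[0], 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f
    return gzip.compress(out)

if __name__ == "__main__":
    recs = parse_capture(build_sample_capture())
    print("Top 20 SrcIP:", top_n(recs, "SrcIP"))
    print("Distribution TTL:", distribution(recs, "TTL"))
```

To run it on a real export, replace build_sample_capture() with the bytes of the downloaded .gz file; SrcReservedPorts/DstReservedPorts and the Packets List view are not reproduced.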
Importing Packet-Dump Capture Files
You can import packet-dump capture files from a network server to the Guard module to analyze past events or to compare current network traffic patterns with traffic patterns that the Guard module recorded previously under normal traffic conditions. The Guard module imports both files that make up a packet-dump capture: the XML file and the PCAP file.
To import a packet-dump capture, perform the following steps:
Step 1
From the navigation pane, choose a zone. The zone main menu appears.
Step 2
From the zone main menu, choose Diagnostics > Packet-Dump > Packet-Dump List. The Packet-dump List screen appears.
Step 3
Click Import. The Import FTP Server Parameters window opens.
Step 4
In the File Name field, enter the complete path and filename, excluding the file extension, of the file to import. If you do not specify a path, the server copies the file from your home directory.
Note
Do not specify the file extension; doing so causes the import process to fail.
Step 5
From the Select File Server Parameters form, choose the network server to use:
• Use automatic export file server definitions—Imports the packet-dump capture files from the network servers that you defined in the Guard module configuration by using the CLI export packet-dump command.
• Use the following server definition—Imports the packet-dump capture files from the network server that you define. Enter the following network server information:
  – Transfer method—Transfer protocol to use. The transfer method can be one of the following:
    FTP—Specifies FTP.
    SFTP—Specifies SFTP.
    SCP—Specifies SCP.
    Because SFTP and SCP rely on SSH for their secure transport, if you do not configure the key that the Guard module uses for the secure communication before you import packet-dump capture files from an SFTP or SCP server, the Guard module prompts you for the password. You can configure the key for SFTP and SCP only by using the Guard module CLI.
  – Address—IP address of the network server.
  – Path—Complete pathname from which the Guard module imports the packet-dump capture files. If you do not specify a path, the network server copies the packet-dump capture file from your home directory.
  – Username—Network server login name. The username argument is optional when you define an FTP server. When you do not enter a login name, the FTP server assumes an anonymous login and does not prompt you for a password.
  – Password—(Optional) Password for the remote FTP server. If you enter a username but do not enter a password, the Guard module prompts you for the password.
Step 6
Click OK to import the packet-dump capture file from the network server.
Deleting Packet-Dump Capture Files
By default, the Guard module allocates 20 MB of disk space for the manual packet-dump capture files of all zones. It can save up to 80 MB of manual and automatic packet-dump capture files of all zones. To free disk space for additional packet-dump capture files, delete the old ones.
You can save a maximum of 10 packet-dump capture files on the Guard module. You must delete old manual packet-dump capture files to make room for new files.
To delete a packet-dump capture, perform the following steps:
Step 1
From the navigation pane, choose a zone. The zone main menu appears.
Step 2
From the zone main menu, choose Diagnostics > Packet-Dump > Packet-Dump List. The Packet-dump List screen appears.
Step 3
Check the check box next to the packet-dump captures that you want to delete, and then click Delete. The Guard module deletes the packet-dump capture files.
To choose all of the packet-dump captures, check the check box in the table header.
Extracting and Using Signatures from Packet-Dump Captures
An attack signature describes the common pattern that appears in the payload of attack packets. You can activate the Guard module to generate the signature of anomalous traffic and then use this information to quickly identify future attacks of the same type. This feature allows you to detect new Distributed Denial of Service (DDoS) attacks and Internet worms, even before signatures are published (for example, from antivirus software companies or mailing lists).
The Guard module generates the attack signature using the flex-content filter pattern expression syntax. You can use this signature in the flex-content filter pattern to filter out anomalous traffic. See the "Understanding the Flex-Content Filter Pattern Syntax" section in Chapter 5, "Configuring Zone Filters."
You can specify an additional packet-dump capture file that the Guard module recorded during normal traffic conditions as a reference. If you specify a reference packet-dump capture file, the Guard module generates the signature from the anomalous traffic and reports the percentage of time that the signature is present in the traffic that was recorded during normal conditions. If the attack signature appears in a high percentage of the normal traffic recording, the signature may not be an accurate representation of the attack pattern, because a filter built from it would also match legitimate traffic.
This section contains the following topics:
• Extracting an Attack Signature from a Packet-Dump Capture
• Adding an Attack Signature to a Flex-Content Filter
• Using an Attack Signature as a Display Pattern for Displaying Packet-Dump Captures
Extracting an Attack Signature from a Packet-Dump Capture
To extract an attack signature from a packet-dump capture file, perform the following steps:
Step 1
From the navigation pane, choose a zone. The zone main menu appears.
Step 2
From the zone main menu, choose Diagnostics > Packet-Dump > Packet-Dump List. The Packet-dump List screen appears.
Step 3
Check the check box next to the packet-dump capture from which to extract the signature.
Step 4
(Optional) Check the check box next to the packet-dump capture that you want to use as a reference. The reference should be a capture file of traffic that was recorded during normal traffic conditions.
Step 5
Click View. The Packet-Dump Capture Analysis screen appears.
Step 6
(Optional) Click Swap Base and Reference to switch the two packet captures, making the base capture the reference capture, and the reference capture the base capture. The Guard module extracts the signature from the base capture.
Step 7
Click Extract Signatures. The Guard module extracts the signatures from the base packet-dump capture and opens the Packet-Dump Signature Extraction window.
Table 11-9 describes the signature information that the Guard module displays in the Packet-Dump Signature Extraction window.
Table 11-9 Packet-Dump Signature Extraction Parameters
Parameter | Description
Capture name | Name of the packet-dump capture from which the Guard module extracted the signature.
Pattern | List of the patterns (in an abbreviated format) that the Guard module extracted from the packet-dump capture. Move the mouse over the pattern to display the complete pattern.
Start offset | Offset, in bytes, from the beginning of the packet payload, where the pattern matching begins. The default is 0, which is the start of the payload.
End offset | Offset, in bytes, from the beginning of the packet payload, where the pattern matching ends. The default is the packet length, which is the end of the payload.
% Reference | Percentage of time that the signature is present in the reference capture file.
To add one of the signatures that the Guard module displays to a flex-content filter, see the "Adding an Attack Signature to a Flex-Content Filter" section.
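The reference scoring that the section introduction and Table 11-9 describe (a pattern common to the base capture, matched within Start offset/End offset, and scored by how often it also appears in the reference capture), as an added Python example that is not the Guard module's own algorithm: it uses a simple longest-common-substring heuristic over constructed sample payloads, and shows patterns as raw bytes because the flex-content pattern syntax lives in Chapter 5 and is not reproduced here.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass
class Signature:
    pattern: bytes              # common payload bytes found in the base (attack) capture
    start_offset: int           # byte offset from the start of the payload where matching begins
    end_offset: Optional[int]   # where matching ends; None means the packet length
    base_pct: float             # % of base payloads whose window contains the pattern
    reference_pct: float        # "% Reference": % of normal-traffic payloads that also contain it

def _window(payload, start, end):
    """The slice of the payload that the Start/End offsets allow matching against."""
    return payload[start:len(payload) if end is None else end]

def coverage(pattern, payloads, start=0, end=None):
    """Percentage of payloads whose offset window contains the pattern."""
    if not payloads:
        return 0.0
    hits = sum(1 for p in payloads if pattern in _window(p, start, end))
    return round(100.0 * hits / len(payloads), 1)

def extract_signatures(base, reference, start=0, end=None, min_len=6, max_len=64, min_base_pct=80.0):
    """Longest byte strings shared by at least min_base_pct of the base payloads,
    each scored by how often it also occurs in the reference (normal) capture."""
    found = []
    for length in range(max_len, min_len - 1, -1):       # longest candidates first
        grams = Counter()
        for p in base:
            w = _window(p, start, end)
            grams.update({w[i:i + length] for i in range(len(w) - length + 1)})  # once per payload
        for g, c in grams.items():
            pct = 100.0 * c / len(base)
            if pct >= min_base_pct and not any(g in s.pattern for s in found):  # drop substrings
                found.append(Signature(g, start, end, round(pct, 1), coverage(g, reference, start, end)))
    # lowest % Reference first: those separate attack traffic from normal traffic best
    return sorted(found, key=lambda s: (s.reference_pct, -len(s.pattern)))

# Constructed sample payloads standing in for the base and reference packet-dump captures.
BASE = [b"GET /index.html?id=%d HTTP/1.1\r\nUser-Agent: TestAgent/0.0\r\n\r\n" % i for i in range(10)]
REFERENCE = [b"GET /index.html?id=%d HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n\r\n" % i for i in range(6)]
REFERENCE += [b"GET /about.html HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
              b"POST /login HTTP/1.1\r\nUser-Agent: curl/7.0\r\n\r\n"]

if __name__ == "__main__":
    for s in extract_signatures(BASE, REFERENCE):
        print(f"{s.pattern!r} start={s.start_offset} end={s.end_offset} "
              f"base={s.base_pct}% reference={s.reference_pct}%")
```

Of the two candidates this finds, the request prefix scores 75% against the reference capture and would match normal users, while the user-agent tail scores 0% and is the one worth turning into a filter; raising Start offset past the prefix region drops the weak candidate entirely.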
Adding an Attack Signature to a Flex-Content Filter
The Guard module allows you to create a flex-content filter using a signature that it extracts from the packet-dump capture. You can then use the flex-content filter to block the zone traffic that matches the attack signature.
To add an attack signature to a flex-content filter, perform the following steps:
Step 1
Extract the signatures from a packet-dump capture. See the "Extracting an Attack Signature from a Packet-Dump Capture" section for more information.
Step 2
From the Packet-Dump Signature Extraction window, choose the signature that you want to use in the flex-content filter, and then click Insert Content Filter. The Flex-Content Filters > Add Filter - Step 2 screen appears.
Step 3
Configure the flex-content filter parameters. Table 11-10 describes the filter parameters listed in the Flex-Content Filter form.
Table 11-10 Flex-Content Filter Parameters
Parameter | Description
Description | Text describing the flex-content filter.
Protocol | Processes traffic using a specific protocol. Enter a protocol number from 0 to 255. To specify any protocol type, enter an asterisk (*). Refer to the Internet Assigned Numbers Authority (IANA) website for a list of valid protocol numbers: http://www.iana.org/assignments/protocol-numbers
Dst Port | Processes traffic flowing to a specific destination port. Enter a destination port number from 0 to 65535. To specify any destination port, enter an asterisk (*). Refer to the IANA website for a list of valid port numbers: http://www.iana.org/assignments/port-numbers
Expression | Filters traffic based on the specified expression (see the "Understanding the Flex-Content Expression Syntax" section in Chapter 5, "Configuring Zone Filters"). Enter the expression to use.
Pattern | Specifies the regular expression data pattern that is to be matched with the packet content (see the "Understanding the Flex-Content Filter Pattern Syntax" section in Chapter 5, "Configuring Zone Filters"). Enter the data pattern to use.
Match Case | Specifies whether the pattern that the filter matches is case sensitive. Check the check box to define the data pattern expression as case sensitive.
Start Offset | Specifies the offset (in bytes) from the beginning of the packet content where the pattern matching begins. The default is 0, which is the start of the payload. The start offset applies to the pattern field. Enter an integer from 0 to 2047.
End Offset | Specifies the offset (in bytes) from the beginning of the packet content where the pattern matching ends. The default is the packet length, which is the end of the payload. The end offset applies to the pattern field. Enter an integer from 0 to 2047.
Action | Specifies the action that the flex-content filter performs on the traffic. Choose one of the following actions from the Action drop-down list:
  • count—Counts the traffic flow packets that match the filter.
  • drop—Drops the traffic flow packets that match the filter.
State | Specifies the operating state of the flex-content filter. Choose one of the following operating states from the State drop-down list:
  • enable—The Guard module applies the filter to the traffic flow and executes the configured action on the flow that matches the filter.
  • disable—The Guard module does not apply the filter to the traffic flow.
Step 4
Click OK to save the new flex-content filter.
Using an Attack Signature as a Display Pattern for Displaying Packet-Dump Captures
The Guard module allows you to filter the packet-dump capture display using a signature that it extracts from the packet-dump capture.
To use an attack signature as a display pattern for displaying packet-dump captures, perform the following steps:
Step 1
Extract the signatures from a packet-dump capture. See the "Extracting an Attack Signature from a Packet-Dump Capture" section for more information.
Step 2
From the Packet-Dump Signature Extraction window, choose the signature that you want to use as the display pattern, and then click Use as View Filter. The Packet-Dump Capture analysis screen appears.
Table 11-11 describes the information that the Guard module displays in the Capture and View parameter areas of the Packet-Dump capture analysis screen.
Table 11-11 Packet-Dump Capture and View Parameters
Screen Area | Parameter | Description
Capture parameters | Name | Name of the capture file.
Capture parameters | Start time | Time that the capture started.
Capture parameters | End time | Time that the capture ended.
Capture parameters | Packets | Number of packets that the capture file contains.
Capture parameters | Packet Dump filter | User-defined filter that the Guard module used when recording traffic. The filter is in TCPDump format. The expression rules are identical to the flex-content filter expression rules.
Capture parameters | Dispatch | Traffic type that the Guard module recorded:
  • All—All traffic.
  • Dropped—Traffic that the Guard module dropped.
  • Forwarded—Legitimate traffic that the Guard module forwarded on to the zone.
  • Replied—Traffic that the Guard module anti-spoofing and anti-zombie functions sent back to the source in a verification attempt.
View parameters | Query | Data profile that the Guard module uses to display the capture information:
  • Top 20: SrcIP / DstIP / SrcPort / DstPort / Protocol
  • Distribution: SrcIP / DstIP / SrcPort / DstPort / SrcReservedPorts / DstReservedPorts / Protocol / TTL / Length
  • Packets list
  See Table 11-7 for details about the information that the Guard module displays for each of the query types.
View parameters | Display filter | Filter that the Guard module uses when displaying the packet-dump capture file. The Guard module displays only the portion of the packet-dump capture file that matches the filter criteria. The expression rules are identical to the flex-content filter expression rules.
Table 11-12 describes the capture information that the Guard module displays, which varies based on the type of query that you choose (see the "Changing the Packet-Dump Capture Details Screen View" section).
Table 11-12 Capture Parameters Table and Graph Details
Query Type | Parameter | Description
Top 20/Criteria (Criteria: SrcIP, DstIP, SrcPort, DstPort, or Protocol) | # | Sequential number that the Guard module assigned to each incident that it recorded during the packet-dump capture.
Top 20/Criteria | Key | IP address, port number, or protocol number, which varies based on the query type that you chose.
Top 20/Criteria | Packets | Number of packets in the packet-dump capture that fit the criteria.
Top 20/Criteria | % | Percentage of packets in the packet-dump capture that fit the criteria.
Distribution/Criteria (Criteria: SrcIP, DstIP, SrcPort, DstPort, SrcReservedPorts, DstReservedPorts, Protocol, TTL, or Length) | x-axis | Units of the distribution attribute that you select, such as IP address, port number, or protocol number.
Distribution/Criteria | y-axis | Number of packets.
Packets List | # | Sequential number that the Guard module assigned to each incident that it recorded during the packet-dump capture.
Packets List | Time | Time that the packet was captured.
Packets List | SrcIp | Source IP address of the packets.
Packets List | SrcPort | Source port of the packets.
Packets List | DstIp | Destination IP address of the packets.
Packets List | DstPort | Destination port of the packets.
Packets List | Protocol | Protocol number of the packets.
Packets List | Info | Additional information on the packets.
Note
To sort the information in a Top 20 table and a Packets List table based on the column information, click on the table column header.