Monitoring the Sensor

Table Of Contents

Monitoring the Sensor

Denied Attackers

Overview

Supported User Role

Field Definitions

Monitoring the Denied Attackers List

Configuring IP Logging

Overview

Supported User Role

Field Definitions

IP Logging Panel

Add and Edit IP Logging Dialog Boxes

Configuring IP Logging


Monitoring the Sensor


This chapter describes how to monitor and clear the denied attackers list, and how to configure and download IP logs. It contains the following sections:

Denied Attackers

Configuring IP Logging

Denied Attackers

This section describes how to monitor and clear the denied attackers list, and contains the following topics:

Overview

Supported User Role

Field Definitions

Monitoring the Denied Attackers List

Overview

The Denied Attackers panel displays all IP addresses and the hit count for denied attackers. You can reset the hit count for all IP addresses or clear the list of denied attackers.

Supported User Role

The following user roles are supported:

Administrator

Operator

Viewer

You must be Administrator to monitor and clear the denied attackers list.

Field Definitions

The following fields and buttons are found on the Denied Attackers panel.

Field Descriptions:

IP Address—IP address of the host that the sensor is denying.

Hit Count—Displays the hit count for that denied attacker.

Button Functions:

Reset All Hit Counts—Clears the hit count for the denied attackers.

Clear List—Clears the list of the denied attackers.

Refresh—Refreshes the contents of the panel.

Monitoring the Denied Attackers List

To view the list of denied attackers and their hit counts, follow these steps:


Step 1 Click Monitoring > Denied Attackers.

The Denied Attackers panel appears.

Step 2 Click Refresh to refresh the list.

Step 3 Click Reset All Hit Counts to have the hit count start over.

Step 4 Click Clear List to clear the entire list of denied attackers.


Configuring IP Logging

The simplest IP logging consists of an IP address. You can configure the sensor to capture all IP traffic associated with a host you specify by IP address. The sensor begins collecting as soon as it sees the first IP packet with this IP address and continues collecting according to the parameters that you have set. You can specify how long (in minutes) you want IP traffic to and from the IP address to be logged, and/or how many packets you want logged, and/or how many bytes you want logged. The sensor stops logging IP traffic as soon as the first of the limits you specify is reached.

Log files are in one of three states:

Added—The IP log has been added, but the sensor has not yet seen a packet from the host.

Started—The sensor has seen the first packet; the log file is opened and placed into the Started state.

Completed—The IP logging limit has been reached (or the log has been stopped).

The number of files in all three states is limited to 20. The IP logs are stored in a circular buffer that is never filled because new IP logs overwrite the old ones.


Note Logs remain on the sensor until the sensor reclaims them. You cannot manage IP log files on the sensor.


You can copy IP log files to an FTP or SCP server so that you can view them with a packet analysis tool such as Wireshark or tcpdump. The files are stored in PCAP binary form with the pcap file extension.
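Because a downloaded IP log is a classic pcap file, its contents can be checked against the Packets Captured and Bytes Captured columns without opening it in Wireshark. The following Python script is an added example, not part of this chapter or of Cisco's software: it builds a constructed pcap in memory, walks the records, and tallies the packets that involve the logged host. The sample addresses and timestamps are constructed, and the assumption that Bytes Captured counts the captured frame bytes is the example's own.

```python
"""Sanity-check a downloaded IP log (.pcap) against the counts shown on the IP Logging panel."""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional

PCAP_MAGIC = 0xA1B2C3D4        # microsecond-resolution classic pcap, in the writer's byte order
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # what PCAP_MAGIC looks like when read in the other byte order
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


@dataclass
class PcapSummary:
    packets: int = 0
    bytes_captured: int = 0          # sum of captured lengths (assumed to match Bytes Captured)
    first_ts: Optional[float] = None   # analogous to Start Time
    last_ts: Optional[float] = None    # analogous to Current End Time
    peers: set = field(default_factory=set)  # other hosts the logged host talked to


def build_ipv4_frame(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed Ethernet + IPv4 frame (dummy MACs, no transport header) for the sample file."""
    eth = b"\x00" * 6 + b"\x00" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip + payload


def build_pcap(frames) -> bytes:
    """Constructed little-endian pcap: 24-byte global header, then one 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def summarize_ip_log(data: bytes, host: str) -> PcapSummary:
    """Walk the pcap records and tally every IPv4 packet whose source or destination is `host`."""
    if len(data) < 24:
        raise ValueError("file is shorter than a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        endian = ">"
    else:
        raise ValueError(f"not a classic pcap file (magic {magic:#x})")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unexpected link type {linktype}")

    target = IPv4Address(host)
    summary = PcapSummary()
    offset = 24
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated record header")
        sec, usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet data")
        offset += incl_len
        # Skip anything that is not a full Ethernet + IPv4 header.
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        src, dst = IPv4Address(frame[26:30]), IPv4Address(frame[30:34])
        if target not in (src, dst):
            continue
        ts = sec + usec / 1_000_000
        summary.packets += 1
        summary.bytes_captured += incl_len
        summary.first_ts = ts if summary.first_ts is None else min(summary.first_ts, ts)
        summary.last_ts = ts if summary.last_ts is None else max(summary.last_ts, ts)
        summary.peers.add(str(dst if src == target else src))
    return summary


def matches_panel(summary: PcapSummary, packets_captured: int, bytes_captured: int) -> bool:
    """Compare the file with the Packets Captured and Bytes Captured values shown for the log."""
    return summary.packets == packets_captured and summary.bytes_captured == bytes_captured


# Constructed sample: three frames involving the logged host and one unrelated frame.
SAMPLE_HOST = "192.0.2.10"
SAMPLE_PCAP = build_pcap([
    (1700000000.000100, build_ipv4_frame("192.0.2.10", "198.51.100.5", b"A" * 20)),
    (1700000000.250000, build_ipv4_frame("198.51.100.5", "192.0.2.10", b"B" * 40)),
    (1700000001.000000, build_ipv4_frame("203.0.113.7", "203.0.113.8", b"C" * 10)),
    (1700000002.500000, build_ipv4_frame("192.0.2.10", "203.0.113.9", b"D" * 6)),
])

if __name__ == "__main__":
    result = summarize_ip_log(SAMPLE_PCAP, SAMPLE_HOST)
    print(result)
    print("matches panel:", matches_panel(result, 3, 168))
```

The peers set is the useful by-product for an analyst: a log that was triggered by a Log Attacker Packets or Log Victim Packets event action should show the other side of the attack among them.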


Caution Turning on IP logging slows system performance.

This section contains the following topics:

Overview

Supported User Role

Field Definitions

Configuring IP Logging

Overview

The IP Logging panel displays all IP logs that are available for downloading on the system.

IP logs are generated in two ways:

When you add IP logs in the Add IP Logging dialog box

When you select one of the following as the event action for a signature:

Log Attacker Packets

Log Pair Packets

Log Victim Packets

When the sensor detects an attack based on this signature, it creates an IP log. The event alert that triggered the IP log appears in the IP logging table.

Supported User Role

The following user roles are supported:

Administrator

Operator

You must be Administrator or Operator to configure IP logging.

Field Definitions

This section lists the field definitions for IP logging, and contains the following topics:

IP Logging Panel

Add and Edit IP Logging Dialog Boxes

IP Logging Panel

The following fields and buttons are found on the IP Logging panel.

Field Descriptions:

Log ID—ID of the IP log.

IP Address—IP address of the host for which the log is being captured.

Status—Status of the IP log.

Valid values are added, started, or completed.

Event Alert—Event alert, if any, that triggered the IP log.

Start Time—Timestamp of the first captured packet.

Current End Time—Timestamp of the last captured packet.

There is no timestamp if the capture is not complete.

Packets Captured—Current count of the packets captured.

Bytes Captured—Current count of the bytes captured.

Button Functions:

Add—Opens the Add IP Logging dialog box.

From this dialog box, you can add an IP log.

Edit—Opens the Edit IP Logging box.

From this dialog box, you can change the values associated with this IP log.

Download—Downloads the selected IP log to your local machine as a pcap file.

Stop—Stops capturing for an IP log that is started.

Refresh—Refreshes the contents of the table.

Add and Edit IP Logging Dialog Boxes

The following fields and buttons are found in the Add and Edit IP Logging dialog boxes.

Field Descriptions:

IP Address—IP address of the host for which the log is being captured.

Maximum Values—Lets you set the values for IP logging.

Duration—Maximum duration to capture packets.

The range is 1 to 60 minutes.

Packets—Maximum number of packets to capture.

The range is 1 to 4294967295 packets. This field is optional.

Bytes—Maximum number of bytes to capture.

The range is 0 to 4294967295 bytes. This field is optional.

Button Functions:

Apply—Accepts your changes and closes the dialog box.

Cancel—Discards your changes and closes the dialog box.

Help—Displays the help topic for this feature.

Configuring IP Logging

To log IP traffic for a particular host, follow these steps:


Step 1 Click Monitoring > IP Logging.

The IP Logging panel appears.

Step 2 Click Add to add IP logging.

The Add IP Logging dialog box appears.

Step 3 Type the IP address of the host whose IP traffic you want to capture.

You receive an error message if an IP log for that address already exists and is in the Added or Started state.

Step 4 Type how many minutes you want IP logs to be captured in the Duration field.

Step 5 (Optional) Type how many packets you want to be captured in the Packets field.

Step 6 (Optional) Type how many bytes you want to be captured in the Bytes field.

Step 7 Click Apply to apply your changes and save the revised configuration.

The IP log with a log ID appears in the list on the IP Logging panel.

Step 8 To edit an existing log entry in the list, select it, and click Edit.

The Edit IP Logging dialog box appears.

Step 9 Edit the duration you want packets to be captured.

Step 10 Click Apply to apply your changes and save the revised configuration.

The edited IP log appears in the list on the IP Logging panel.

Step 11 To stop IP logging, select the log ID for the log you want to stop and click Stop.

The Stop IP Logging dialog box appears.

Step 12 Click OK to stop IP logging for that log.

Step 13 To download an IP log, select the log ID, and click Download.

The Save As dialog box appears.

Step 14 Save the log to your local machine. You can view it with Wireshark.
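The rules spread across this section (the Added, Started and Completed states, capture ending at the first limit reached, the 20-entry circular buffer, the field ranges in the Add and Edit IP Logging dialog boxes, the error for a duplicate address in the Added or Started state, and the Stop button) can be summarized as one small state machine. The following Python model is an added example written for this page; it is not sensor code and its class and method names are the example's own. It uses seconds since an arbitrary epoch for timestamps and stands in for what the Add dialog box and the sensor do, so that the behaviour can be reasoned about before touching a live device.

```python
"""Model of the IP-logging rules this chapter describes (added example, not sensor code)."""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address
from typing import List, Optional

MAX_IP_LOGS = 20             # files in all three states combined
MAX_DURATION_MINUTES = 60    # Duration field range: 1 to 60 minutes
UINT32_MAX = 4294967295      # upper bound of the Packets and Bytes fields


class LogState(Enum):
    ADDED = "added"            # configured, no packet from the host seen yet
    STARTED = "started"        # first packet seen, log file opened
    COMPLETED = "completed"    # a limit was reached, or the log was stopped


@dataclass
class IPLog:
    log_id: int
    ip_address: str
    duration_minutes: int
    max_packets: Optional[int] = None
    max_bytes: Optional[int] = None
    state: LogState = LogState.ADDED
    start_time: Optional[float] = None    # Start Time column
    end_time: Optional[float] = None      # Current End Time column, set only on completion
    last_packet_time: Optional[float] = None
    packets: int = 0                      # Packets Captured column
    bytes_captured: int = 0               # Bytes Captured column


class IPLogTable:
    """The IP logs on a sensor, kept as a circular buffer of MAX_IP_LOGS entries."""

    def __init__(self, capacity: int = MAX_IP_LOGS) -> None:
        self.capacity = capacity
        self.logs: List[IPLog] = []
        self._next_id = 1

    def add(self, ip: str, duration: int, packets: Optional[int] = None,
            bytes_: Optional[int] = None) -> IPLog:
        """Mirror the Add IP Logging dialog box: validate the ranges and reject duplicates."""
        ip = str(ip_address(ip))
        if not 1 <= duration <= MAX_DURATION_MINUTES:
            raise ValueError("Duration must be 1 to 60 minutes")
        if packets is not None and not 1 <= packets <= UINT32_MAX:
            raise ValueError("Packets must be 1 to 4294967295")
        if bytes_ is not None and not 0 <= bytes_ <= UINT32_MAX:
            raise ValueError("Bytes must be 0 to 4294967295")
        for log in self.logs:
            if log.ip_address == ip and log.state is not LogState.COMPLETED:
                raise ValueError(f"IP log {log.log_id} for {ip} already exists "
                                 f"in the {log.state.value} state")
        if len(self.logs) >= self.capacity:
            self.logs.pop(0)   # circular buffer: the oldest log is overwritten, never refused
        log = IPLog(self._next_id, ip, duration, packets, bytes_)
        self._next_id += 1
        self.logs.append(log)
        return log

    def tick(self, now: float) -> None:
        """Complete any started log whose duration has elapsed; no packet is needed for this."""
        for log in self.logs:
            if (log.state is LogState.STARTED
                    and now - log.start_time >= log.duration_minutes * 60):
                self._complete(log)

    def packet_seen(self, src: str, dst: str, size: int, now: float) -> Optional[IPLog]:
        """Attribute one packet to the log for its source or destination host, if one is active."""
        self.tick(now)
        for log in self.logs:
            if log.ip_address not in (src, dst) or log.state is LogState.COMPLETED:
                continue
            if log.state is LogState.ADDED:
                log.state, log.start_time = LogState.STARTED, now
            log.packets += 1
            log.bytes_captured += size
            log.last_packet_time = now
            # Whichever limit is reached first ends the capture.
            if ((log.max_packets is not None and log.packets >= log.max_packets)
                    or (log.max_bytes is not None and log.bytes_captured >= log.max_bytes)):
                self._complete(log)
            return log
        return None

    def stop(self, log_id: int) -> IPLog:
        """The Stop button: end a capture that is in the Started state."""
        log = next(entry for entry in self.logs if entry.log_id == log_id)
        if log.state is LogState.STARTED:
            self._complete(log)
        return log

    @staticmethod
    def _complete(log: IPLog) -> None:
        log.state = LogState.COMPLETED
        log.end_time = log.last_packet_time   # timestamp of the last captured packet
```

Feeding the model a stream of (source, destination, size, time) tuples shows why the Packets and Bytes fields are optional: with only a Duration set, a busy host produces up to 60 minutes of traffic per log, while a packet or byte cap bounds the file size and, with it, the performance cost the caution above warns about.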