- Preface
- Introducing the CLI Configuration Guide
- Logging In to the Sensor
- Initializing the Sensor
- Setting Up the Sensor
- Configuring Interfaces
- Configuring the Virtual Sensor
- Configuring Event Action Rules
- Defining Signatures
- Configuring Anomaly Detection
- Configuring Global Correlation
- Configuring External Product Interfaces
- Configuring IP Logging
- Configuring and Capturing Live Traffic on an Interface
- Configuring Attack Response Controller for Blocking and Rate Limiting
- Configuring SNMP
- Working With Configuration Files
- Administrative Tasks for the Sensor
- Configuring the ASA 5500 AIP SSM
- Configuring the ASA 5500-X IPS SSP
- Configuring the ASA 5585-X IPS SSP
- Understanding Cisco IPS Software
- Upgrading, Downgrading, and Installing System Images
- System Architecture
- Signature Engines
- Troubleshooting
- CLI Error Messages
- Open Source License Files
- Glossary
- Index
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.1
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
- Updated:
- October 22, 2014
Chapter: Configuring IP Logging
Configuring IP Logging
This chapter describes how to configure IP logging on the sensor. It contains the following sections:
IP Logging Notes and Caveats
The following notes and caveats apply to IP logging:
- Enabling IP logging slows down system performance.
- IP logging allows a maximum limit of 20 concurrent IP log files. Once the limit of 20 is reached, you receive the following message in main.log:
Cid/W errWarnIpLogProcessor::addIpLog: Ran out of file descriptors. - You cannot delete or manage IP log files. The no iplog command does not delete IP logs, it only stops more packets from being recorded for that IP log. IP logs are stored in a circular buffer that is never filled because new IP logs overwrite old ones.
- You can configure IP logging restrictions using the permit-packet-logging true | false command.
- On IPS sensors with multiple processors (for example, the IPS 4260 and IPS 4270-20), packets may be captured out of order in the IP logs and by the packet command. Because the packets are not processed using a single processor, the packets can become out of sync when received from multiple processors.
For detailed information about the packet-related command restrictions, see Configuring Packet Command Restriction.
Understanding IP Logging
You can manually configure the sensor to capture all IP traffic associated with a host you specify by IP address. You can specify how long you want the IP traffic to be logged, how many packets you want logged, and how many bytes you want logged. The sensor stops logging IP traffic at the first parameter you specify.
You can also have the sensor log IP packets every time a particular signature is fired. You can specify how long you want the sensor to log IP traffic and how many packets and bytes you want logged.
You can copy the IP logs from the sensor and have them analyzed by a tool that can read packet files in a libpcap format, such as Wireshark or TCPDUMP.
Note
Each alert references IP logs that are created because of that alert. If multiple alerts create IP logs for the same IP address, only one IP log is created for all the alerts. Each alert references the same IP log. However, the output of the IP log status only shows the event ID of the first alert triggering the IP log.
Note IP logging allows a maximum limit of 20 concurrent IP log files. Once the limit of 20 is reached, you receive the following message in main.log: Cid/W errWarnIpLogProcessor::addIpLog: Ran out of file descriptors.
Configuring Automatic IP Logging
Use the ip-log-packets number , ip-log-time number , and ip-log-bytes number commands to configure automatic IP logging parameters on the sensor.
- ip-log-packets —Identifies the number of packets you want logged. The valid value is 0 to 65535. The default is 0.
- ip-log-time —Identifies the duration in seconds you want the sensor to log packets. The valid value is 30 to 300 seconds. The default is 30 seconds.
- ip-log-bytes —Identifies the maximum number of bytes you want logged. The valid value is 0 to 2147483647. The default is 0.
- default —Resets the parameters.
Note An automatic IP log continues capturing packets until one of these parameters is reached.
Automatic IP logging is configured on a per signature basis or as an event action override. The following actions trigger automatic IP logging:
Configuring Automatic IP Logging
To configure automatic IP logging parameters, follow these steps:
Log in to the CLI using an account with administrator or operator privileges.
Step 2 Enter signature definition IP log configuration submode.
sensor(config)# service signature-definition sig0
Step 3 Specify the number of packets you want the sensor to log. The range is 0 to 65535.
Step 4 Specify the duration in seconds you want the sensor to log packets. The range is 30 to 300 seconds.
Step 5 Specify the number of bytes you want logged. The range is 0 to 2147483647.
Step 7 Exit IP logging submode.
Step 8 Press Enter to apply the changes or type no to discard the changes.
- To copy and view an IP log file, see Copying IP Log Files to Be Viewed.
- For more information on event actions, see Assigning Actions to Signatures and Configuring Event Action Overrides.
Configuring Manual IP Logging for a Specific IP Address
Use the iplog name ip_address [ duration minutes ] [ packets numPackets ] [ bytes numBytes ] command to log IP packets manually on a virtual sensor for a specific IP address. The following options apply:
- name—Specifies the virtual sensor on which to begin and end logging.
- ip_address —Logs packets containing the specified source and/or destination IP address.
- minutes — Specifies the duration the logging should be active. The valid range is 1 to 60 minutes. The default is 10 minutes.
- numPackets — Specifies the maximum number of packets to log. The valid range is 0 to 4294967295. The default is 1000 packets.
- numBytes — Specifies the m aximum number of bytes to log. The valid range is 0 to 4294967295. A value of 0 indicates unlimited bytes.
Note The minutes, numPackets, and numBytes parameters are optional, you do not have to specify all three. However, if you include more than one parameter, the sensor continues logging only until the first threshold is reached. For example, if you set the duration to 5 minutes and the number of packets to 1000, the sensor stops logging after the 1000th packet is captured, even if only 2 minutes have passed.
To manually log packets on a virtual sensor for a specific IP address, follow these steps:
Log in to the CLI using an account with administrator or operator privileges.
Step 2 Start IP logging for a specific IP address. The range is 1 to 60 minutes.
The example shows the sensor logging all IP packets for 5 minutes to and from the IP address 192.0.2.1.
Note Make note of the Log ID for future reference.
Step 3 Monitor the IP log status with the iplog-status command.
Note Each alert references IP logs that are created because of that alert. If multiple alerts create IP logs for the same IP address, only one IP log is created for all the alerts. Each alert references the same IP log. However, the output of the IP log status only shows the event ID of the first alert triggering the IP log.
- To stop logging IP packets for a specific IP address, see Stopping Active IP Logs.
- To log IP packets as an event associated with a signature, see Configuring Automatic IP Logging.
- To copy and view an IP log file, see Copying IP Log Files to Be Viewed.
Displaying the Contents of IP Logs
Use the iplog-status [ log-id log_id ] [ brief ] [ reverse ] [ | { begin regular_expression | exclude regular_expression | include regular_expression }] command to display the description of the available IP log contents.
When the log is created, the status reads added . If and when the first entry is inserted in the log, the status changes to started . When the log is completed, because it reaches the packet count limit, for example, the status changes to completed .
- log_id —(Optional) Specifies the log ID of the file for which you want to see the status.
- brief —(Optional) Displays a summary of IP log status information for each log.
- reverse —(Optional) Displays the list in reverse chronological order (newest log first).
- |—(Optional) Indicates that an output processing specification follows.
- regular_expression —Specifies any regular expression found in the IP log status output.
- begin —Searches the output of the more command and displays the output from the first instance of a specified string.
- exclude —Filters the IP log status output so that it excludes lines that contain a particular regular expression.
- include —Filters the IP log status output so that it includes lines that contain a particular regular expression.
To view the contents of IP logs, follow these steps:
Log in to the CLI.
Step 2 Display the status of all IP logs.
Step 3 Display a brief list of all IP logs.
Stopping Active IP Logs
Use the no iplog [ log-id log_id | name name ] command to stop logging for the logs that are in the started state and to remove logs that are in the added state. The no iplog command does not remove or delete the IP log. It only signals to the sensor to stop capturing additional packets on that IP log.
Note Using the no iplog command on an added state IP log stops the IP log. The added state means that the IP log is still empty (no packets). Stopping it when there are no packets means you are stopping an empty IP log. An empty log is removed when it is stopped.
- log_id —Specifies the log ID of the logging session to stop. Use the iplog-status command to find the log ID.
- name— Specifies the virtual sensor on which to begin or end logging.
To disable one or all IP logging sessions, follow these steps:
Log in to the CLI using an account with administrator or operator privileges.
Step 2 Stop a particular IP logging session:
a. Find the log ID of the session you want to stop.
Note Each alert references IP logs that are created because of that alert. If multiple alerts create IP logs for the same IP address, only one IP log is created for all the alerts. Each alert references the same IP log. However, the output of the IP log status only shows the event ID of the first alert triggering the IP log.
Step 3 Stop all IP logging sessions on a virtual sensor.
Step 4 Verify that IP logging has been stopped. When the logs are stopped, the status shows them as completed.
Copying IP Log Files to Be Viewed
Use the copy iplog log_id destination_url command to copy IP log files to an FTP or SCP server so that you can view them with a sniffing tool such as Ethereal or tcpdump. The following options apply:
- log_id —Specifies the log ID of the logging session. You can retrieve the log ID using the iplog-status command.
- destination_url —Specifies the location of the destination file to be copied. It can be a URL or a keyword.
The exact format of the source and destination URLs varies according to the file. Here are the valid types:
ftp://[[username@] location]/relativeDirectory]/filename
ftp://[[username@]location]//absoluteDirectory]/filename
scp://[[username@] location]/relativeDirectory]/filename
scp://[[username@] location]//absoluteDirectory]/filename
When you use FTP or SCP protocol, you are prompted for a password.
To copy IP log files to an FTP or SCP server, follow these steps:
Log in to the CLI.
Step 2 Monitor the IP log status with the iplog-status command until you see that the status reads completed for the log ID of the log file that you want to copy.
Step 3 Copy the IP log to your FTP or SCP server.
Step 4 Open the IP log using a sniffer program such as Wireshark or TCPDUMP. For more information on Wireshark, go to http://www.wireshark.org . For more information on TCPDUMP, go to http://www.tcpdump.org/ .
Feedback