I'm a recent Cisco ASA convert. I'm in an academic environment so bittorrent (and P2P in general) is permitted. We get an occasional DMCA takedown request. Finding the culprit in the ASA world was pretty straightforward: grep the syslog for the NATed port and see if there was a match near the alleged infringement time. I'm having a difficult time figuring out how to identify alleged infringers in Palo Alto land.
This sample notice contains the only material I have to work with from the copyright holder:
Infringing Work : AVENGERS (2012), THE
Filename : The Avengers 2012 HQ TS[ [Eng subs when needed P1RAT3-RG
First found (UTC): 2012-10-23T11:30:51.56Z
Last found (UTC): 2012-10-23T11:33:00.20Z
Filesize : 1789259900 bytes
IP Address: 22.214.171.124
IP Port: 36028
I was thinking that searching the traffic log for ( port.dst eq 36028 ) and ( time_generated leq '2012/10/23 08:00:00' ) (we're GMT -4) would do the trick. Plenty of bittorrent application matches but I haven't found anything close to the time. This has been the case for each takedown notice received since my PA installation.
Ideas of where I'm going wrong?
Using port.dst and port.src (or just port) will give you the pre-natted information. If you're looking for logs that match up with an entity on the public Internet, then you'll want to use queries like this:
(natsport eq 36028) and (natdport eq 36028)
Generally speaking, most outbound NAT implementations don't modify the destination port - so try it with (natsport eq 36028) and see if that works.
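As an added worked example (written for this thread, not code from the original posters or from Palo Alto Networks), the script below does the search the answer describes offline: it converts the notice's UTC window into the firewall's local time (GMT-4, as in the question), then matches rows on the post-NAT source address and port rather than on port.src/port.dst. The traffic-log rows and the internal addresses are constructed; the column names natsrc, natdst, natsport and natdport are assumed to mirror the PAN-OS filter fields named in the thread, so adjust them to your own CSV export.

```python
"""Match a DMCA notice against PAN-OS traffic-log rows using post-NAT fields."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Fields taken from the thread's sample notice.
NOTICE = {
    "ip": "22.214.171.124",
    "port": 36028,
    "first_found_utc": "2012-10-23T11:30:51.56Z",
    "last_found_utc": "2012-10-23T11:33:00.20Z",
}

# Constructed traffic-log export (internal hosts and peers are made up).
# Column names are an assumption modelled on the PAN-OS log filter fields.
SAMPLE_LOG = """\
receive_time,src,dst,sport,dport,natsrc,natdst,natsport,natdport,app,action
2012/10/23 07:31:02,10.20.30.40,203.0.113.9,51234,6881,22.214.171.124,203.0.113.9,36028,6881,bittorrent,allow
2012/10/23 07:45:10,10.20.30.41,198.51.100.7,36028,443,22.214.171.124,198.51.100.7,41002,443,ssl,allow
2012/10/23 11:31:40,10.20.30.42,203.0.113.9,55555,6881,22.214.171.124,203.0.113.9,36028,6881,bittorrent,allow
"""

# The poster is at GMT-4; assumed to be the firewall's clock as well.
LOCAL_TZ = timezone(timedelta(hours=-4))


def notice_window_local(first_utc, last_utc, slack_minutes=10):
    """Convert the notice's UTC window to firewall-local time, widened by slack on each side."""
    def parse(ts):
        # Notice timestamps carry fractional seconds and a trailing Z.
        return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    slack = timedelta(minutes=slack_minutes)
    start = (parse(first_utc) - slack).astimezone(LOCAL_TZ)
    end = (parse(last_utc) + slack).astimezone(LOCAL_TZ)
    return start, end


def find_candidates(log_csv, notice, slack_minutes=10):
    """Return rows whose post-NAT source (natsrc/natsport) equals the notice's IP/port inside the window."""
    start, end = notice_window_local(
        notice["first_found_utc"], notice["last_found_utc"], slack_minutes)
    hits = []
    for row in csv.DictReader(io.StringIO(log_csv)):
        # receive_time in the export is local time with no zone suffix.
        ts = datetime.strptime(row["receive_time"], "%Y/%m/%d %H:%M:%S").replace(tzinfo=LOCAL_TZ)
        if not (start <= ts <= end):
            continue
        # Compare the NAT columns, not sport/dport: the pre-NAT sport is the
        # internal host's ephemeral port and will not equal the notice port.
        if row["natsrc"] == notice["ip"] and int(row["natsport"]) == notice["port"]:
            hits.append(row)
    return hits


def pre_nat_match_count(log_csv, notice):
    """Count rows whose *pre-NAT* source port equals the notice port: what port.src searches would return."""
    return sum(1 for r in csv.DictReader(io.StringIO(log_csv))
               if int(r["sport"]) == notice["port"])


if __name__ == "__main__":
    start, end = notice_window_local(NOTICE["first_found_utc"], NOTICE["last_found_utc"])
    print(f"searching local window {start:%Y/%m/%d %H:%M:%S} .. {end:%Y/%m/%d %H:%M:%S}")
    for hit in find_candidates(SAMPLE_LOG, NOTICE):
        print(f"{hit['receive_time']} internal host {hit['src']} app={hit['app']}")
    print(f"rows matching on pre-NAT port only: {pre_nat_match_count(SAMPLE_LOG, NOTICE)}")
```

On the constructed rows only the 07:31 bittorrent session from 10.20.30.40 matches; the 07:45 row is the sort of false positive a port.src search produces (an unrelated SSL session whose internal ephemeral port happened to be 36028), and the 11:31 row is outside the window once the notice's UTC times are converted to local time. A real export will usually need a wider slack, since the notice timestamps come from the monitoring party's clock.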
Respond to that threat by asking for the srcip and srcport used on their side (and when they reply with this information you can search for it as dstip and dstport in the PA logs).
If they refuse to answer then throw this threat to /dev/null.