Packet capture for specific ip like signature match


L4 Transporter

Hi,

I have configured the DNS sinkhole feature. The sinkholing is working fine, providing and blocking the fake IP. The only problem is that although I can get the original client IP connecting to the fake IP, I cannot find the payload (URL/resource being requested). Is there any way I can capture packets like spyware/vulnerability etc.? I checked these objects; however, I did not find an option for matching on the destination IP address.


L1 Bithead

Hi,

I haven't tried this myself yet, but you might be able to do it based on the following article, if you have a separate rule for the sinkhole traffic: How to Capture Traffic (PCAP) Hitting a Specific Rule

Edit: On 2nd thought, in the Anti-Spyware Profile -> DNS Signatures -> where you configure the action as 'sinkhole' there is an option to configure an extended pcap - does this not work?

Roland

L4 Transporter

Hello Sly_Cooper,

Since most people set up a fictitious IP address as their sinkhole IP address, there is no host on the other end. Any TCP traffic would not make it past the initial SYN requests. In order to capture some traffic, the destination host would have to be listening on the applicable port and get past the three-way handshake. The data following that would be what you are looking for. A sinkhole is just a destination for traffic to go to; its main benefit is identifying infected hosts based on seeing the traffic attempts to the destination IP address of the sinkhole.

Hope this helps,

Phil
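Phil's point above, that nothing past the SYN is visible unless something at the sinkhole address completes the handshake, is exactly what a small sinkhole listener supplies. The following is an added example, not code from this thread or from Palo Alto Networks: a Python listener bound to the sinkhole IP (assumed here; use whatever address your DNS sinkhole hands out) that accepts the TCP connection, records the client IP together with the HTTP request line and Host header the infected host sends, and answers with an empty response so nothing is served back. The `parse_http_request` and `SinkholeListener` names and the sample request in the usage are this example's own.

```python
import socket
import threading
# Fixed, content-free reply so the client finishes sending its request (constructed here).
SINKHOLE_RESPONSE = b"HTTP/1.1 204 No Content\r\nConnection: close\r\n\r\n"

def parse_http_request(payload):  # method, target and Host from an HTTP request, else None
    lines = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None  # not HTTP (e.g. a TLS ClientHello): only the connection is recorded
    host = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip()
    return {"method": parts[0], "target": parts[1], "host": host}

class SinkholeListener:  # completes the three-way handshake on the sinkhole IP and logs who asked for what
    def __init__(self, bind_addr="0.0.0.0", port=80):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((bind_addr, port))
        self._sock.listen(16)
        self._sock.settimeout(0.5)  # so the serve loop can notice stop()
        self.port = self._sock.getsockname()[1]  # the real port when 0 was requested
        self.records = []  # one dict per connection, for the analyst to review
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._thread.join(timeout=5)

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (client_ip, _) = self._sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(5)  # an infected client sends its request right after the handshake
                first = b""
                try:
                    first = conn.recv(4096)
                    conn.sendall(SINKHOLE_RESPONSE)
                except OSError:
                    pass  # client hung up or sent nothing before the timeout
                self.records.append({"client_ip": client_ip, "request": parse_http_request(first)})
        self._sock.close()
```

Run it on the host that owns the sinkhole address (port 80 needs privileges, or pick a high port and NAT to it); each entry in `records` gives the client IP and the resource it tried to fetch, which is the detail the firewall's own session log cannot show.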
