10-24-2012 11:04 AM
I'm a recent Cisco ASA convert. I'm in an academic environment so bittorrent (and P2P in general) is permitted. We get an occasional DMCA takedown request. Finding the culprit in the ASA world was pretty straightforward: grep the syslog for the NATed port and see if there was a match near the alleged infringement time. I'm having a difficult time figuring out how to identify alleged infringers in Palo Alto land.
This sample notice contains the only material I have to work with from the copyright holder:
INFRINGEMENT DETAIL
- ------------------------------
Infringing Work : AVENGERS (2012), THE
Filename : The Avengers 2012 HQ TS[ [Eng subs when needed P1RAT3-RG
First found (UTC): 2012-10-23T11:30:51.56Z
Last found (UTC): 2012-10-23T11:33:00.20Z
Filesize : 1789259900 bytes
IP Address: 64.80.225.13
IP Port: 36028
Network: BitTorrent
Protocol: BitTorrent
I was thinking that searching the traffic log for ( port.dst eq 36028 ) and ( time_generated leq '2012/10/23 08:00:00' ) (we're GMT -4) would do the trick. Plenty of bittorrent application matches but I haven't found anything close to the time. This has been the case for each takedown notice received since my PA installation.
Ideas of where I'm going wrong?
Rand
10-24-2012 12:55 PM
Using port.dst and port.src (or just port) will give you the pre-natted information. If you're looking for logs that match up with an entity on the public Internet, then you'll want to use queries like this:
(natsport eq 36028) and (natdport eq 36028)
Generally speaking, most outbound NAT implementations don't modify the destination port - so try it with (natsport eq 36028) and see if that works.
10-24-2012 12:41 PM
Hi...Maybe you can change the query to match on src or dst port ( port eq 36028 ). Thanks.
10-24-2012 01:38 PM
Respond to that threat by asking for the srcip and srcport used on their side (and when they reply with this information you can search for it as dstip and dstport in the PA logs).
If they refuse to answer then throw this threat to /dev/null.
10-25-2012 05:16 AM
(natsport eq 36028) worked great. Thanks!