Agree with Dameon that IPS packet captures are the best way to figure out false positives, however there are definitely some things to be aware of when taking packet captures with IPS, the following is from my IPS Immersion class:
• Note that specifying a Packet Capture to be taken every time an IPS Protection is matched differs depending on the GATEWAY version.
• For R77.XX gateways, the setting is located on the IPS Protection itself.
• For R80.10+ gateways, the setting is located in the Track field of the TP policy rule.
• The packet capture can be downloaded from the IPS log entry itself on the Logs & Monitor tab in the SmartConsole; format will be EML containing a pcap.
• The first time a ThreatCloud IPS Protection is matched and the logging of it is not suppressed (i.e. a completely new IPS log entry is created), a packet capture will automatically be taken by default regardless of the settings on the prior page.
• Note that unless a packet capture is called for at all times on the IPS Protection itself (R77.XX gateway) or the Track column of the TP policy (R80.10+) gateway, only one packet capture per ThreatCloud IPS Protection will be stored by default. So only the latest non–suppressed log entry for a ThreatCloud IPS Protection will have a packet capture available by default.
• Typically the packet captured will be only the single “offending” packet and not include any prior packets in the stream, unless the attack pattern spanned more than one packet.
• Packet Captures are not supported on Gaia Embedded appliances (models 600–1400).
• Specifying Packet Capture in the Track field of a TP rule applied to a R77.XX gateway will NOT cause the IPS blade to take packet captures for all ThreatCloud IPS Protections that are matched. The Packet Capture checkbox must still be selected directly on the desired IPS Protection(s) for an R77.XX gateway.
• For R77.XX gateways, the IPS packet captures are stored locally on the gateway itself in directory $FWDIR/log/captures_repository. By default up to 500 MBytes of disk storage may be consumed by packet captures in a rotating buffer.
• For R80.10+ gateways, IPS packet captures are automatically transferred to the Log Server (usually the SMS or CMA) and stored in the $FWDIR/log/forensics and /var/spool/mail directories.
• For IPS Core Activations and Inspection Settings, packet captures will not be taken at all regardless of gateway version, unless the Capture Packets checkbox is explicitly set on the configuration screen of the individual Core Activation or Inspection Setting itself.
| User | Count |
|---|---|
| 4 | |
| 3 | |
| 2 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 |
Mon 25 Nov 2024 @ 02:00 PM (EST)
(Americas) AI Series Part 3: Maximizing AI to Drive Growth and EfficiencyTue 26 Nov 2024 @ 10:00 AM (CET)
EMEA Session: Automated Collaborative Prevention with 3rd Party Endpoint SolutionsTue 26 Nov 2024 @ 03:00 PM (CET)
Navigating NIS2: Practical Steps for Aligning Security and ComplianceTue 26 Nov 2024 @ 05:00 PM (CET)
Discover the Future of Cyber Security: What’s New in Check Point’s Quantum R82Tue 03 Dec 2024 @ 10:00 AM (GMT)
UK Community CNAPP Training Day 1: Cloud Risk Management WorkshopTue 03 Dec 2024 @ 05:00 PM (CET)
Americas CM Session: Automated Collaborative Prevention with 3rd Party Endpoint SolutionsMon 25 Nov 2024 @ 02:00 PM (EST)
(Americas) AI Series Part 3: Maximizing AI to Drive Growth and EfficiencyTue 26 Nov 2024 @ 10:00 AM (CET)
EMEA Session: Automated Collaborative Prevention with 3rd Party Endpoint SolutionsTue 26 Nov 2024 @ 03:00 PM (CET)
Navigating NIS2: Practical Steps for Aligning Security and ComplianceTue 26 Nov 2024 @ 05:00 PM (CET)
Discover the Future of Cyber Security: What’s New in Check Point’s Quantum R82Tue 03 Dec 2024 @ 05:00 PM (CET)
Americas CM Session: Automated Collaborative Prevention with 3rd Party Endpoint SolutionsTue 03 Dec 2024 @ 10:00 AM (GMT)
UK Community CNAPP Training Day 1: Cloud Risk Management WorkshopWed 04 Dec 2024 @ 10:00 AM (GMT)
UK Community CNAPP Training Day 2: Cloud Risk Management Workshop
