Agree with Dameon that IPS packet captures are the best way to figure out false positives, however there are definitely some things to be aware of when taking packet captures with IPS, the following is from my IPS Immersion class:
• Note that specifying a Packet Capture to be taken every time an IPS Protection is matched differs depending on the GATEWAY version.
• For R77.XX gateways, the setting is located on the IPS Protection itself.
• For R80.10+ gateways, the setting is located in the Track field of the TP policy rule.
• The packet capture can be downloaded from the IPS log entry itself on the Logs & Monitor tab in the SmartConsole; format will be EML containing a pcap.
• The first time a ThreatCloud IPS Protection is matched and the logging of it is not suppressed (i.e. a completely new IPS log entry is created), a packet capture will automatically be taken by default regardless of the settings on the prior page.
• Note that unless a packet capture is called for at all times on the IPS Protection itself (R77.XX gateway) or the Track column of the TP policy (R80.10+) gateway, only one packet capture per ThreatCloud IPS Protection will be stored by default. So only the latest non–suppressed log entry for a ThreatCloud IPS Protection will have a packet capture available by default.
• Typically the packet captured will be only the single “offending” packet and not include any prior packets in the stream, unless the attack pattern spanned more than one packet.
• Packet Captures are not supported on Gaia Embedded appliances (models 600–1400).
• Specifying Packet Capture in the Track field of a TP rule applied to a R77.XX gateway will NOT cause the IPS blade to take packet captures for all ThreatCloud IPS Protections that are matched. The Packet Capture checkbox must still be selected directly on the desired IPS Protection(s) for an R77.XX gateway.
• For R77.XX gateways, the IPS packet captures are stored locally on the gateway itself in directory $FWDIR/log/captures_repository. By default up to 500 MBytes of disk storage may be consumed by packet captures in a rotating buffer.
• For R80.10+ gateways, IPS packet captures are automatically transferred to the Log Server (usually the SMS or CMA) and stored in the $FWDIR/log/forensics and /var/spool/mail directories.
• For IPS Core Activations and Inspection Settings, packet captures will not be taken at all regardless of gateway version, unless the Capture Packets checkbox is explicitly set on the configuration screen of the individual Core Activation or Inspection Setting itself.
| User | Count |
|---|---|
| 4 | |
| 3 | |
| 2 | |
| 2 | |
| 1 | |
| 1 |
Tue 05 Nov 2024 @ 10:00 AM (CET)
EMEA CM LIVE: 30 Years for the CISSP certification - why it is still on topTue 05 Nov 2024 @ 05:00 PM (CET)
Americas CM LIVE: - 30 Years for the CISSP certification - why it is still on topThu 07 Nov 2024 @ 05:00 PM (CET)
What's New in CloudGuard - Priorities, Trends and Roadmap InnovationsTue 05 Nov 2024 @ 10:00 AM (CET)
EMEA CM LIVE: 30 Years for the CISSP certification - why it is still on topTue 05 Nov 2024 @ 05:00 PM (CET)
Americas CM LIVE: - 30 Years for the CISSP certification - why it is still on topTue 12 Nov 2024 @ 03:00 PM (AEDT)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (APAC)Tue 12 Nov 2024 @ 10:00 AM (CET)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (EMEA)Tue 19 Nov 2024 @ 12:00 PM (MST)
Salt Lake City: Infinity External Risk Management and Harmony SaaSWed 20 Nov 2024 @ 02:00 PM (MST)
Denver South: Infinity External Risk Management and Harmony SaaS
