How to capture IPS packets for false positive analysis

Zyxel_Cooldia Posts: 1,462  Zyxel Employee


An IPS false positive occurs when the IPS mistakenly classifies legitimate activity as an attack. Because the matching session is blocked, this can have a negative impact on business traffic. To report a false-positive event/signature ID to Zyxel support, we need to provide the related logs and packet captures for analysis. This demonstration shows how to capture IPS packets for false positive analysis.


Before performing a packet capture on the firewall, update to the latest IPS signature version, so that the report is not about a false positive that has already been corrected.

Click "IPS update" at CONFIGURATION > Signature Update > Signature.

Make sure it is the latest version, then click "OK".

In this demonstration, we download the EICAR test file from a LAN host, which triggers IPS signature ID 112012.

Step 1. SSH to the firewall and enter the following CLI commands to enable IPS packet capture and select signature ID 112012.

Router# idp packet-capture enable

Router# idp packet-capture select enable

Router# idp packet-capture select add-id 112012

Step 2. Reproduce the issue by running the same application/software on the LAN host.

In this lab test, we download the EICAR file on a Linux host from the CLI.

As we can see, the EICAR file download fails: the session was reset by the IPS module.

Step 3. Confirm that the application/software is blocked by IPS signature ID 112012.

Go to MONITOR > Log > View Log and check for an IPS block log entry with that signature ID.

Step 4. Download the packet capture files and the match-rule list file.

Go to Diagnostics > Packet Capture > Files and download the "zyidp" files.

Step 5. Remove signature ID 112012 from the capture list and disable IPS packet capture, so the firewall does not keep capturing after the evidence has been collected.

Router> idp packet-capture disable

Router> idp packet-capture select del-id 112012

Router> idp packet-capture select disable

Check with the CLI below that packet capture is disabled.

Router> idp packet-capture show status

After the steps above are completed, provide the following information to Zyxel for false positive analysis, together with the signature ID (112012 in this example):

1.    Firmware version

2.    IPS signature version

3.    Packet trace files and match-rule list (the "zyidp" files from Step 4)
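The two parts of this procedure that run on the LAN side, the reproduction in Step 2 and the collection of the evidence files in Step 4 and the list above, can be scripted. The Python below is an added example and is not Zyxel's code or CLI: it classifies what the downloading client observes (a clean download versus a session reset, which is what the IPS block looks like from the host), and packs the "zyidp" files plus the version information into one archive for the support ticket. The local listeners, the "zyidp" file names and the version placeholders are constructed for the demo; on a real LAN host you would point fetch() at the web server the firewall sits in front of.

```python
"""Reproduce a blocked EICAR download and bundle the evidence for a false-positive
report. Added example, not Zyxel's own code. The listeners, file names and
version strings below are constructed stand-ins for the real LAN server and
the files downloaded from Diagnostics > Packet Capture > Files."""
import http.client
import io
import os
import socket
import struct
import tarfile
import tempfile
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# The 68-byte EICAR test string: a public AV/IPS test pattern, not malware.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def fetch(host, port, path, timeout=10.0):
    """GET host:port/path and report what the client side observed.

    status is "ok" (full body received), "reset" (TCP RST or the peer closed
    before/while replying, which is what an IPS session reset looks like),
    "truncated" (body shorter than Content-Length), "timeout" or "error".
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read()
        return {"status": "ok", "http": resp.status, "body": body}
    except http.client.IncompleteRead as exc:
        return {"status": "truncated", "body": exc.partial}
    except ConnectionResetError as exc:  # also covers http.client.RemoteDisconnected
        return {"status": "reset", "detail": repr(exc)}
    except (socket.timeout, TimeoutError) as exc:
        return {"status": "timeout", "detail": repr(exc)}
    except OSError as exc:
        return {"status": "error", "detail": repr(exc)}
    finally:
        conn.close()


def serve_once(payload, reset=False):
    """Start a throw-away local listener for one request and return its port.

    reset=False serves `payload` like the LAN web server would. reset=True
    reads the request and then closes with SO_LINGER 0, so the client sees a
    TCP RST: a local imitation of the IPS resetting a blocked session.
    """
    if reset:
        srv = socket.socket()
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)

        def reset_client():
            cli, _ = srv.accept()
            cli.recv(4096)  # let the GET arrive, then abort the session
            cli.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
            cli.close()
            srv.close()

        threading.Thread(target=reset_client, daemon=True).start()
        return srv.getsockname()[1]

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(payload)))
            self.end_headers()
            self.wfile.write(payload)

        def log_message(self, *args):  # keep the demo quiet
            pass

    httpd = HTTPServer(("127.0.0.1", 0), Handler)

    def serve_one():
        httpd.handle_request()
        httpd.server_close()

    threading.Thread(target=serve_one, daemon=True).start()
    return httpd.server_address[1]


def bundle_evidence(capture_dir, out_path, firmware_version, ips_signature_version, signature_id):
    """Pack the zyidp capture/match-rule files and the version info into one
    tar.gz for the ticket. Returns the capture file names that were included."""
    names = sorted(n for n in os.listdir(capture_dir) if n.startswith("zyidp"))
    report = (f"firmware_version={firmware_version}\n"
              f"ips_signature_version={ips_signature_version}\n"
              f"signature_id={signature_id}\n"
              f"capture_files={','.join(names)}\n").encode()
    with tarfile.open(out_path, "w:gz") as tar:
        for name in names:
            tar.add(os.path.join(capture_dir, name), arcname=name)
        info = tarfile.TarInfo("report.txt")
        info.size = len(report)
        tar.addfile(info, io.BytesIO(report))
    return names


def demo_bundle():
    """Constructed sample: two zyidp files and one unrelated file in a temp dir.
    Returns (files included, archive member names)."""
    workdir = tempfile.mkdtemp()
    for name, data in (("zyidp.cap", b"\xd4\xc3\xb2\xa1"), ("zyidp.txt", b"rule list"), ("notes.txt", b"x")):
        with open(os.path.join(workdir, name), "wb") as fh:
            fh.write(data)
    out = os.path.join(workdir, "ips_fp_112012.tar.gz")
    # Version strings are placeholders; take the real ones from the firewall.
    included = bundle_evidence(workdir, out, "FIRMWARE_VERSION_HERE", "IPS_SIGNATURE_VERSION_HERE", 112012)
    with tarfile.open(out) as tar:
        members = sorted(tar.getnames())
    return included, members


if __name__ == "__main__":
    print(fetch("127.0.0.1", serve_once(EICAR), "/eicar.com")["status"])              # no IPS in the path
    print(fetch("127.0.0.1", serve_once(EICAR, reset=True), "/eicar.com")["status"])  # what Step 2 shows
    print(demo_bundle())
```

Against the real LAN server a "reset" result from fetch() is the evidence for Step 2; the IPS log entry in Step 3 then ties that reset to signature ID 112012, and the archive from bundle_evidence() is what goes to support.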