How to capture IPS packets for false positive analyzing?
IPS false positive occurs when the IPS detects an activity as malicious, which is identified mistakenly as an attack. Sometimes it would have negative impact for business. If we would like to report false positive event/ID to Zyxel support, we need to provide related information/log for analyzing. This demonstration illustrates how to capture IPS packets for false positive analyzing.
Before we perform packet capture on firewall, please update to the latest IPS signature version.
Click “IPS update” at CONFIGURATION > Signature Update > Signature.
Make sure it is the latest version, and click “ok”.
In this demonstration, we download eicar file from a LAN host (ID:112012).
Step 1. SSH to firewall, and type following CLI to enable IPS packet capture for signature ID 112012.
Router# idp packet-capture enable
Router# idp packet-capture select enable
Router# idp packet-capture select add-id 112012
Step 2. Reproduce the issue by running the same application/software in LAN host.
In this lab test, we download eicar file in a Linux host by CLI
As we can see, it is failure to download eicar file. Session was reset by IPS module.
Step 3. Make sure if application/software is blocked by IPS signature ID 112012.
Go to MONITOR > Log > View Log to see if it has IPS blocked log.
Step 4. Download packet files and match rule list file.
Go to Diagnostics > Packet Capture > Files and download those "zyidp" files
Step 5. Remove signature ID 112012, and disable IPS packet capture.
Router> idp packet-capture disable
Router> idp packet-capture select del-id 112012
Router> idp packet-capture select disable
We can check status by CLI below to see if it is disable.
Router> idp packet-capture show status
After actions above are completed, please provide following information to Zyxel for false positive analyzing.
1. Firmware version
2. IPS signature version
3. Packet trace files and match rule list
- 7.8K All Categories
- 1.6K Nebula
- 55 Nebula Ideas
- 53 Nebula Status and Incidents
- 4.3K Security
- 217 Security Ideas
- 908 Switch
- 40 Switch Ideas
- 807 WirelessLAN
- 16 WLAN Ideas
- 5K Consumer Product
- 131 Service & License
- 260 News and Release
- 88 Success Stories
- 49 Security Advisories
- 6 Education Center
- 573 FAQ
- 273 Nebula FAQ
- 132 Security FAQ
- 73 Switch FAQ
- 72 WirelessLAN FAQ
- 7 Consumer Product FAQ
- 34 Nebula Monthly Express
- 67 About Community
- 40 Security Highlight