Palo Alto Networks Knowledgebase: How to create extended packet captures for a specific vulnerability
How to create extended packet captures for a specific vulnerability
Created On 09/26/18 13:39 PM - Last Updated 09/26/18 14:00 PM
Sometimes we suspect Vulnerability signature is triggered for benign activities and we want to collect more information so we can submit "False Positive Review" request. Instead of creating general policy to collect extended packet captures for a specific severity of vulnerability, as described in a configuration article found here, sometimes we need to create extended captures only for the specific purpose of submitting false positive report.
For such action, we need to create a specific Vulnerability Protection Rule within the Vulnerability Protection Profile we are using (by editing applicable Vulnerability Protection Profile or cloning 'default' or 'strict' profiles, as those cannot be edited). When we create a new Vulnerability Protection Rule we need to set following minimum:
Rule Name: ext-capt+alert for SMB Vuln Threat Name: Microsoft SMB Client Response Parsing Vulnerability Action: alert Packet Capture: extended-capture Host Type: any Category: any Severity: any CVE: any Vendor ID: any
Please note we used "Microsoft SMB Client Response Parsing Vulnerability" only as an example; you should replace this with the name of vulnerability for which you are trying to create extended captures.
As seen in the screenshot:
Once we created such Vulnerability Protection Rule, we need to move it to the top of your Vulnerability Protection Profile:
Finally, we need to apply that specific Vulnerability Protection Profile in the Security Policy Rule treating source/destination where we have seen false positives occur.
Once you collected extended captures and submitted False Positive report, you can easily remove / disable this Vulnerability Protection Profile in the Security Policy Rule until you need it the next time.