How to Enable Threat Packet Capture for a Specific Anti-Spyware Signature?

Created On 04/02/19 10:18 AM - Last Modified 04/02/19 16:46 PM


Objective


Here is how to enable threat packet capture for a specific anti-spyware signature if setting packet capture for all signatures is not desirable.

Procedure


Step 1: Open the Exceptions tab of the anti-spyware profile in question. Enable Show all Signatures first, then search for the Threat ID (e.g., 18927).

Step 2: Click the drop-down under the Packet Capture column. The default is "disable"; select "single-packet" or "extended-capture" to enable packet capture for that Threat ID.

Step 3: Check the box under the Enable column (it must be checked for the change to take effect). Note that the action listed under Exceptions for this Threat ID also takes effect once the box is checked, so make sure an appropriate action is set as well.

Click OK and perform a commit after this.

Screenshot of anti-spyware profile.

Step 4: PCAPs for Threat ID 18927 (for traffic matching a security policy where this anti-spyware profile is mapped) can be downloaded by clicking the Green Arrow next to the Threat ID under Monitor > Threat logs.

Screenshot of Monitor tab
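Because enabling the exception in Step 3 also activates its action, it is worth auditing an exported configuration for exceptions that turn on packet capture and checking what action they carry. The following script is an added example, not code from the article or from Palo Alto Networks; the XML layout it parses (profiles/spyware/entry/threat-exception/entry with action and packet-capture children) is an assumption modelled on the GUI fields above, and the configuration fragment is constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed sample fragment of an exported PAN-OS configuration. The element
# names (profiles/spyware/.../threat-exception, action, packet-capture) are an
# assumption mirroring the GUI fields in the article; verify against a real export.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys>
<entry name="vsys1"><profiles><spyware>
  <entry name="strict-with-pcap"><threat-exception>
    <entry name="18927"><action><alert/></action>
      <packet-capture>single-packet</packet-capture></entry>
    <entry name="30001"><action><allow/></action>
      <packet-capture>extended-capture</packet-capture></entry>
    <entry name="30002"><action><drop/></action>
      <packet-capture>disable</packet-capture></entry>
  </threat-exception></entry>
</spyware></profiles></entry></vsys></entry></devices></config>"""

# Actions that override the signature default with something more permissive.
PERMISSIVE_ACTIONS = {"allow"}

def list_spyware_exceptions(config_xml: str) -> list[dict]:
    """Return one record per threat exception in every anti-spyware profile."""
    root = ET.fromstring(config_xml)
    records = []
    for spyware in root.iter("spyware"):
        for profile in spyware.findall("entry"):
            for exc in profile.findall("threat-exception/entry"):
                action_el = exc.find("action")
                # The action is encoded as an empty child element, e.g. <alert/>.
                has_action = action_el is not None and len(action_el) > 0
                action = list(action_el)[0].tag if has_action else "default"
                records.append({
                    "profile": profile.get("name"),
                    "threat_id": exc.get("name"),
                    "action": action,
                    "packet_capture": exc.findtext("packet-capture", "disable"),
                })
    return records

def capture_exceptions_to_review(config_xml: str) -> list[dict]:
    """Exceptions with packet capture enabled; the exception action replaces the
    signature default once the entry is enabled, so permissive ones are flagged."""
    return [
        dict(r, review=(r["action"] in PERMISSIVE_ACTIONS))
        for r in list_spyware_exceptions(config_xml)
        if r["packet_capture"] != "disable"
    ]

if __name__ == "__main__":
    for r in capture_exceptions_to_review(SAMPLE_CONFIG):
        print(r)
```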
 


Additional Information


The same process can be followed for a specific vulnerability signature from the Exceptions tab of the Vulnerability Protection profile. This may not be appropriate for analyzing vulnerability signatures, however, since in most cases a complete stream PCAP is needed to get enough context about the exploit.
