How to do the custom packet capture for vulnerability signatures analysis

Created On 10/22/21 17:04 PM - Last Modified 09/09/22 13:46 PM


Objective


To collect a decrypted full packet capture for the analysis of a vulnerability signature in case of a False Positive or a False Negative.
A full packet capture is essential to reproduce the issue in our lab environment.


Environment


  • Palo Alto Firewall
  • Any PAN-OS 


Procedure


  • Although we have a low False Positive and False Negative rate for Vulnerability Protection (IPS signatures), we still see some cases where a threat was either misidentified or missed.
  • In False Positive cases we need a full decrypted packet capture; in False Negative cases we need both a full decrypted packet capture and the relevant threat logs.
Step-1: Packet capture.
  1. Extended threat packet capture:
  • Spyware signatures can be analyzed from an extended threat packet capture in most cases, with a few exceptions. How to enable the extended threat packet capture is described in Taking a threat packet capture. For vulnerability signatures, the extended threat packet capture is sometimes useful as well.
  2. Traffic capture on the endpoint:
  • Traffic can be captured on the endpoints, either on the client or on the server. HTTPS traffic can be decrypted using a browser (Chrome or Firefox) and Wireshark; the article How to decrypt SSL explains how.
  • Non-SSL traffic can be captured directly on the client or server.
  3. Capturing on the Firewall Monitor tab:
  • Define the packet capture criteria as narrowly as possible.
    • For example, select the Ingress Interface, Source IP address, Destination IP address, source port, destination port, and protocol (ICMP, IPv4, RDP, IGMP). Non-IP and IPv6 can also be selected.
    • Limit the capture by byte count and packet count.
  • Make sure decryption is enabled for the interesting traffic.
  • Enable the Decryption Port Mirror to capture the traffic. Configure Decryption Port Mirroring explains the steps.
Step-2: Threat logs
  • When taking the packet capture, also collect the associated threat and traffic logs. We need the threat logs because we use them to identify the packet that actually triggered the threat.
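The two checks a practitioner most often needs before sending a capture in are (a) cutting a large capture down to the one session named in the threat log, bounded by packet count and byte count as Step-1 asks, and (b) confirming that the key log file written by Chrome or Firefox when SSLKEYLOGFILE is set (the file Wireshark reads from its "(Pre)-Master-Secret log filename" TLS preference) actually covers the TLS sessions in that capture, so the capture will decrypt in the lab. The following is an added example written for this article; it is not Palo Alto Networks code and does not talk to a firewall. It uses only the Python standard library, reads and writes the classic libpcap format (not pcapng), and the frames, the key log and the threat-log dictionary (with assumed keys src/dst/sport/dport, not the firewall's log schema) are constructed inline.

```python
import struct
import ipaddress

def build_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame for a 5-tuple (checksums left zero)."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + tcp + payload

def build_pcap(frames, snaplen=65535):
    """Little-endian classic pcap (magic 0xa1b2c3d4, microsecond timestamps, Ethernet)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)

def iter_pcap(data):
    """Yield (ts_sec, ts_usec, orig_len, frame) per record; classic pcap only, not pcapng."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        yield ts_sec, ts_usec, orig_len, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def parse_tcp(frame):
    """(src, dst, sport, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = 14 + (frame[14] & 0x0F) * 4
    end = 14 + struct.unpack_from(">H", frame, 16)[0]   # IPv4 total length bounds the payload
    if len(frame) < tcp + 20:
        return None
    sport, dport = struct.unpack_from(">HH", frame, tcp)
    payload = frame[tcp + (frame[tcp + 12] >> 4) * 4:end]
    return (str(ipaddress.IPv4Address(frame[26:30])), str(ipaddress.IPv4Address(frame[30:34])),
            sport, dport, payload)

def narrow_capture(pcap, log, max_packets=200, snaplen=1514):
    """Keep the threat log's session (both directions), capped by packets and bytes; returns (pcap, kept)."""
    wanted = {(log["src"], log["dst"], log["sport"], log["dport"]),
              (log["dst"], log["src"], log["dport"], log["sport"])}
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1))
    kept = 0
    for ts_sec, ts_usec, orig_len, frame in iter_pcap(pcap):
        tcp = parse_tcp(frame)
        if tcp is None or tcp[:4] not in wanted:
            continue
        cut = frame[:snaplen]                      # byte limit; orig_len keeps the true size
        out += struct.pack("<IIII", ts_sec, ts_usec, len(cut), orig_len) + cut
        kept += 1
        if kept >= max_packets:                    # packet limit
            break
    return bytes(out), kept

def parse_keylog(text):
    """Client randoms (hex) from an NSS key log; every label except the old RSA form has it in column 2."""
    randoms = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and not line.startswith("#") and parts[0] != "RSA":
            randoms.add(parts[1].lower())
    return randoms

def client_randoms(pcap):
    """Client random of each TLS ClientHello: record type 0x16, handshake type 0x01 at byte 5, random at byte 11."""
    found = []
    for _, _, _, frame in iter_pcap(pcap):
        tcp = parse_tcp(frame)
        if tcp is not None:
            p = tcp[4]
            if len(p) >= 43 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01:
                found.append(p[11:43].hex())
    return found

def keylog_coverage(pcap, keylog_text):
    """For each ClientHello random in the capture: True if the key log can decrypt that session."""
    known = parse_keylog(keylog_text)
    return {r: r in known for r in client_randoms(pcap)}

# Constructed sample input (not real traffic and not a real threat log).
RANDOM_A, RANDOM_B = bytes(range(32)), bytes(range(32, 64))
def client_hello(random):
    """Minimal TLS 1.2-style ClientHello record carrying the given 32-byte random."""
    body = b"\x03\x03" + random + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00" + b"\x00\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

THREAT_LOG = {"src": "10.1.1.50", "dst": "203.0.113.10", "sport": 51000, "dport": 443}
SAMPLE_PCAP = build_pcap([
    build_frame("10.1.1.50", "203.0.113.10", 51000, 443, client_hello(RANDOM_A)),
    build_frame("203.0.113.10", "10.1.1.50", 443, 51000, b"\x16\x03\x03\x00\x04\x02\x00\x00\x00"),
    build_frame("10.1.1.51", "203.0.113.10", 51001, 443, client_hello(RANDOM_B)),  # other client
    build_frame("10.1.1.50", "203.0.113.10", 51000, 443, b"\x17\x03\x03\x00\x08" + b"A" * 8),
])
SAMPLE_KEYLOG = "# constructed\nCLIENT_RANDOM " + RANDOM_A.hex() + " " + "ab" * 48 + "\n"
```

Run `narrow_capture(SAMPLE_PCAP, THREAT_LOG)` to get the three frames of the logged session and drop the other client's handshake; `keylog_coverage` on the result reports the one remaining ClientHello as covered, while on the full capture it flags the second client's session as not decryptable, which is exactly the case that produces an undecrypted capture in the lab. On a real capture read the file bytes with `open(path, "rb").read()` and the key log with `open(path).read()`; `orig_len` is preserved when truncating, so Wireshark still shows the true frame size.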
Step-3: Extra information in case of pen testing
  • If you are doing a pen test or using an external testing device, please provide the following information:
    • The name of the device and its software version.
    • Some devices, such as BreakingPoint and Mu Dynamics, can capture traffic on themselves; please take the capture on the testing device.
  • If you are using a pen-testing tool that needs a license, such as Cobalt Strike, it would be best if the customer provided the capture.
  • Please add your Firewall's PAN-OS version and the vulnerability content version currently installed on the Firewall.

