How to create extended packet captures for a specific vulnerability

by Lucky on 07-19-2016 05:40 AM (9,215 Views)

Sometimes we suspect that a Vulnerability signature is being triggered by benign activity and want to collect more information so we can submit a "False Positive Review" request. Instead of creating a general policy that collects extended packet captures for every vulnerability of a given severity, as described in the configuration article found here, sometimes we need extended captures only for the specific signature in question, for the purpose of submitting a false positive report.


For this, we need to create a specific Vulnerability Protection Rule within the Vulnerability Protection Profile we are using (by editing the applicable Vulnerability Protection Profile, or by cloning the 'default' or 'strict' profile, as those two cannot be edited).
When we create the new Vulnerability Protection Rule we need to set at least the following:


Rule Name: ext-capt+alert for SMB Vuln
Threat Name: Microsoft SMB Client Response Parsing Vulnerability
Action: alert
Packet Capture: extended-capture
Host Type: any
Category: any
Severity: any
CVE: any
Vendor ID: any

Please note that we used "Microsoft SMB Client Response Parsing Vulnerability" only as an example; replace it with the name of the vulnerability for which you are trying to create extended captures.


As seen in the screenshot:

[Screenshot: Screen Shot 2016-07-08 at 09.53.46.png]


Once we have created this Vulnerability Protection Rule, we need to move it to the top of the Vulnerability Protection Profile so that it matches before any broader rule in the profile:

[Screenshot: Screen Shot 2016-07-08 at 09.54.00.png]


Finally, we need to apply that Vulnerability Protection Profile in the Security Policy Rule that handles the source/destination traffic where we have seen the false positives occur.

Once you have collected the extended captures and submitted the False Positive report, you can simply remove or disable this Vulnerability Protection Profile in the Security Policy Rule until you need it the next time.
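The same configuration expressed as PAN-OS CLI commands, as an added example rather than part of the original article. The profile name `ext-capt-profile` and the security rule name `allow-smb` are placeholders, and the keyword names are assumed from the way vulnerability profiles appear in the running-config XML; confirm them with `?` completion in configure mode before use.

```text
# Enter configuration mode on the firewall
configure

# Create the rule inside the cloned profile (profile name is a placeholder)
set profiles vulnerability ext-capt-profile rules "ext-capt+alert for SMB Vuln" action alert
set profiles vulnerability ext-capt-profile rules "ext-capt+alert for SMB Vuln" packet-capture extended-capture
set profiles vulnerability ext-capt-profile rules "ext-capt+alert for SMB Vuln" threat-name "Microsoft SMB Client Response Parsing Vulnerability"
set profiles vulnerability ext-capt-profile rules "ext-capt+alert for SMB Vuln" host any
set profiles vulnerability ext-capt-profile rules "ext-capt+alert for SMB Vuln" category any
set profiles vulnerability ext-capt-profile rules "ext-capt+alert for SMB Vuln" severity any
set profiles vulnerability ext-capt-profile rules "ext-capt+alert for SMB Vuln" cve any
set profiles vulnerability ext-capt-profile rules "ext-capt+alert for SMB Vuln" vendor-id any

# Move the rule to the top of the profile so it matches before the broader rules
move profiles vulnerability ext-capt-profile rules "ext-capt+alert for SMB Vuln" top

# Attach the profile to the security rule carrying the suspect traffic (rule name is a placeholder)
set rulebase security rules allow-smb profile-setting profiles vulnerability ext-capt-profile

commit
```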
