How to create extended packet captures for a specific vulnerability

Created On 09/26/18 13:39 PM - Last Modified 05/16/22 22:24 PM


Symptom


Sometimes we suspect that a Vulnerability signature is being triggered by benign activity and want to collect more information so we can submit a "False Positive Review" request. Instead of creating a general policy that collects extended packet captures for every signature of a given severity, as described in a separate configuration article, sometimes we need extended captures only for the specific purpose of submitting a false positive report.
 

For this, we create a specific Vulnerability Protection Exception within the Vulnerability Protection Profile we are using (by editing the applicable Vulnerability Protection Profile, or by cloning the 'default' or 'strict' profile, as those cannot be edited directly).



Environment


PAN-OS >= 6.0

Cause


Some threat signatures are detected on traffic that the firewall has decrypted, so a standard packet capture taken off the wire would only contain the encrypted SSL packets.
 

This feature allows for the extraction of the packets that caused signature triggers, even when the original traffic is encrypted and subsequently decrypted by the firewall.

Without this feature, the last-resort options for encrypted/decrypted traffic are:

  • Implement a Decryption Port Mirror. The advantage of this option is that the decrypted packet capture can be exported and used for subsequent lab reproduction tests.
  • If the application front-end is a web browser, decrypt the session by extracting the TLS keys. The disadvantage of this option is that the decrypted session is only readable in Wireshark, and the decrypted packet capture cannot be exported.

Resources:
  • Configure Decryption Port Mirroring
  • HOW TO DECRYPT SSL USING CHROME OR FIREFOX AND WIRESHARK IN WINDOWS
  • HOW TO DECRYPT SSL USING CHROME OR FIREFOX AND WIRESHARK IN MACOS


Resolution


Step 1. Identify the Threat ID of the signature in question.

Step 2. Identify the Vulnerability Protection profile tied to the Security Policy processing the traffic.

Step 3. Open the Vulnerability Protection Profile and head over to the 'Exceptions' tab.

Step 4. Click the lower-left checkbox "Show all signatures", then search for the Threat ID of the signature in question.

Step 5. In the right-most column (Packet Capture), click on the current action (likely 'disable') and change it to extended-capture. Also, do not forget to tick the Enable checkbox at the very left of the entry before clicking OK (otherwise the change will not be applied).

Step 6. Click on OK and commit your changes.

Step 7. Run the suspicious traffic again and check the newly written Threat log entries. A green down-pointing arrow appears at the left of each Threat log entry that has a capture attached; click it to export the automatically collected PCAP file.

Once you have collected the extended captures and submitted the False Positive report, you can remove or disable this Vulnerability Protection Exception again.
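The same change can be scripted against the PAN-OS XML API, which is convenient when the exception has to be added and removed on several firewalls. The following is an added example, not Palo Alto Networks' own code: it builds the configuration `set` request that matches Steps 4 to 6 above (a threat-exception entry with packet-capture set to extended-capture, the signature's action left at its default so detection behaviour does not change while evidence is collected), the matching `delete` request for the cleanup described above, and a commit. The vsys name 'vsys1', the profile name, the threat ID and the API key are placeholders, and the XPath of the threat-exception node is assumed from the standard PAN-OS configuration tree; verify it on your own firewall with `show config running` before use.

```python
# Added example (not Palo Alto Networks' own code): build PAN-OS XML API
# requests that add a Vulnerability Protection exception with
# packet-capture = extended-capture, and remove it again afterwards.
#
# ASSUMPTIONS: single-vsys firewall ('vsys1'), placeholder profile name,
# threat ID and API key, and the threat-exception XPath taken from the
# standard PAN-OS configuration layout (check it against your running config).
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# The three values the Packet Capture column in the GUI can take.
PACKET_CAPTURE_MODES = ("disable", "single-packet", "extended-capture")


def threat_exception_xpath(profile_name, vsys="vsys1"):
    """XPath of the threat-exception node inside one Vulnerability Protection profile (assumed layout)."""
    return (
        "/config/devices/entry[@name='localhost.localdomain']"
        f"/vsys/entry[@name='{vsys}']/profiles/vulnerability"
        f"/entry[@name='{profile_name}']/threat-exception"
    )


def build_exception_element(threat_id, packet_capture="extended-capture", action="default"):
    """Serialise the <entry> that a 'set' call appends under threat-exception.

    Creating the entry is what the Enable checkbox in Step 5 does; the
    packet-capture child is the right-most column of the same row.
    """
    if packet_capture not in PACKET_CAPTURE_MODES:
        raise ValueError(f"unknown packet-capture mode: {packet_capture}")
    entry = ET.Element("entry", {"name": str(int(threat_id))})  # int() rejects non-numeric IDs
    act = ET.SubElement(entry, "action")
    ET.SubElement(act, action)  # <default/> keeps the signature's own action
    ET.SubElement(entry, "packet-capture").text = packet_capture
    return ET.tostring(entry, encoding="unicode")


def set_exception_params(api_key, profile_name, threat_id, vsys="vsys1"):
    """Query parameters for type=config&action=set (adds or overwrites the exception)."""
    return {
        "type": "config",
        "action": "set",
        "key": api_key,
        "xpath": threat_exception_xpath(profile_name, vsys),
        "element": build_exception_element(threat_id),
    }


def delete_exception_params(api_key, profile_name, threat_id, vsys="vsys1"):
    """Query parameters for type=config&action=delete (cleanup once the report is filed)."""
    return {
        "type": "config",
        "action": "delete",
        "key": api_key,
        "xpath": f"{threat_exception_xpath(profile_name, vsys)}/entry[@name='{int(threat_id)}']",
    }


def commit_params(api_key):
    """Query parameters for a plain commit (Step 6)."""
    return {"type": "commit", "key": api_key, "cmd": "<commit></commit>"}


def send(firewall, params, ca_bundle=None):
    """POST one request to https://<firewall>/api/ and return the response XML.

    Not called at import time. Pass the CA bundle that signed the management
    certificate instead of turning certificate verification off.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    data = urllib.parse.urlencode(params).encode()
    with urllib.request.urlopen(f"https://{firewall}/api/", data=data, context=ctx, timeout=30) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Dry run: print the request that would enable the exception for a placeholder ID.
    params = set_exception_params("<API-KEY>", "Vuln-Profile-Clone", 12345)
    print(params["xpath"])
    print(params["element"])
```

To apply the change for real, call `send(firewall, set_exception_params(...))` followed by `send(firewall, commit_params(...))`, reproduce the traffic, export the PCAP from the Threat log, and then run `delete_exception_params` plus another commit so the profile returns to its original state.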



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CllSCAS