The Network IPS appliance uses log evidence, along with the rolling packet capture feature, to gather evidence about suspicious events.
Log evidence
The log evidence feature copies a packet that triggered an event and records it in a log file. By studying the packet recorded in the log file, you can determine exactly what an intruder did or attempted to do. Log evidence can capture packets for web protection events, security events, user-defined events, connection events, SNORT events, and response filters.
Where to configure log evidence
You can configure options for log evidence in the following areas:
- In the policy: Define the scope of the log evidence feature in appliance policies. For example, choose to capture specific traffic, or choose to capture all traffic passing through an interface at the same time the event occurs. Find policies that use the log evidence feature in these locations.
- On the Log Evidence tab: Define how many log evidence files the appliance stores, the size of the capture files, and the file format. Find the tab in .
- On the Tuning Parameters page: Add or edit the parameter engine.logevidence.file.timeout. This parameter defines how long the log evidence option continues capturing packets while the suspicious traffic is idle. The default value is 15 minutes, the minimum value is 5 minutes, and the maximum value is 30 minutes. Find tuning parameters in .
Note: Consider possible performance issues as you choose log evidence options. Log evidence options that are too general or too large affect performance.
How the log evidence works
All log evidence configurations work together to define the behavior of the log evidence feature.
Table 1. Log evidence configurations and appliance behaviors

Log evidence configuration: Log evidence option in the policy
Appliance behavior: Determines the type of packet to capture when suspicious traffic triggers events. The appliance logs files to the /var/iss/ directory. You can retrieve log evidence files from .
- None: The appliance captures no traffic.
- Offending Packet: The appliance captures the suspicious traffic.
- Connection: The appliance captures all traffic that matches the event protocol, source and destination address, source and destination port, or VLAN ID.
- Interface: The appliance captures all traffic that passes through the specified interfaces.
- All Interfaces: The appliance captures all traffic that passes through all interfaces.
Note: Connection, Interface, and All Interfaces are not available for the SNORT feature.
The appliance captures matching traffic for policy events according to the values set on the Log Evidence tab and by the log evidence tuning parameter.

Log evidence configuration: Log Evidence tab
Appliance behavior: The appliance applies the maximum values configured on the tab to those packets that match the criteria set in the applicable policy. If the packet capture meets any of the maximum values set on the tab, then the packet capture operation stops. If the packet capture does not meet the maximum values set on the tab but it does meet the idle time limit set by the log evidence tuning parameter, then the packet capture operation stops.

Log evidence configuration: Tuning parameter engine.logevidence.file.timeout
Appliance behavior: The appliance applies the value set by the tuning parameter to the packets that match the criteria set in the applicable policy. If the packet capture meets the idle time set in the tuning parameter, then the packet capture operation stops. If the packet capture does not meet the idle time set by the tuning parameter but it does meet any of the maximum values set on the Log Evidence tab, then the packet capture operation stops.
Log evidence examples
Packet capture controlled by the Log Evidence tab
- Log evidence values set:
  - Log Evidence tab maximum values set
  - Log evidence tuning parameter set to 15 minutes
  - Policy log evidence option set to Connection
- A suspicious event from an SSH session occurs
- Appliance applies the maximum values to the packet capture
- Appliance captures all traffic that matches the connection
- Appliance applies a time limit to the packet capture
- Suspect connection traffic continues to occur for 12 minutes; however, the capture exceeds the maximum number of packets per event
- Appliance stops the packet capture, even though the connection traffic is still occurring and the packet capture file has not recorded for 15 minutes
- Log evidence file is available for download from .

Packet capture controlled by the log evidence tuning parameter
- Log evidence values set:
  - Log evidence tuning parameter set to 15 minutes
  - Log Evidence tab maximum values set
  - Policy log evidence option set to Connection
- A suspicious event from an SSH session occurs
- Appliance applies the time limit to the packet capture
- Appliance applies the maximum values to the packet capture
- Appliance captures all traffic that matches the connection
- Suspicious SSH session remains open but has not sent any packets for 15 minutes
- Appliance stops the packet capture, even though the suspicious session remains open and the packet capture has not met any of the maximum values
- Log evidence file is available for download from .
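The stop logic in Table 1 and the two scenarios above can be checked with a small model of the limits. This is an added example, not IBM code: the class and function names are hypothetical, the packet lists are constructed, and the capture is modelled as stopping at whichever limit (Log Evidence tab maximum or engine.logevidence.file.timeout idle time) is reached first.

```python
from dataclasses import dataclass


def validate_timeout(minutes: int) -> bool:
    """engine.logevidence.file.timeout accepts 5 to 30 minutes (default 15)."""
    return 5 <= minutes <= 30


@dataclass
class LogEvidenceLimits:
    """Hypothetical model of the Log Evidence tab maximums plus the idle timeout."""
    max_packets_per_event: int
    max_file_bytes: int
    idle_timeout_min: int = 15  # default value named on the page

    def __post_init__(self):
        if not validate_timeout(self.idle_timeout_min):
            raise ValueError("idle timeout must be 5-30 minutes")


def capture_stop_reason(packets, limits):
    """packets: (minutes_since_event, size_bytes) tuples, in time order, for
    traffic matching the policy's capture scope (for example, Connection).
    Returns (stop_minute, reason): whichever limit is reached first ends the
    capture, as Table 1 describes."""
    count = total = 0
    last_seen = 0.0  # the triggering event itself starts the idle clock
    for t, size in packets:
        if t - last_seen >= limits.idle_timeout_min:
            return (last_seen + limits.idle_timeout_min, "idle timeout")
        count += 1
        total += size
        last_seen = t
        if count >= limits.max_packets_per_event:
            return (t, "max packets per event")
        if total >= limits.max_file_bytes:
            return (t, "max file size")
    # Session still open but silent: the idle timeout ends the capture.
    return (last_seen + limits.idle_timeout_min, "idle timeout")


def example_tab_limit_stops_capture():
    """Scenario 1: traffic keeps flowing, but the packet maximum is hit first."""
    limits = LogEvidenceLimits(max_packets_per_event=20, max_file_bytes=1_000_000)
    packets = [(i * 0.5, 100) for i in range(1, 25)]  # constructed: 100 B every 30 s for 12 min
    return capture_stop_reason(packets, limits)


def example_timeout_stops_capture():
    """Scenario 2: the SSH session stays open but goes quiet."""
    limits = LogEvidenceLimits(max_packets_per_event=20, max_file_bytes=1_000_000)
    packets = [(0.5, 100), (1.0, 100)]  # constructed: two packets, then silence
    return capture_stop_reason(packets, limits)
```

Scenario 1 stops at minute 10 on the packet maximum while traffic is still flowing; scenario 2 stops at minute 16, fifteen idle minutes after the last packet, with no maximum reached.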