    Example: Packet Logging Workflow

    This topic summarizes IDP Series packet logging basics. It includes the following sections:

    Using Packet Captures

    The IDP solution supports packet capture logging triggered by security policy rules.

    You can use packet captures for a number of response activities, including:

    • Validation of the security policy rule and attack object. You may choose to enable packet logging to test a new attack object. Once verified, you may find packet logging for the rule unnecessary.
    • Further analysis of traffic surrounding the matching event. The surrounding traffic might provide information that helps you determine whether you need to take further steps to protect the target or whether the attack should be considered a false positive.
    • Reproducibility and documentation for Internet security groups, including the Juniper Networks Security Center.
    • Legal evidence. Consult with your legal counsel for guidance on how local laws and rules of evidence apply if you want to use packet capture data as evidence in the prosecution of attackers.

    Enabling Packet Capture in Security Policy Rules

    When traffic matches a rule where packet logging is configured, the IDP Series device captures the packet that matched the rule, as well as the preceding and trailing packets (according to your configured preference).
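As an added illustration (not code from the IDP Series product or from Juniper's documentation), the following Python model shows how "preceding and trailing packets" capture works: a ring buffer holds the last `pre` packets, and a rule match logs those, the matching packet, and the next `post` packets. The packet list, the `rule_matches` function, and the counts are constructed assumptions for the demonstration.

```python
from collections import deque


class PacketLogger:
    """Models the pre/post context capture described above: keep the last
    `pre` packets, and when a security policy rule matches, log those, the
    matching packet, and the next `post` packets.
    (Illustrative model only, not the IDP Series device's own logic.)"""

    def __init__(self, pre=2, post=2):
        self.pre, self.post = pre, post
        self._ring = deque(maxlen=pre)   # preceding packets, oldest first
        self._pending = []               # captures still collecting trailing packets
        self.captures = []               # every capture, in trigger order

    def process(self, pkt, rule_matches):
        """Feed one packet; rule_matches(pkt) -> bool stands in for the policy rule."""
        # Trailing packets go to any capture that is still open.
        for cap in list(self._pending):
            cap["packets"].append(pkt)
            if len(cap["packets"]) == cap["expected"]:
                self._pending.remove(cap)
        # A match opens a new capture seeded with the ring-buffer contents.
        if rule_matches(pkt):
            cap = {"trigger": pkt,
                   "packets": list(self._ring) + [pkt],
                   "expected": len(self._ring) + 1 + self.post}
            self.captures.append(cap)
            if self.post:
                self._pending.append(cap)
        self._ring.append(pkt)


# Constructed sample flow (sequence number, note); packet 4 is the rule hit.
SAMPLE_PACKETS = [
    (1, "SYN"), (2, "SYN/ACK"), (3, "ACK"),
    (4, "attack-object-match"), (5, "200 OK"), (6, "FIN"), (7, "ACK"),
]


def run_sample(pre=2, post=2):
    """Return the sequence numbers logged for each capture."""
    logger = PacketLogger(pre, post)
    for pkt in SAMPLE_PACKETS:
        logger.process(pkt, lambda p: p[1] == "attack-object-match")
    return [[seq for seq, _ in cap["packets"]] for cap in logger.captures]


if __name__ == "__main__":
    print(run_sample())   # [[2, 3, 4, 5, 6]]
```

Changing `pre` and `post` shows the trade-off the configured preference makes: more context per event costs more storage under /usr/idp/device/var/pktlogs/ and more data forwarded to NSM.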

    To enable packet logging within a security policy rule, use the Security Policy editor. Right-click a cell in the Notification column and select Configure to display the dialog box where you can set packet logging options.

    Figure 1: Notification Options: Packet Logging

    In the NSM Log Viewer, logs for events where packet captures have been generated are noted by an icon in the Has Packet Data column (the last column in Figure 2).

    Figure 2: NSM Log Viewer: Has Packet Data Column

    Forwarding Packet Capture Logs to NSM

    The IDP Series device writes packet captures locally to subdirectories of /usr/idp/device/var/pktlogs/. It forwards the packet data to NSM according to your NSM Report Settings:

    • Include packet data in log selected: the device forwards the packet capture to NSM automatically whenever it sends the corresponding event log.
    • Include packet data in log not selected: the device forwards only a reference to the packet capture file automatically, and sends the packet data itself on demand (when an NSM user takes action to display the packet data).

    Figure 3: NSM Device Configuration Editor: Report Settings

    Viewing Packet Capture Logs

    You have two options for viewing packet captures: the NSM packet viewer or an external viewer, as described in the following sections.

    Using the NSM Packet Viewer

    The NSM packet viewer displays the offending attack payload that triggered the alert as well as preceding and trailing packets (according to your configuration). Figure 4 shows the NSM packet capture viewer.

    Figure 4: NSM Packet Capture Viewer

    To view a packet capture in the NSM packet viewer:

    1. In the NSM navigation tree, select Investigate > Log Viewer > Predefined > DI/IDP to display the IDP table.
    2. Select View > Choose Columns to display the dialog box you use to show and hide log table columns.
    3. Select Has Packet Data to show this column.

      If a security event log has packet data, an icon appears in the table cell under this column.

    4. Double-click the Has Packet Data icon to display the packet data in the NSM packet viewer.

    Using an External Viewer to View Packet Data

    You can configure NSM to launch an external viewer for packet captures.

    Figure 5 shows the NSM dialog box where you can specify the location of an external packet viewer.

    Figure 5: Specifying an External Viewer

    To set the location of the external viewer:

    1. In NSM, select Tools > Preferences.
    2. Select Local Properties.
    3. Under External Tools > Packet Viewer, click the browse button and select the executable file for the external viewer (for example: C:\Program Files\Wireshark\wireshark.exe).
    4. Click OK to close the New Preferences dialog box.

    Figure 6 shows packet data displayed in the Wireshark packet viewer.

    Figure 6: Wireshark Packet Viewer

    To view a packet capture in an external packet viewer:

    1. In the NSM navigation tree, select Investigate > Log Viewer > Predefined > DI/IDP to display the IDP table.
    2. Select View > Choose Columns to display the dialog box you use to show and hide log table columns.
    3. Select Has Packet Data to show this column.

      If a security event log has packet data, an icon appears in the table cell under this column.

    4. Right-click the Has Packet Data icon and select Show > Packet Data in External Viewer.

    Published: 2011-02-08