
    Forensics and Full Packet Collection

    Use JSA Incident Forensics in your deployment to retrace the step-by-step actions of a potential attacker, and conduct an in-depth forensics investigation of suspected malicious network security incidents.

    JSA Incident Forensics reconstructs raw network data that is related to a security incident back into its original form.

    JSA Incident Forensics integrates with the IBM QRadar Security Intelligence Platform and is compatible with many third-party packet capture offerings.

    JSA Incident Forensics offers an optional JSA Packet Capture appliance to store and manage data that is used by JSA Incident Forensics if no other network packet capture (PCAP) device is deployed. Any number of these appliances can be installed as a tap on a network or sub-network to collect the raw packet data.

    JSA Packet Capture Components

    The following components can be included in a QRadar deployment:

    • JSA console -- Provides the JSA product user interface. In distributed deployments, use the JSA console to manage multiple JSA Incident Forensics Processor hosts.

    • JSA Incident Forensics Processor -- Provides the JSA Incident Forensics product interface. The interface delivers tools to retrace the step-by-step actions of cyber criminals, reconstruct raw network data that is related to a security incident, search across available unstructured data, and visually reconstruct sessions and events.

      You must add JSA Incident Forensics Processor as a managed host before you can use the security intelligence forensics capability.

    • JSA Incident Forensics Standalone -- Provides the JSA Incident Forensics product user interface. Installing JSA Incident Forensics Standalone provides the tools that you need to do forensics investigations. Only the forensics investigation functions and the related administrative functions are available.

    • JSA Packet Capture -- You can install an optional JSA Packet Capture appliance. If no other network packet capture (PCAP) device is deployed, you can use this appliance to store data that is used by JSA Incident Forensics. You can install any number of these appliances as a tap on a network or subnetwork to collect the raw packet data.

      If no packet capture device is attached, you can manually upload the packet capture files in the user interface or by using FTP.

      Depending on your network and packet capture requirements, you can connect up to five packet capture devices to a JSA Incident Forensics appliance.

    • JSA Packet Capture Data Node appliances -- For extra storage capacity, you can connect up to two JSA Packet Capture Data Node appliances to each JSA Packet Capture master system.

    All-in-One Deployment

    In standalone or all-in-one deployments, you install the JSA Incident Forensics Standalone software. These single-appliance deployments are similar to installing the JSA console and the JSA Incident Forensics managed host on one appliance, but without log management, network activity monitoring, or other security intelligence features. For a standalone network forensics solution, install JSA Incident Forensics Standalone in small to midsize deployments.

    The following diagram shows a basic JSA Incident Forensics All-in-One deployment.

    Figure 1: All-in-one Deployment

    Distributed Deployment

    In a distributed deployment, you can have the following three appliances:

    • JSA console

    • JSA Packet Capture managed host (JSA Packet Capture processor)

    • JSA Packet Capture (optional)

    Software versions for all JSA appliances in a deployment must be the same version and fix level. Deployments that use different versions of software are not supported.

    The following diagram shows a JSA Incident Forensics distributed deployment.

    Figure 2: Distributed Deployment

    The following diagram shows packet forwarding from an IBM QRadar QFlow Collector 1310 with a 10G Napatech network card to a JSA Packet Capture appliance.

    The JSA flow processor uses a dedicated Napatech monitoring card to copy incoming packets from one port on the card to a second port that connects to a JSA Packet Capture appliance.

    Figure 3: Packet Forwarding

    Forwarding Packets to JSA Packet Capture

    You can monitor network traffic by sending raw data packets to an IBM Security QRadar QFlow Collector 1310 appliance. The JSA flow processor uses a dedicated Napatech monitoring card to copy incoming packets from one port on the card to a second port that connects to a JSA Packet Capture appliance.

    As shown in the following diagram, if you already have a JSA flow processor 1310 with a 10G Napatech network card, you can mirror the traffic to JSA Packet Capture.

    Figure 4: Packet Data Forwarding from a JSA Flow Processor to JSA Packet Capture by Using the Napatech Card

    Ensure that the following hardware is set up in your environment:

    • The cable is attached to port 1 of the Napatech card on the JSA flow processor 1310 appliance.

    • The cable that is connected to port 2 of the Napatech card, which is the forwarding port, is attached to the JSA Packet Capture appliance.

    • Layer 2 connectivity is verified by checking for link lights on both appliances.

    1. Using SSH from your JSA console, log in to the JSA flow processor as the root user. On the JSA flow processor appliance, edit the following file.

      /opt/qradar/init/apply_tunings

      1. Locate the following line, which is around line 137.

        apply_multithread_qflow_changes() {
            APPLIANCEID=`$NVABIN/myver -a`
            if [ "$APPLIANCEID" == "1310" ]; then
                MODELNUM=$(/opt/napatech/bin/AdapterInfo 2>&1 | grep "Active FPGA Image" | cut -d'-' -f2)
                if [ "$MODELNUM" == "9220" ]; then
                    ...

      2. In the AppendToConf lines that follow the code in the preceding step, add these lines:

        AppendToConf SV_NAPATECH_FORWARD YES
        AppendToConf SV_NAPATECH_FORWARD_INTERFACE_SRCDST "0:1"

        These statements enable packet forwarding, and forward packets from port 0 to port 1.

      3. Ensure that multithreading is enabled by verifying that the following line is in the /opt/qradar/conf/nva.conf file.

        MULTI_THREAD_ON=YES

    2. Run the apply_tunings script from the /opt/qradar/init directory to update the configuration files on the JSA flow processor, by typing the following command:

      ./apply_tunings restart

    3. Restart JSA services by typing the following command:

      systemctl restart hostcontext

    4. Verify that your Napatech card is receiving and transmitting data.
      1. To verify that the Napatech card is receiving data, type the following command:

        /opt/napatech/bin/Statistics -dec -interactive

        The "RX" packet and byte statistics increment if the card is receiving data.

      2. To verify that the Napatech card is transmitting data, type the following command:

        /opt/napatech/bin/Statistics -dec -interactive

        The "TX" statistics increment if the card is transmitting data.

    5. Verify that your JSA Packet Capture is receiving packets from your JSA flow processor appliance.
      1. Using SSH from your JSA console, log in to your JSA Packet Capture appliance as root on port 4477.

      2. Verify that the JSA Packet Capture appliance is receiving packets by typing the following command:

        watch -d cat /var/www/html/statisdata/int0.txt

        The int0.txt file updates as data flows into your JSA Packet Capture appliance.

      For more information about packet capture, see the Managing Juniper SRX PCAP Data Technical Note.
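    The edit-and-verify steps of the procedure above, as an added shell example that is not Juniper's code: functions that check whether apply_tunings already carries the two AppendToConf statements and whether nva.conf has MULTI_THREAD_ON=YES, insert the statements in an idempotent way (with a .bak copy), and report whether the appliance is ready for "./apply_tunings restart" and "systemctl restart hostcontext". The make_samples helper writes constructed copies of the relevant file fragments so the checks can be exercised offline; the default paths are the ones the procedure names, and the SV_PLACEHOLDER_SETTING line in the sample is a constructed stand-in for the real AppendToConf lines that follow the 9220 test.

```shell
#!/bin/sh
# Added example, not Juniper's code: pre-flight checks for the Napatech
# packet-forwarding configuration described in the procedure above.
# Default paths are the ones the procedure names; they can be overridden
# so the functions can run against copies or constructed samples.

APPLY_TUNINGS_DEFAULT=/opt/qradar/init/apply_tunings
NVA_CONF_DEFAULT=/opt/qradar/conf/nva.conf

# Return 0 if the apply_tunings script already carries both AppendToConf
# statements that enable forwarding from port 0 to port 1.
has_forwarding_lines() {
    f="${1:-$APPLY_TUNINGS_DEFAULT}"
    grep -q 'AppendToConf SV_NAPATECH_FORWARD YES' "$f" &&
        grep -q 'AppendToConf SV_NAPATECH_FORWARD_INTERFACE_SRCDST "0:1"' "$f"
}

# Return 0 if nva.conf enables multithreading (MULTI_THREAD_ON=YES).
multithread_enabled() {
    grep -q '^MULTI_THREAD_ON=YES$' "${1:-$NVA_CONF_DEFAULT}"
}

# Insert the two AppendToConf statements directly after the line that tests
# for FPGA image model 9220, keeping a .bak copy. Does nothing if the
# statements are already present, so it is safe to run more than once.
add_forwarding_lines() {
    f="${1:-$APPLY_TUNINGS_DEFAULT}"
    if has_forwarding_lines "$f"; then
        return 0
    fi
    cp "$f" "$f.bak"
    awk '
        { print }
        /MODELNUM.*==.*"9220"/ && !done {
            print "            AppendToConf SV_NAPATECH_FORWARD YES"
            print "            AppendToConf SV_NAPATECH_FORWARD_INTERFACE_SRCDST \"0:1\""
            done = 1
        }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    has_forwarding_lines "$f"
}

# Return 0 only when both conditions hold; that is the point at which
# "./apply_tunings restart" and "systemctl restart hostcontext" are worth running.
forwarding_ready() {
    has_forwarding_lines "${1:-$APPLY_TUNINGS_DEFAULT}" &&
        multithread_enabled "${2:-$NVA_CONF_DEFAULT}"
}

# Write constructed sample files into a directory: the apply_tunings fragment
# quoted in the procedure (SV_PLACEHOLDER_SETTING is a constructed stand-in for
# the real AppendToConf lines that follow the 9220 test) and a one-line nva.conf.
make_samples() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/apply_tunings" <<'EOF'
apply_multithread_qflow_changes() {
    APPLIANCEID=`$NVABIN/myver -a`
    if [ "$APPLIANCEID" == "1310" ]; then
        MODELNUM=$(/opt/napatech/bin/AdapterInfo 2>&1 | grep "Active FPGA Image" | cut -d'-' -f2)
        if [ "$MODELNUM" == "9220" ]; then
            AppendToConf SV_PLACEHOLDER_SETTING YES
        fi
    fi
}
EOF
    printf 'MULTI_THREAD_ON=YES\n' > "$dir/nva.conf"
}
```

    Called without arguments, the functions check the appliance paths on a JSA flow processor; passed a directory written by make_samples, they run entirely offline. The .bak copy left by add_forwarding_lines is what you diff against if apply_tunings restart later produces an unexpected configuration.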

    Modified: 2017-09-13