How to submit Network Security Platform false positives and incorrect detections to Technical Support

Technical Articles ID: KB55743
Last Modified: 4/27/2021

Environment

McAfee Network Security Manager (NSM)

Summary

When you contact Technical Support directly or via the ServicePortal, you must provide the following information. This information enables Technical Support to accurately review incorrect identifications on the Network Security Platform:

All version numbers for Sensor software, Manager software, and Signature Sets.
Information about protocols in use on the network that are suspected of triggering the incorrect identification.
Information about the applications suspected of generating the incorrect identifications. For example, version numbers and websites for more information.
Evidence reports from the Manager. When possible, submit with full flow logging enabled for the specific alert.

Enable full flow logging:
1. Open the Manager console, click Policy, Intrusion Prevention, Policy Types, IPS Policies.
2. Select the appropriate policy that is applied to the Sensor.
3. Click Edit.
4. Double-click the alert that requires full flow logging enabled.
5. On the right side of the window, navigate to Settings, Sensor Actions, Capture Packets.
6. Set Attack and Pre-Attack to Enabled.
7. Set Post-Attack to Enabled.
8. Set Flows to Capture to Attack Flow Only and Rest of Flow.
9. Set Bytes to Capture to All Bytes in Each Packet.
10. Click Update at the bottom-right corner, then click Save.
  You see a pop-up message with the updates displayed.
11. Click Confirm.
Deploy the changed policy to the Sensors:
1. Click the Devices tab.
2. Select the appropriate Device from the Device drop-down list.
3. Click Deploy pending changes.
4. Make sure that there is a checkmark in the Configuration and signature set box.
5. Click Deploy to push the update policy to the Sensor.
Wait for the alert suspected to be a false positive to be triggered, then save the Evidence Report:
1. Click the Analysis tab then click the Attack log.
2. Double-click the triggered attack suspected as a false positive. You see a window open on the right side.
3. Click Export, select Alert details. You see the Export Alert Details window open.
4. Click the Include Packet Capture box.
5. In the Optional Comment field, add a comment why you suspect the alert is a false positive.
6. Click Export and name the file. There are two files, PCAP and Report.csv in the Evidence Report.
  NOTE: Open the PCAP with Wireshark and verify that there are about 10 packets listed.
7. Provide any additional information about why you suspect that the alert is an incorrect identification and any comments or thoughts about why the alert might have triggered.
8. Perform a packet capture of the network traffic in question through a third-party application. Technical Support recommends Wireshark for this purpose.
  IMPORTANT: Your submission requires a minimum of two Evidence Reports with packet logs attached. Technical Support works with the Network Security Platform Detection Team to confirm the incorrect identification and the best course of action to correct it.

Related Information

Additional Information:

In some scenarios, the Evidence Report is not sufficient to determine the false detection. In such a scenario, you collect debug logs using the debug command, and enable aidlog,/path> using the Sensor command line interface (CLI) for the suspected signature only. You then reproduce the issue and collect the logs for this time period only:

Open a Sensor command-line session using SSH and when prompted enter the administrative user name and password. ;
Type debug and press ENTER. You see the IntruDbg#> prompt.
Type the following command and press ENTER:

Set aidlog enable <attackID>

For example, set aidlog enable 0x40006000,/path>

NOTE: This ID is obtained from the signature description for the IntruVert Attack ID. If you do not know the Attack ID, view the Attack description details or search the Knowledge Base for the name of the attack.
Reproduce the false positive and gather the results:
1. Type Show aidlog status and press ENTER.
2. Wait for the false positive to trigger a few times on the Sensor.
3. Immediately grab the Sensor trace from the Sensor. For full steps, see: KB55549 - How to collect a diagnostics trace from the Network Security Platform Sensor.
  
  NOTE: Pushing a SigSet or changing the Sensor configuration before grabbing the Sensor trace erases the needed debug information from the trace output.
  
  Aidlog and Sensor trace information are correlated, and both are needed for debugging.
Disable logging after you collect the trace file:
1. Disable logging:
  Type set aidlog disable <attackID> and press ENTER.
2. Verify that aidlog is off or disabled:
  Type Show aidlog status and press ENTER.
3. Exit the Sensor:
  Type exit and press ENTER.

Previous Document ID ^(Secured)

KB39353

Affected Products

Diagnostic Data Collection
Known Issue/Product Defect
Network Security Manager 9.2.x
Network Security Manager 9.1.x
Network Security Manager 10.x
Network Security Sensor Appliance 10.x

Languages:

This article is available in the following languages:

German
English United States
Spanish Spain
French
Italian
Japanese
Korean
Dutch
Portuguese Brasileiro
Chinese Simplified
Chinese Traditional

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Knowledge Center

How to submit Network Security Platform false positives and incorrect detections to Technical Support

Environment

Summary

Related Information

Previous Document ID ^(Secured)

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Knowledge Center

How to submit Network Security Platform false positives and incorrect detections to Technical Support

Environment

Summary

Related Information

Previous Document ID (Secured)

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title

Previous Document ID ^(Secured)