Loading...

Knowledge Center

How to submit Network Security Platform false positives and incorrect detections to Technical Support
Technical Articles ID:   KB55743
Last Modified:  5/11/2018
Rated:

Environment

McAfee Network Security Manager (NSM) 9.x, 8.x

Summary

When you contact Technical Support directly or via the ServicePortal, you must provide the following information. This information enables Technical Support to accurately review incorrect identifications on the Network Security Platform:
  • All version numbers for Sensor software, Manager software, and Signature Sets.
  • Information about protocols in use on the network that are suspected of triggering the incorrect identification.
  • Information about the applications suspected of generating the incorrect identifications. For example, version numbers and websites for more information.
  • Evidence reports from the Manager. When possible, submit with full flow logging enabled for the specific alert.
  1. Enable full flow logging:
    • NSM 8.1.x
      1. From the Manager Network Console, select PolicyIntrusion PreventionIPS Policies
      2. Click the Policies tab, open the Policy Editor, and click the appropriate policy.

        NOTE: If the policy is a preinstalled or the default policy, clone it before changing it.
         
      3. Click View/Edit, and select Inbound or Outbound, depending on the direction of the suspected attacks you want checked.
      4. Select Attacks Selected. If the protocol is identified, select it from the list. Otherwise, click All Protocols.
      5. Click View/Edit, and select the attack that is suspected of being False/Positive.
      6. Click View/Edit, click the Logging tab, and click Enable Logging.
      7. Click the Log Entire Packet drop-down list. Select Single Flow in the Flow field, and then select Rest of Flow.
      8. Click OK, and then click Done.
      9. Click Commit Changes.
         
        NOTE: If you cannot gather the information, use the following steps instead:
         
        1. Click Forensic Analysis (flows from/to source and flows from destination).
        2. Enter 30 (Packets) in the Capture n Packets drop-down list.
        3. Click OK, and then click Done.
           
    • NSM 8.3.x, NSM 9.x
      1. Open the Manager console, click Policy, Intrusion Prevention, Policy Types, IPS Policies.
      2. Select the appropriate policy that is applied to the Sensor.
      3. Click Edit.
      4. Double-click the alert that requires full flow logging enabled.
      5. On the right side of the window, navigate to Settings, Sensor Actions, Capture Packets.
      6. Set Attack and Pre-Attack to Enabled.
      7. Set Post-Attack to Enabled
      8. Set Flows to Capture to Attack Flow Only and Rest of Flow
      9. Set Bytes to Capture to All Bytes in Each Packet.
      10. Click Update at the bottom right corner, then click Save.
        You see a pop-up message with the updates displayed.
         
      11. Click Confirm.
         
  2. Deploy the changed policy to the Sensors:
    1. Click the Devices tab.
    2. Select the appropriate Device from the Device drop-down list.
    3. Click Deploy pending changes.
    4. Make sure that there is a check mark in the Configuration and signature set box.
    5. Click Deploy to push the update policy to the Sensor.
       
  3. Wait for the alert suspected to be a false positive to be triggered, then save the Evidence Report:
    • NSM 8.1.x:
      1. Start Historical/Real-time Alert Manager and double-click the alert with the false positive.
      2. Click Save As Evidence Report.
      3. Click Save Packet Log.
      4. Select Show Entire Flow.
      5. Click Save. Name the file appropriately to save the Evidence Report. There are two files, PCAP and Report.csv in the Evidence Report.
        NOTE: Ensure that you open the PCAP with Wireshark and verify that there are about 10 packets listed. 
         
      6. Provide any additional information about why you suspect this alert is an incorrect identification, and any comments or thoughts about why the alert might have triggered.
      7. Perform a packet capture of the network traffic in question through a third-party application. Technical Support recommends Wireshark for this purpose.

        IMPORTANT: Your submission requires a minimum of two Evidence Reports with packet logs attached. After you have submitted this information, Technical Support will work with the Network Security Platform Detection Team to confirm the incorrect identification and the best course of action to correct it.
         
    • NSM 8.3.x and NSM 9.x:
      1. Click the Analysis tab then click the Attack log.
      2. Double-click the triggered attack suspected as a false positive. You see a window open on the right side.
      3. Click Export, select Alert details. You see the Export Alert Details window open.
      4. Click the Include Packet Capture box. 
      5. In the Optional Comment field, add a comment why you suspect the alert is a false positive.
      6. Click Export and name the file. There are two files, PCAP and Report.csv in the Evidence Report.
        NOTE: Open the PCAP with Wireshark and verify that there are about 10 packets listed. 
         
      7. Provide any additional information about why you suspect the alert is an incorrect identification and any comments or thoughts about why the alert might have triggered.
      8. Perform a packet capture of the network traffic in question through a third-party application. Technical Support recommends Wireshark for this purpose.

        IMPORTANT: Your submission requires a minimum of two Evidence Reports with packet logs attached. Technical Support works with the Network Security Platform Detection Team to confirm the incorrect identification and the best course of action to correct it.

Related Information

Additional Information:

In some scenarios, the Evidence Report is not sufficient to determine the false detection. In such a scenario, you collect debug logs using the debug command, and enable aidlog using the Sensor command-line interface (CLI) for the suspected signature only. You then reproduce the issue and collect the logs for this time period only:
  1. Open a Sensor command-line session using SSH and when prompted enter the administrative user name and password. ;
  2. Type debug and press ENTER. You see the IntruDbg#> prompt.
  3. Type the following command and press ENTER:

    Set aidlog enable <attackID>

    For example, set aidlog enable 0x40006000

    NOTE: This ID is obtained from the signature description for the IntruVert Attack ID. If you do not know the Attack ID, view the Attack description details or search the Knowledge Base for the name of the attack. 
     
  4. Reproduce the false positive and gather the results:
    1. Type Show aidlog status and press ENTER.
    2. Wait for the false positive to trigger a few times on the Sensor.
    3. Immediately grab the Sensor trace from the Sensor. For full steps, see KB55549 - How to collect a diagnostics trace from the Network Security Platform Sensor.

      NOTE: Pushing a SigSet or changing the Sensor configuration before grabbing the Sensor trace erases the required debug information from the trace output.

      Aidlog and Sensor trace information are correlated, and both are required for debugging.
       
  5. Disable logging after you collect the trace file:
    1. Disable logging:
      Type set aidlog disable <attackID> and press ENTER.
       
    2. Verify that aidlog is off or disabled:
      Type Show aidlog status and press ENTER.
       
    3. Exit the Sensor:
      Type exit and press ENTER.

Previous Document ID

KB39353

Rate this document

Beta Translate with

Select a desired language below to translate this page.

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.