Additional Information:
In some scenarios, the Evidence Report is not sufficient to determine whether a detection is a false positive. In such a scenario, collect debug logs with the debug command and enable aidlog from the Sensor command-line interface (CLI) for the suspected signature only. Then reproduce the issue and collect the logs for that time period only:
- Open a Sensor command-line session using SSH and, when prompted, enter the administrative user name and password.
- Type debug and press ENTER. The IntruDbg#> prompt appears.
- Type the following command and press ENTER:
set aidlog enable <attackID>
For example: set aidlog enable 0x40006000
NOTE: This ID is the IntruVert Attack ID shown in the signature description. If you do not know the Attack ID, view the attack description details or search the Knowledge Base for the name of the attack.
- Reproduce the false positive and gather the results:
- Type show aidlog status and press ENTER to confirm that aidlog is enabled for the Attack ID.
- Wait for the false positive to trigger a few times on the Sensor.
- Immediately grab the Sensor trace from the Sensor. For full steps, see: KB55549 - How to collect a diagnostics trace from the Network Security Platform Sensor.
NOTE: Pushing a SigSet or changing the Sensor configuration before grabbing the Sensor trace erases the needed debug information from the trace output.
The aidlog output and the Sensor trace are correlated, so both are required for debugging.
- Disable logging after you collect the trace file:
- Disable logging:
Type set aidlog disable <attackID> and press ENTER.
- Verify that aidlog is off or disabled:
Type show aidlog status and press ENTER.
- Exit the Sensor:
Type exit and press ENTER.