
Learning More about SmartView Tracker Logs: InterSpect NGX Packets Capture


Check Point Reference: SBP-2006-08
Date Published:
Severity:
Last Updated:
Source: SmartDefense Research Center
Protection Provided by: InterSpect
  • NGX
Who is Vulnerable?
Vulnerability Description
Packet streams that trigger a SmartDefense or Web Intelligence protection can be stored as raw data. The captured packets can be examined with the internal packet viewer or with any protocol analyzer, such as Ethereal, Snoop or tcpdump.

Packet capture is available for all protections as well as new protections that are added using the SmartDefense updates service.

Examining a captured packet with a network protocol analyzer can reveal a lot of information about an attack. The log entry shows only selected fields extracted from the packet, together with some related information, whereas the packet capture contains the whole packet. The capture can be used to analyze the packet further and can help troubleshoot network problems. Packet captures are attached to the relevant log entries and can be viewed in SmartView Tracker. Log entries that carry a captured packet stream are identified by the packet capture icon shown next to the entry:

[Screenshot: SmartView Tracker log entry with the packet capture icon]

Vulnerability Details
Captured packets are stored on the InterSpect appliance under $FWDIR/log/packets_capture. By default, up to 15% of the appliance's storage space may be used for packet captures. The limit is configurable on the InterSpect > Logging page, either as a percentage of disk space or as a value in megabytes. When the configured limit is reached, the oldest packet captures are deleted as new ones are saved. Because each capture holds the entire packet, including its payload, the contents of this directory should be treated as sensitive, and captures that matter for an investigation should be saved elsewhere before retention removes them.
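The retention behaviour described above (a size limit, with the oldest captures deleted first once it is reached) is easy to get wrong when scripted by hand. The following is an added example written for this page, not Check Point code: it models that policy for a directory of *.capture files. The function names, the kilobyte-based interface, the "*.capture" glob and the use of modification time as the age of a capture are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Check Point code): a retention policy that mirrors the
# behaviour described for $FWDIR/log/packets_capture. When the stored
# captures exceed a configured limit, the oldest captures are deleted first.
# Function names, the KB-based interface and the "*.capture" glob are
# assumptions made for this example.

# capture_usage_kb DIR
# Print the total size of all *.capture files in DIR, in KB (rounded up).
capture_usage_kb() {
    dir=$1
    total=0
    for f in "$dir"/*.capture; do
        [ -f "$f" ] || continue          # an unmatched glob stays literal; skip it
        size=$(wc -c < "$f")
        total=$((total + size))
    done
    echo $(( (total + 1023) / 1024 ))
}

# limit_kb_from_percent DIR PERCENT
# Convert a percentage of the filesystem that holds DIR into a KB limit,
# the way the "percentage of disk space" setting on the Logging page is
# expressed (15 is the documented default).
limit_kb_from_percent() {
    dir=$1
    pct=$2
    total_kb=$(df -Pk "$dir" | awk 'NR == 2 { print $2 }')
    echo $(( total_kb * pct / 100 ))
}

# prune_captures DIR LIMIT_KB
# Delete the oldest *.capture files in DIR (by modification time) until the
# capture usage is at or below LIMIT_KB. Each deleted path is printed so the
# action is visible in the appliance's own logs when run from cron.
prune_captures() {
    dir=$1
    limit_kb=$2
    while [ "$(capture_usage_kb "$dir")" -gt "$limit_kb" ]; do
        oldest=$(ls -tr "$dir"/*.capture 2>/dev/null | head -n 1)
        [ -n "$oldest" ] || break        # nothing left to delete
        rm -f -- "$oldest"
        echo "pruned: $oldest"
    done
}

# Example invocation on an appliance, using the documented 15% default:
#   prune_captures "$FWDIR/log/packets_capture" \
#       "$(limit_kb_from_percent "$FWDIR/log/packets_capture" 15)"
```

The loop recomputes usage after every deletion rather than deleting a precomputed batch, so a limit that is already satisfied removes nothing, and the `[ -n "$oldest" ] || break` guard stops the loop when the directory is empty instead of spinning. Run it against a copy of the directory first if you want to see which captures would be removed.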

Protection Overview
Examining a captured packet with a network protocol analyzer can reveal far more information about an attack than the SmartView Tracker log entry shows. The packet capture can also be used to analyze the packet further, to determine why it was logged, and in some cases to troubleshoot network problems.

To configure the defense, select your product from the list below and follow the related protection steps.

InterSpect NGX

How Can I Protect My Network?
The captured packet can be examined using an internal packet viewer or any protocol analyzer, such as Ethereal, Snoop or tcpdump.

To choose the protocol analysis application that will be used to view the captured packets:

1. Select the log record for which you would like to choose the protocol analysis application.
2. Right-click the log record and select View packets capture.
3. In the View Captured Packets window, select one of the following:
  • Internal Viewer, to examine the captured packets using the internal packet viewer.
  • Associated program (via Windows association), to examine the captured packets using the program that Windows associates with the extension of the packet capture file (*.capture).
  • Choose program, to examine the captured packets using a program you specify.

How Do I Know if My Network is Under Attack?
Packet captures are added to the relevant logs and can be viewed in SmartView Tracker.

To view the captured packets in SmartView Tracker:

1. Right-click a log record that has an associated packet capture (identified by the brown icon next to it).
2. Select one of the following:
  • View packets capture, to examine the packets immediately using either the internal packet viewer or an external network protocol analyzer (e.g. Ethereal, Snoop, tcpdump).
  • Save as packets capture, to save the packets to a file for later analysis.