Threat Discovery Appliance 2.0 - Debug feature and troubleshooting

Uploaded by susan-russell, posted 03-Jan-2016


TRANSCRIPT


Copyright 2007 - Trend Micro Inc.

TDA main debug UI

• Log in to the TDA web console, then change the URL in the browser to:
– https://[TDA_Management_IP]/html/rdqa.htm

Log Enable/Disable

• To enable/disable the detection logs


Rule disable/enable

• Why?
– TDA provides customized rule detection for customer/analyzer use, so individual rules sometimes need to be switched off or back on

• How?
– URL: https://[TDA_Management_IP]/cgi-bin/cav_edit.cgi
– It will ask you to log on to TDA first, to prevent unauthorized access
– Tick the rule's checkbox and click Apply (it takes effect on TDA immediately)

• Note
– The rule enable/disable setting is overwritten by the next Network Content Correlation Pattern update, so it has to be re-applied after each pattern update

Rule disable/enable (cont)

• Web console: (screenshot)

Debug Log

• URL: https://[TDA_Management_IP]/cgi-bin/cgiSetDebugLog.cgi
• It will ask you to log on to TDA first, to prevent unauthorized access
• Debug Level and Module Settings
– Debug Level: disable, 0-fatal, 1-error, 2-warning, 3-info, 4-debug
– Debug Module ID: 1-cav, 3-fstream_serv, 4-mr_system_logger, 5-preconf, all
• Export Debug Log
• Debug Log Maintenance (Reset Debug Log)
• Note
– The debug log rotates when it reaches a size of 10 MB, so export it as soon as the problem has been reproduced and set the level back to disable afterwards; otherwise the entries you need are rotated out and the appliance keeps paying the logging overhead

Debug Log (cont)

• Web console: (screenshot)

Kernel mode status

• Show TDA kernel status: (screenshot)

ATOP

• A tool to show system performance (screenshot)

PS

• Show TDA process status (screenshot)

Trouble Shooting - 1

• After TDA is deployed, check whether TDA can "see" the traffic mirrored from the switch
– Use PuTTY to log on to TDA and execute the command:
  # tcpdump -ni br0
– You should see a lot of "traffic" scrolling on the screen => traffic is being copied to TDA

Trouble Shooting - 2

• Check that packets are not dropped when mirrored to TDA
– https://[TDA_Management_IP]/htm/kmod_main.html
– "conntrack_count": concurrent connections, including all TCP states
– No packets dropped: "nr_corrupt" is 0
– No packets dropped: "ESTABLISHED" is almost equal to "conntrack_count"

Trouble Shooting - 3

• SYN_SENT: the number of TCP sessions that are in SYN_SENT state at the moment
• ESTABLISHED: the number of TCP sessions that are in ESTABLISHED state at the moment
• nr_corrupt: accumulated number of TCP sessions that timed out (60 seconds) in ESTABLISHED state => the number of sessions that had packets dropped

Diagram: TCP handshake between client and server, followed by data communication
1: syn => SYN_SENT
2: synack => SYN_RECV
3: ack => ESTABLISHED

Trouble Shooting - 4

• A case where TDA is "seeing" packets but TCP sessions are not established may be due to asymmetric routing in the network: TDA only sees one direction of each flow, so the handshake never completes from its point of view
• TDA cannot scan such network traffic
• The customer should reconsider the position of TDA, or use 2 ports for monitoring so that both directions of the traffic reach TDA
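The four troubleshooting steps above, turned into one check script. This is an added example, not a script from the Trend Micro deck or the TDA appliance. It assumes that the counters from kmod_main.html can be fed in as plain "name value" lines (the sample dumps below are constructed), that "ESTABLISHED almost equal to conntrack_count" means within 10%, that SYN_SENT exceeding ESTABLISHED is the asymmetric-routing symptom of slide 4, and that tcpdump and timeout are available on the appliance shell.

```shell
#!/bin/sh
# Added example (not part of the Trend Micro deck): applies the
# "Trouble Shooting 1-4" heuristics from the slides to TDA counters.
#
# Assumptions not stated on the slides:
#   - kmod_main.html counters are supplied as "name value" (or "name: value")
#     lines; the sample dumps below are constructed, not real output.
#   - more than 10% of tracked connections not ESTABLISHED counts as
#     "ESTABLISHED is not almost equal to conntrack_count".
#   - SYN_SENT larger than ESTABLISHED is read as asymmetric routing
#     (handshakes start but TDA never sees them complete).
#   - tcpdump and timeout exist on the appliance.

# mirror_visible IFACE: step 1, does the mirror port deliver any packets?
# Succeeds once 20 packets arrive, fails after 10 seconds of silence.
# Not exercised by the sample run below (needs a real interface).
mirror_visible() {
    timeout 10 tcpdump -ni "${1:-br0}" -c 20 >/dev/null 2>&1
}

# check_conntrack STATUS_TEXT: steps 2-4, judge the kernel-module counters.
# Prints one verdict word (OK, NO_TRAFFIC, DROPS, ASYMMETRIC) and returns
# 0, 3, 1 or 2 respectively so it can be used from cron or a wrapper.
check_conntrack() {
    printf '%s\n' "$1" | awk '
        { sub(/:$/, "", $1) }                      # accept "name:" as well as "name"
        $1 == "conntrack_count" { total   = $2 + 0 }
        $1 == "ESTABLISHED"     { est     = $2 + 0 }
        $1 == "SYN_SENT"        { syn     = $2 + 0 }
        $1 == "nr_corrupt"      { corrupt = $2 + 0 }
        END {
            if (total == 0)           { print "NO_TRAFFIC"; exit 3 }  # nothing tracked: go back to step 1
            if (corrupt > 0)          { print "DROPS";      exit 1 }  # sessions timed out while ESTABLISHED
            if (syn > est)            { print "ASYMMETRIC"; exit 2 }  # handshakes seen but never completed
            if (est * 10 < total * 9) { print "DROPS";      exit 1 }  # ESTABLISHED far below conntrack_count
            print "OK"
        }'
}

# Constructed sample dumps (not real appliance output).
SAMPLE_OK='conntrack_count 1532
SYN_SENT 41
ESTABLISHED 1470
nr_corrupt 0'

SAMPLE_DROPS='conntrack_count 1532
SYN_SENT 41
ESTABLISHED 1470
nr_corrupt 87'

SAMPLE_ASYMMETRIC='conntrack_count 1532
SYN_SENT 1200
ESTABLISHED 12
nr_corrupt 0'

# Demo run: prints OK, DROPS, ASYMMETRIC (one per line).
for s in "$SAMPLE_OK" "$SAMPLE_DROPS" "$SAMPLE_ASYMMETRIC"; do
    check_conntrack "$s" || :
done
```

On a real appliance the input would come from the kmod status page rather than a here-string, and mirror_visible br0 is the first thing to run when the verdict is NO_TRAFFIC, because an empty conntrack table usually means the switch is not mirroring at all rather than that TDA is dropping packets.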


Known threat logging disable

• Why?
– TDA can disable logging to the database when it detects a known threat (VSAPI, Network Virus)
– The customer does not want to see duplicate detection logs before the victim client has been taken care of

• How?
– URL: https://[TDA_Management_IP]/cgi-bin/cav_log.cgi
– It will ask you to log on to TDA first, to prevent unauthorized access
– Select VSAPI or Network Virus, then save (it takes effect on TDA immediately)


Thank You