8 Replies Latest reply on Dec 8, 2016 7:07 AM by peter.mason

    Packet Capture for Alerts on NSM 8.3

    skatman88

      Hi All,

       

      I've inherited an NSM as part of my new role and for some reason the alerts have no packet capture assigned to them. Does anyone know if there's a guide on how to enable/configure this?

       

      Cheers

        • 1. Re: Packet Capture for Alerts on NSM 8.3
          ahmed.sabanaa

          Hi Sir,

          Packet capturing must be enabled on the Alert Settings.

          • 2. Re: Packet Capture for Alerts on NSM 8.3
            peter.mason

            Hi Skatman,

             

            Are you not seeing packet captures for any alerts at all, or only for some alerts?

             

            The admin guides are available at the below link

             

            Network Security Platform documentation reference guide

            https://kc.mcafee.com/agent/index?page=content&id=KB76064

            • 3. Re: Packet Capture for Alerts on NSM 8.3
              skatman88

              Hi All,

               

              The policy is enabled, but when you click on the "Export" button under "Attack Log" an error is thrown up stating "There is no packet capture associated with this alert. (If this is a new alert, the packet capture may become available once the alert is fully processed.)"

               

              The issue is, that no packet capture export ever becomes available.

              • 4. Re: Packet Capture for Alerts on NSM 8.3
                peter.mason

                Hi Skatman,

                 

                Is this just happening for certain types of alerts or all alerts?

                 

                Is this just an issue since upgrading to 8.3?

                 

                Are these throttled alerts?

                 

                Have you run Database tuning recently?

                 

                Peter

                • 5. Re: Packet Capture for Alerts on NSM 8.3
                  peter.mason

                  Also which version of 8.3 are you running?

                  • 6. Re: Packet Capture for Alerts on NSM 8.3
                    d_aloy

                    Hi Skatman

                     

                    What is your alert rate? You can see this on the NSM under Manage/Maintenance/Database Pruning/Alert Statistics

                    If you have a very high alert rate, it could be that the NSM is struggling to write those to disk - you can check ems.log for errors about alert cache being full, or monitor disk I/O

                     

                    If this is not the problem, then please check what are the alerts you are trying to see the packetlog for, as not all alerts contain pcap:

                    - Reconnaissance alerts do not have pcap

                    - Some DoS alerts (threshold, learning) do not have pcap

                    - Aggregated alert will not show pcap - check Attack Count on the RTTA, if it is more than 1 then you won't have pcap

                     

                    Finally, you could check the database and see if the iv_packetlog table has any data on it. You can correlate the alert id from that table and then confirm you can pull the pcap from the historical threat analyser.

                     

                    Regards

                    David

                    • 7. Re: Packet Capture for Alerts on NSM 8.3
                      skatman88

                      Hi All,

                       

                      Sorry for the late reply.

                       

                      In reply to peter.mason:

                       

                      Is this just happening for certain types of alerts or all alerts? This is happening on all alerts, although the only ones I can see in the last 48 hours are Policy Violation, Volume DoS, and Exploit. None of which we can obtain any packets from.

                       

                      Is this just an issue since upgrading to 8.3? We've only ever been on 8.3, it's a new system and has just been handed over to me. We've just upgraded from 8.3.7.7 to 8.3.7.28.

                       

                      Are these throttled alerts? I'm not sure what you mean by "throttled alerts"? I'm aware of "suppressed alerts", but these alerts are not them. They are standard alerts with a '1' under Attack Count.

                       

                      Have you run Database tuning recently? No, I've not. Do you recommend it? If so, what are the potential negative effects on the system and the end user? Should I run a back-up first?

                       

                      Also which version of 8.3 are you running? 8.3.7.28.

                       

                       

                      In reply to David:

                       

                      What is your alert rate? You can see this on the NSM under Manage/Maintenance/Database Pruning/Alert Statistics. Alert rate is 510 Alerts/Day. But under "Daily Alert and Packet Capture Disk Usage" we are seeing 0MB/day, despite the fact that under "Total Count for" we have 52481 for alerts and 53048 for packet captures.

                      If you have a very high alert rate, it could be that the NSM is struggling to write those to disk - you can check ems.log for errors about alert cache being full, or monitor disk I/O

                       

                      If this is not the problem, then please check what are the alerts you are trying to see the packetlog for, as not all alerts contain pcap: In the last 48 hours, the alerts that we are seeing are Policy Violation, Volume DoS, and Exploit.

                      - Reconnaissance alerts do not have pcap

                      - Some DoS alerts (threshold, learning) do not have pcap

                      - Aggregated alert will not show pcap - check Attack Count on the RTTA, if it is more than 1 then you won't have pcap

                       

                      Finally, you could check the database and see if the iv_packetlog table has any data on it. You can correlate the alert id from that table and then confirm you can pull the pcap from the historical threat analyser. I've found the "iv_packetlog" but I cannot open it. What tool should I use?

                      • 8. Re: Packet Capture for Alerts on NSM 8.3
                        peter.mason

                        Hi Skatman,

                         

                        Have a look at these KB articles; they list similar issues to yours which are fixed in newer versions of 8.3.

                         

                        https://kc.mcafee.com/agent/index?page=content&id=KB87343

                         

                        https://kc.mcafee.com/agent/index?page=content&id=KB87718

                         

                        If you haven't already opened an SR with support you should and ask them if they can confirm if the bugs listed in the articles affect you.

                         

                        Also, a new release of 8.3 came out yesterday, 8.3.7.44; if you need to upgrade you may as well go to it.

                         

                        Database tuning is recommended by McAfee to be run at least once a month; it's in the Admin Guide under the Routine Maintenance section. It's often a basic troubleshooting step.

                         

                        The iv_packetlog is a DB table; you can check the size of the file from Windows Explorer to see if anything is in it. You can log onto the SQL DB to check its contents.

                         

                        To check the volume of alerts in the table you need to log on to the SQL DB; details of how to log on are in this KB:

                         

                        https://kc.mcafee.com/agent/index?page=content&id=KB60660

                         

                        Once you're logged on you can use the following commands to get a count of alerts / packet logs in the db tables and a date range.

                         

                        select count(*) from iv_alert;

                        select count(*) from iv_packetlog;

                         

                        select max(creationtime) from iv_alert;

                        select min(creationtime) from iv_alert;

                         

                        select max(creationtime) from iv_packetlog;

                        select min(creationtime) from iv_packetlog;

                         

                        I recommend always creating a backup before you make any changes; your DB is quite small so it shouldn't take very long.

                         

                        Regards

                         

                        Peter
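
A per-day comparison of the two tables that David and Peter point at, added here as an example and not part of the thread or of McAfee's documentation. It uses only the identifiers named in the thread (iv_alert, iv_packetlog, creationtime) and assumes the NSM database is MySQL with creationtime stored as a DATETIME in both tables; the 14-day window is an arbitrary choice. Where Peter's min/max queries show the overall date range, this shows on which days alerts kept arriving while packet-log rows stopped, which is what the "0MB/day" disk-usage figure against a non-zero total count would look like in the data.

```sql
-- Added example (not from the thread): alert rows vs packet-log rows per day.
-- Assumes MySQL and a DATETIME creationtime column in both tables.
SELECT
    d.day,
    COALESCE(a.alerts, 0)     AS alerts,
    COALESCE(p.packetlogs, 0) AS packetlogs,
    COALESCE(a.alerts, 0) - COALESCE(p.packetlogs, 0) AS alerts_minus_packetlogs
FROM (
    -- every day present in either table, so a day with alerts but no
    -- packet logs is still listed instead of being hidden by an inner join
    SELECT DATE(creationtime) AS day FROM iv_alert
    UNION
    SELECT DATE(creationtime) AS day FROM iv_packetlog
) AS d
LEFT JOIN (
    SELECT DATE(creationtime) AS day, COUNT(*) AS alerts
    FROM iv_alert
    GROUP BY DATE(creationtime)
) AS a ON a.day = d.day
LEFT JOIN (
    SELECT DATE(creationtime) AS day, COUNT(*) AS packetlogs
    FROM iv_packetlog
    GROUP BY DATE(creationtime)
) AS p ON p.day = d.day
WHERE d.day >= CURDATE() - INTERVAL 14 DAY
ORDER BY d.day DESC;
```

Read the result with David's list in mind: reconnaissance, threshold/learning DoS and aggregated alerts never carry a pcap, so a positive alerts_minus_packetlogs on its own is normal. The symptom to look for is packetlogs staying at 0 on every recent day while alerts continues to climb, which points at the sensor-to-manager packet-log path rather than at the alert types, and is worth raising in the SR alongside the KB articles above.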