To troubleshoot Sensor detection issues, you must analyze the traffic that causes the issue and determine which parts of the Sensor are involved. Sometimes it isn't possible to determine why a detection does or doesn't occur without a full, unencrypted packet capture in PCAP format.
The Sensor protocol engine maintains several complex state machines to achieve detection accuracy. These state machines are optimized for performance, so standard Sensor firmware can log only the final result, not the intermediate states.
Support needs a full capture in PCAP format because it allows them to replay the collected traffic through Sensors equipped with debug features. For example, when the Sensor parses HTTP data, it maintains a state machine for the HTTP request and HTTP response. Elements such as the method (GET, PUT, POST), the URI, and the HTTP headers are analyzed. For each vulnerability or threat signature, the Sensor checks whether the trigger condition occurs in the correct state. With partial packet logs, it's impossible to reproduce the complete state-machine transition.
The issue might not be in the final state; it can be in an earlier step of the sequence, before the point where the attack is triggered.
Technical Support requires a packet capture of the complete flow (from the first packet of the connection onward) in PCAP format to perform the following:
- Reproduce the issue
- Evaluate the state-machine transition
- Debug all related conditions
- Determine why a detection has triggered or not
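The following Python example is added here to illustrate the point above; it is not Sensor code and the signature it uses is hypothetical. It implements a minimal HTTP request state machine (request line, headers, body) in which a trigger condition (a path-traversal token) counts only when it occurs in the BODY state of a POST. Replaying the full flow produces the alert; replaying only the packet that "contains the attack" leaves the parser waiting in its initial state, and a flow whose request line is malformed never reaches the body at all, which is the "issue in an earlier state" case. The sample segments are constructed for the example, and the transition log stands in for what a debug-enabled Sensor would record.

```python
from dataclasses import dataclass, field
from enum import Enum, auto

# Hypothetical trigger condition: a path-traversal token inside a POST body.
TRAVERSAL = b"../../"


class State(Enum):
    REQUEST_LINE = auto()
    HEADERS = auto()
    BODY = auto()
    DONE = auto()
    NOT_HTTP = auto()   # parser gave up on this flow; nothing further is inspected


@dataclass
class HttpRequestParser:
    """Minimal HTTP request state machine for one direction of a TCP flow."""
    state: State = State.REQUEST_LINE
    method: str = ""
    uri: str = ""
    headers: dict = field(default_factory=dict)
    body: bytes = b""
    buf: bytes = b""
    transitions: list = field(default_factory=list)  # what a debug build would log
    alerts: list = field(default_factory=list)

    def _go(self, new: State) -> None:
        self.transitions.append((self.state.name, new.name))
        self.state = new

    def feed(self, segment: bytes) -> None:
        """Consume one TCP segment's payload and advance the state machine."""
        self.buf += segment
        while True:
            if self.state is State.REQUEST_LINE:
                line, sep, rest = self.buf.partition(b"\r\n")
                if not sep:
                    return                      # wait for more data
                self.buf = rest
                parts = line.decode("ascii", "replace").split(" ")
                if len(parts) != 3 or not parts[2].startswith("HTTP/"):
                    self._go(State.NOT_HTTP)    # malformed request line: stop parsing
                    return
                self.method, self.uri = parts[0], parts[1]
                self._go(State.HEADERS)
            elif self.state is State.HEADERS:
                line, sep, rest = self.buf.partition(b"\r\n")
                if not sep:
                    return
                self.buf = rest
                if line == b"":
                    self._go(State.BODY)        # blank line ends the header block
                    continue
                name, _, value = line.decode("ascii", "replace").partition(":")
                self.headers[name.strip().lower()] = value.strip()
            elif self.state is State.BODY:
                need = int(self.headers.get("content-length", "0"))
                if len(self.buf) < need:
                    return                      # body not complete yet
                self.body, self.buf = self.buf[:need], self.buf[need:]
                self._check_signature()
                self._go(State.DONE)
            else:
                return                          # DONE or NOT_HTTP: ignore the rest

    def _check_signature(self) -> None:
        # The trigger is valid only in the BODY state of a POST request;
        # the same bytes seen while in another state do not count.
        if self.state is State.BODY and self.method == "POST" and TRAVERSAL in self.body:
            self.alerts.append(f"traversal in POST body to {self.uri}")


def replay(segments: list) -> HttpRequestParser:
    """Replay captured payload segments, in order, through a fresh parser."""
    parser = HttpRequestParser()
    for seg in segments:
        parser.feed(seg)
    return parser


# Constructed sample traffic for the example (not taken from any real capture).
BODY_PKT = b"file=../../etc/passwd"            # 21 bytes
FULL_FLOW = [
    b"POST /download HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 21\r\n\r\n",
    BODY_PKT,
]
PARTIAL_FLOW = [BODY_PKT]                       # only the packet "containing the attack"
MALFORMED_FLOW = [
    b"POST /download HTTP1.1\r\nContent-Length: 21\r\n\r\n",   # version lacks "HTTP/"
    BODY_PKT,
]

if __name__ == "__main__":
    for name, flow in (("full", FULL_FLOW), ("partial", PARTIAL_FLOW), ("malformed", MALFORMED_FLOW)):
        p = replay(flow)
        print(f"{name:9s} final={p.state.name:12s} transitions={p.transitions} alerts={p.alerts}")
```

Only the full replay explains the verdict: the partial replay shows no transitions at all, and the malformed replay shows a single transition to NOT_HTTP, which is exactly the kind of earlier-state problem that cannot be diagnosed from the final result alone.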
IMPORTANT: If the issue occurs in SSL traffic, remember the following:
- It's impossible to generate decrypted packet captures on the Sensor, even when a private key has been added to the Sensor
- This is true even when the Sensor is decrypting and parsing the SSL traffic successfully
When SSL certificates are imported on the Sensor, they're provided to the Sensor backend, which decrypts the encrypted traffic. The packet capture feature is implemented at the Sensor front end, which captures packets directly from the switch, unmodified. Any capture taken on the Sensor therefore contains the traffic as it arrived on the wire, still encrypted.