You want to know how to collect verbose HTTP logs and a packet capture from the on-premise scanner for InterScan Web Security Hybrid 3.0.
- Log on to the on-premise scanner either directly or via SSH as root.
Edit the configuration file /etc/iscan/intscan.ini as described in the KB article "Editing configuration files of Linux-based products", then modify the parameter as follows:
Find the parameter "verbose" in the [http] section. This parameter appears in other sections as well, so it is important to find the right one.
- Change the value of the parameter from "0" to "1" so the line looks like this: verbose=1
- Exit and save.
Reload the configuration with the following command:
Start a packet capture with the following command:
tcpdump -i any -s0 -w /var/tmp/tcpdump.pcap -W 5 -C 200
- "-i any" enables tcpdump to listen to any interface.
- "-s0" tells tcpdump to collect the entire packet content.
- "-W 5" tells tcpdump to store up to 5 rollover files (tcpdump.pcap0, tcpdump.pcap1 … tcpdump.pcap5, at which point it starts over).
- "-C 200" tells tcpdump to store up to 200 MB of packet data per file.
- Reproduce the issue.
- Stop the packet capture with CTRL+C.
Stop HTTP verbose logging by:
- Changing the value of the parameter "verbose" in the [http] section of the file /etc/iscan/intscan.ini back to "0".
- Reloading the configuration afterwards (as in step 3).
Collect the following information:
- URL and/or name of file accessed during reproduction
- Screenshots of what happens when the issue is reproduced
- All files in the folder /var/tmp/ starting with "tcpdump.pcap" using an SCP client such as WinSCP or an FTP client such as FileZilla in SFTP mode
- Open the web console for the on-premise scanner, go to System > Diagnostics, generate a diagnostics file and download it.