From Deep Discover Inspector (DDI) version 5.0, the packet capture feature is available to help customers collect malicious traffic information associated with certain hosts and/or detection rules. It also allows investigators to look for clues and connections during and around the time of attack.
This article provides a quick introduction about packet capture and what IP should be configured for client host.
If you are interested in some DDI detections, and keen to collect corresponded network traffics, packet capture is a great feature that you can use.
To enable the packet capture, go to Administration > Monitoring / Scanning > Packet Capture then tick the Enable packet capture checkbox.
After enabling the packet capture, adding or modifying the existing packet capture rule is needed, and Client Host and Detection Criteria are two important fields.
Currently, the rules of packet capture only takes effect to IP which is indicated as real "Client", indicating that client initiate the story or transaction.
To check "Client" information from detection:
From exported detection file (CSV format), we could see there is a column named "Client Flag".
- If the Client Flag's value is "1", then the Source IP is the client
- If Client Flag's value is "2", then the Destination IP is the client
That is, if the Client Flag's value is 1, configure the Source IP or IP range that covers the Source IP in the Client Host field.
Another quick way to check the "Client" is via DDI Detection Details web page.
From the Detection Details page, the user will find a blue point in the connection summary section.
The IP address labeled with blue color is the "Client" that you should configure in Client Host field.
As for the detection criteria, it is recommended to specify more details to narrow down the scope when configuring packet capture rule, also reducing the potential performance impact.
For example, adding a specific DDI detection rule ID or description, and only performing packet capture when the detection severity is over than a certain level is suggested.
Once the network traffic matches the packet capture rule, DDI will prepare and offer the pcap file.
A security analyst may download the pcap file via the web console directly as shown in the following image.
To do further investigation, the security analyst may open the unzipped pcap file with other tools, for example, wireshark, to browse the pcap content and find the detected packet via the"pkt_comment" filter.
If the security analyst would like to search all detections which have PCAP files, using the Advanced Filter via the detection search page is recommended.