TDA 2.0 - Trend Micro
Download
Report
Transcript TDA 2.0 - Trend Micro
Threat Discovery Appliance 2.0
Debug feature and troubleshooting
Presenter Name
Classification
Presenter Title
7/18/2015
TDA main debug UI
• Please log in TDA web console and modify the URL to:
• https://[TDA_Management_IP]/html/rdqa.htm
Copyright 2007 - Trend Micro Inc.
Log Enable/Disable
• To enable/disable the detection logs
Copyright 2007 - Trend Micro Inc.
Rule disable/enable
• Why?
– TDA provide customized rule detection for customer/analyzer
• How?
– URL: https://[TDA_Management_IP]/cgi-bin/cav_edit.cgi
• It will ask you to logon TDA first to avoid non-authorized
communication
– Check Mark as Apply (TDA takes effect immediately)
• Note
– Rule enable/disable setting will be overwritten after update
Network Content Correlation Pattern
Copyright 2007 - Trend Micro Inc.
Rule disable/enable (cont)
• Web console:
Copyright 2007 - Trend Micro Inc.
Debug Log
• URL: https://[TDA_Management_IP]/cgi-bin/cgiSetDebugLog.cgi
• It will ask you to logon TDA first to avoid non-authorized
communication
• Debug Level and Module Settings
– Debug Level
• disable,0-fatal,1-error,2-warning,3-info,4-debug
– Debug Module ID
• 1-cav, 3-fstream_serv, 4-mr_system_logger, 5-preconf, all
• Export Debug Log
• Debug Log Maintenance (Reset Debug Log)
• Note
– debug log will rotate when it reaches size of 10 M bytes.
Copyright 2007 - Trend Micro Inc.
Debug Log (cont)
• Web console:
Copyright 2007 - Trend Micro Inc.
Kernel mode status
• Show TDA kernel status:
Copyright 2007 - Trend Micro Inc.
ATOP
• A tool to show system performance
Copyright 2007 - Trend Micro Inc.
PS
• Show TDA process status
Copyright 2007 - Trend Micro Inc.
Trouble Shooting - 1
• After TDA is deployed, check if TDA can “see” the traffic
mirrored from the switch
– Execute Putty to logon TDA
and execute the command:
#tcpdump –ni br0
• You will find a lot of
“traffic” shown on screen.
=> traffic copied to TDA
Copyright 2007 - Trend Micro Inc.
Trouble Shooting - 2
• Check if packet is not dropped when mirrored to TDA
– https://[TDA_Management_IP]/htm/kmod_main.html
– “conntrack_count”
: concurrent connection
including all TCP state
– No packet dropped :
“nr_corrupt” is 0
– No packet dropped :
“ESTABLISHED” is almost
equal to “conntrack_count”
Copyright 2007 - Trend Micro Inc.
Trouble Shooting - 3
• SYN_SENT: the number of TCP sessions that are in
SYN_SENT state at the moment
• ESTABLISHED : the number of TCP sessions that are in
ESTABLISHED state at the moment
• nr_corrupt : accumulated number of TCP sessions that
are timed-out (60 seconds) in established state
=> numbers of sessions that had packet dropped
1:syn : SYN_SENT
2:synack : SYN_RECV
3:ack : ESTABLISHED
Data communication
client
Copyright 2007 - Trend Micro Inc.
server
Trouble Shooting - 4
• A case that TDA is “seeing”
packets , however, TCP
sessions is not established
maybe due to asymmetric
routing of the network
• TDA can not scan such
network traffic
• Customer should re-consider
the position of TDA or
use 2 ports for monitoring
Copyright 2007 - Trend Micro Inc.
Known threat logging disable
• Why?
– TDA can disable the log in database when it detects known
threat (VSAPI, Network Virus)
– Customer doesn’t want to see duplicate detection logs before the
victim client is taken care of
• How?
– URL: https://[TDA_Management_IP]/cgi-bin/cav_log.cgi
• It will ask you to logon TDA first to avoid non-authorized
communication
– Select VSAPI or Network Virus then save
(TDA takes effect immediately)
Copyright 2007 - Trend Micro Inc.
Thank You
Classification
2015/7/18
16
Copyright 2007 - Trend Micro Inc.