How to submit Network Security Platform false positives and incorrect detections to McAfee Support

Environment

McAfee Network Security Manager 7.x, 6.x

Summary

If you contact Technical Support, either directly or online via the ServicePortal, McAfee requires the following information to accurately review a suspected incorrect identification on the Network Security Platform:

  • All version numbers for Sensor Software, Manager Software, and Signature Sets.

  • Information on protocols being used on the network that are suspected of triggering the incorrect identification.

  • Information on the applications suspected of generating the incorrect identifications (for example, version numbers and websites for more information).

  • Evidence reports from the Manager. Whenever possible, submit with full flow logging enabled for the specific alert.

  1. Enable full flow logging:

    1. From the Manager Network Console, click Configure. In the resource tree, select Policies.

    2. Click the Policies tab and open the Policy Editor. Then click the appropriate policy.

      NOTE: If the policy is a pre-installed or default policy, clone it first and modify the clone.

    3. Click View/Edit, then select Inbound or Outbound, depending on the direction of the suspected attacks that should be checked.

    4. Select Attacks Selected. If the protocol is known, click it in the list. Otherwise, click All Protocols.

    5. Click View/Edit, select the attack suspected of being a false positive, click View/Edit again, and then click the Logging tab.

    6. Select Enable Logging.

    7. Click the Log Entire Packet drop-down list. In the Flow field, select Single Flow, and then select Rest of Flow.

    8. Click OK and then click Done.

    9. Click Commit Changes.


  2. After you enable full flow logging on the Manager, push the updated configuration to the Sensors. The Sensor does not log the full flow until it receives this update:

    1. In the Manager Network Console click Configure.

    2. In the resource tree, click Sensors.

    3. Click the Update tab.

    4. Click Update Configuration.


  3. Enable aidlog on the Sensor Command Line Interface (CLI) for the suspected signature only, and only for a limited time:

    1. Open a Sensor command-line session using SSH and the administrative username and password.

    2. Type debug and press ENTER. The prompt changes to IntruDbg#>.

    3. Type the following command, followed by the attack ID, and press ENTER:

      set aidlog enable <attack ID>

      Example: set aidlog enable 0x40006000

      The attack ID is the IntruVert ID shown in the signature's attack description.

      NOTE: If you don't know the attack ID, view the attack description details or search the KnowledgeBase for the name of the attack.

    4. Reproduce the false positive and gather the results:

      1. Type the following command and press ENTER:

        show aidlog status

      2. Wait for the false positive to trigger a couple of times on the Sensor.

      3. Immediately collect the Sensor trace from the Sensor. See article KB55549 for the full steps.

        NOTE: Pushing a signature set or changing the Sensor configuration before you collect the Sensor trace erases the required debug information from the trace output.

        The aidlog output and the Sensor trace are correlated with each other, and both are needed for debugging.


    5. Disable logging after you have the trace file:

      1. Disable logging. Type the following command and press ENTER:

        set aidlog disable

      2. Verify that aidlog is disabled. Type the following command and press ENTER:

        show aidlog status

      3. Exit out of the Sensor. Type the following command and press ENTER:

        exit



  4. After full flow logging is enabled for the alert suspected to be a false positive, and the alert has triggered again, save the Evidence Report:

    1. Launch Historical/Real-time Alert Manager and double-click the alert with the false positive.

    2. Click Save As Evidence Report.

    3. Select Save Packet Log.

    4. Select Show Entire Flow.

    5. Click Save, and give the file a descriptive name. The Evidence Report consists of two files, a PCAP and Report.csv.

      NOTE: Open the PCAP with Ethereal/Wireshark on a test computer and verify that approximately 10 packets are listed, which confirms that the entire flow was captured rather than only the triggering packet.

    6. Provide any additional information about why you suspect this is an incorrect identification, and any comments or thoughts about why the alert might have triggered.

    7. Perform a packet capture of the network traffic in question through a third-party application. McAfee recommends Ethereal/Wireshark for this purpose.

      IMPORTANT: A minimum of five Evidence Reports with packet logs attached is required. After you submit this information, the issue is escalated to Tier III Support for review. Tier III Support works with the Network Security Platform Detection Team to confirm that this is an incorrect identification and to determine the best course of action to correct it.
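The NOTE in step 4 tells you to open each Evidence Report PCAP and confirm that roughly 10 packets are present. When you have to do that for five or more reports, a scripted check is quicker and less error-prone. The following Python script is an added example written for this article; it is not McAfee code and is not part of the Network Security Platform. It parses the classic libpcap file format (24-byte global header followed by 16-byte record headers) directly, so it needs no Wireshark installation, and it classifies a capture as ok, short, single-packet (full flow logging was not in effect on the Sensor) or truncated. The expected packet count of 10 is taken from the article's NOTE; the sample capture the script builds for itself is constructed in memory and is not real Sensor output.

```python
"""Sanity-check the PCAP inside a saved Evidence Report.

Added example (not code from the McAfee article): a minimal reader for the
classic libpcap file format, used to confirm that the packet log holds the
whole flow (the article says to expect roughly 10 packets) rather than the
single triggering packet you get when full flow logging was never pushed to
the Sensor. The "approximately 10 packets" threshold is taken from the
article; the sample capture built below is constructed, not real data.
"""
import struct
from dataclasses import dataclass

MAGIC_USEC = 0xA1B2C3D4   # libpcap magic, microsecond timestamps
MAGIC_NSEC = 0xA1B23C4D   # libpcap magic, nanosecond timestamps
GLOBAL_HEADER_LEN = 24    # magic, version, tz, sigfigs, snaplen, linktype
RECORD_HEADER_LEN = 16    # ts_sec, ts_frac, incl_len, orig_len


@dataclass
class PcapSummary:
    packet_count: int
    captured_bytes: int   # sum of incl_len over all complete records
    truncated: bool       # file ended in the middle of a record


def _byte_order(magic: bytes) -> str:
    """Return the struct prefix ('<' or '>') that decodes this file's headers."""
    for prefix in ("<", ">"):
        if struct.unpack(prefix + "I", magic)[0] in (MAGIC_USEC, MAGIC_NSEC):
            return prefix
    raise ValueError("not a libpcap file: magic %s" % magic.hex())


def summarize_pcap(data: bytes) -> PcapSummary:
    """Walk the record headers and count packets without decoding payloads."""
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("shorter than the 24-byte libpcap global header")
    prefix = _byte_order(data[:4])
    offset, count, captured, truncated = GLOBAL_HEADER_LEN, 0, 0, False
    while offset < len(data):
        if offset + RECORD_HEADER_LEN > len(data):
            truncated = True
            break
        _sec, _frac, incl_len, orig_len = struct.unpack(
            prefix + "IIII", data[offset:offset + RECORD_HEADER_LEN])
        if incl_len > orig_len:
            raise ValueError("record at offset %d claims incl_len > orig_len" % offset)
        offset += RECORD_HEADER_LEN
        if offset + incl_len > len(data):
            truncated = True
            break
        count += 1
        captured += incl_len
        offset += incl_len
    return PcapSummary(count, captured, truncated)


def evidence_verdict(summary: PcapSummary, expected_packets: int = 10) -> str:
    """Classify a packet log the way you would before attaching it to a case."""
    if summary.truncated:
        return "truncated"          # the file was cut off; save the report again
    if summary.packet_count <= 1:
        return "single-packet"      # full flow logging was not active on the Sensor
    if summary.packet_count < expected_packets:
        return "short"              # fewer than the roughly 10 packets the KB expects
    return "ok"


def build_sample_pcap(packets: int, prefix: str = "<") -> bytes:
    """Constructed test capture: a libpcap header plus N dummy 60-byte records."""
    header = struct.pack(prefix + "IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    records = b""
    for i in range(packets):
        payload = bytes([i & 0xFF]) * 60
        records += struct.pack(prefix + "IIII", 1_700_000_000 + i, 0,
                               len(payload), len(payload)) + payload
    return header + records


def check_file(path: str, expected_packets: int = 10) -> str:
    """Run the check on a PCAP saved from the Manager's Evidence Report."""
    with open(path, "rb") as fh:
        return evidence_verdict(summarize_pcap(fh.read()), expected_packets)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, check_file(path))
```

Run it as `python check_evidence.py *.pcap` over the PCAP files extracted from each Evidence Report; a "single-packet" verdict means the Sensor was not updated after full flow logging was enabled (step 2), and the report should be regenerated after the alert triggers again.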