Cisco Guard Web-Based Manager Configuration Guide (Software Version 5.0)
Managing the Packet-Dump Feature

Table Of Contents

Managing the Packet-Dump Feature

Packet-Dump Capture Overview

Enabling or Disabling Automatic Packet-Dump Capture

Managing Manual Packet-Dump Captures

Starting a Manual Packet-Dump Capture

Stopping a Manual Packet-Dump Capture

Viewing Packet-Dump Captures

Viewing the Packet-Dump Capture List

Viewing the Packet-Dump Capture Details

Changing the Packet-Dump Capture Details Screen View

Comparing Two Packet-Dump Captures

Managing Packet-Dump Capture Files

Renaming a Manual Packet-Dump Capture File

Saving a Complete Copy of a Packet-Dump Capture

Saving a Filtered Copy of a Packet-Dump Capture File

Exporting a Packet-Dump Capture File

Importing a Packet-Dump Capture File

Deleting a Packet-Dump Capture File

Extracting and Using Packet-Dump Signatures

Extracting a Packet-Dump Capture Signature

Extracting a Packet-Dump Capture Signature Using a Reference Capture

Adding an Attack Signature to a Flex-Content Filter


Managing the Packet-Dump Feature


The packet-dump capture function allows you to record and observe zone traffic patterns using non-intrusive network taps.

This chapter includes the following sections:

Packet-Dump Capture Overview

Enabling or Disabling Automatic Packet-Dump Capture

Managing Manual Packet-Dump Captures

Viewing Packet-Dump Captures

Managing Packet-Dump Capture Files

Extracting and Using Packet-Dump Signatures

Packet-Dump Capture Overview

You can configure the Guard to record zone traffic and create a database from the recorded traffic. Querying the recorded traffic database enables you to analyze past events, extract traffic signatures, or compare current network traffic patterns with traffic patterns that the Guard recorded previously under normal traffic conditions.

You can configure filters so the Guard records only traffic that meets certain criteria. Alternatively, you can record all traffic data and filter the traffic that the Guard displays. The Guard saves the traffic in gzipped Packet Capture (PCAP) format with an accompanying file in Extensible Markup Language (XML) format that describes the recorded data.

An important use of the packet-dump feature is to determine if there are any common patterns, or signatures, that appear in the payload of attack packets within a packet-dump capture. The Guard is capable of analyzing a packet-dump capture and extracting any signatures it finds. Using the signature information, you can create a Flex-Content filter to block all traffic containing packet payloads that match the signature.

The Guard records traffic in two ways:

Automatic Packet-Dump Capture—The Guard constantly records traffic data to packet-dump capture files.

Manual Packet-Dump Capture—The Guard records traffic to packet-dump capture files when you activate the feature.

A new automatic packet-dump capture file replaces the previous one. To save the recorded traffic, export the packet-dump capture files to an FTP server before you activate the Guard to record traffic again. You can only activate one manual packet-dump capture at a time for a zone, but you can activate a manual packet-dump capture and the automatic packet-dump capture simultaneously. The Guard can manually record traffic for up to 10 zones simultaneously.

The Guard allocates, by default, 5 MB of disk space for manual packet-dump capture files of all zones. It can save up to 50 MB of manual and automatic packet-dump capture files of all zones. To free disk space for additional packet-dump capture files, delete old ones.

Enabling or Disabling Automatic Packet-Dump Capture

You configure the auto packet-dump feature to be either on or off. When you set auto packet-dump to on, the Guard constantly records the zone traffic.

To configure the setting of the auto packet-dump feature:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Configuration > General from the zone main menu. The General screen appears, displaying the current zone configuration.

Step 3 Click Config. The Config screen appears.

Step 4 From the Packet-Dump parameters area of the Zone Form, click one of the following options:

On—Enables the automatic packet-dump capture function

Off—Disables the automatic packet-dump capture function

Step 5 Enter the maximum amount of disk space to be used for the packet-dump. Disk space is defined in megabytes (MB).

Step 6 Click one of the following options:

OK—Saves the auto packet-dump setting as part of the zone configuration. If you enabled the automatic packet-dump capture function, the Guard begins recording all zone traffic.

Clear—Reverts the form information back to the default values and clears any information you added.

Cancel—Exits the Config screen without saving any information.


Managing Manual Packet-Dump Captures

The procedures in this section describe how to control when the Guard begins and ends a manual packet-dump capture. You can activate only one manual packet-dump capture per zone, which can be done in combination with an automatic packet-dump capture.

The Guard allocates, by default, 5 GB of disk space for the manual packet-dump capture files of all zones. It can save up to 50 GB of manual and automatic packet-dump capture files of all zones. To free disk space for additional packet-dump capture files, delete any packet-dump capture files you no longer need (see the "Deleting a Packet-Dump Capture File" section).

This section contains the following procedures:

Starting a Manual Packet-Dump Capture

Stopping a Manual Packet-Dump Capture

Starting a Manual Packet-Dump Capture

The zone must be active (learning zone traffic or protecting the zone) before you can start a manual packet-dump capture.

To start a manual packet-dump capture:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Diagnostics > Start Packet-Dump from the zone main menu. The Start Packet-Dump screen appears.

Step 3 Configure the parameters of the packet-dump capture. Table 11-1 describes the parameters listed in the Start Packet-Dump Form.

Table 11-1 Start Packet-Dump Form Parameters 

Parameter
Description

Capture name

Name assigned to packet-dump. Enter an alphanumeric string from 1 to 63 characters in length. The string can contain underscores, but cannot contain spaces.

Packet-Dump filter

(Optional) Filter you define to specify the traffic to record. The Guard captures only traffic that complies with the filter expression. The expression rules are identical to the Flex-Content filter expression rules (see the "Understanding the Flex-Content Expression Syntax" in "Configuring Zone Filters").

Dispatch value

Zone traffic the Guard captures. Select the traffic type from the drop-down list:

All—Capture all traffic.

Forwarded—Capture only legitimate traffic that the Guard forwards on to the zone.

Dropped—Capture only traffic that the Guard dropped.

Replied—Capture only the traffic that the Guard anti-spoofing and anti-zombie features send back to the source in a verification attempt.

Sample rate

Sample rate in pps. Enter a value from 1 to 10000.

The Guard supports a maximum accumulated packet-dump capture rate of 10000 packets per second for all concurrent manual captures.

A packet-dump capture configured with a high sample-rate value consumes significant Guard resources. Use high sample-rate values cautiously because of the potential performance penalty.

Number of packets

Number of packets to record. When the Guard records the number of packets you specify, it stops the manual packet-dump capture and saves the information in the capture buffer to a file. Enter an integer from 1 to 5000.


Step 4 Click one of the following options:

OK—Saves the manual packet-dump capture parameters. The Guard begins capturing and recording the information to the local database.

Clear—Reverts the form information back to the default values and clears any information you added.

Cancel—Exits the Start Packet-Dump screen without saving any information.


Stopping a Manual Packet-Dump Capture

The Guard stops a manual packet-dump capture when it records the number of packets you specified when you activated the capture. However, you can stop a manual packet-dump capture before the Guard records the specified number of packets.

To stop a manual packet-dump capture:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Diagnostics > Stop Packet-Dump from the zone main menu. The Guard stops the manual packet-dump capture.


Viewing Packet-Dump Captures

The procedures in this section describe how to access the various packet-dump capture viewing options, including viewing the details of a packet-dump capture or comparing the results of two packet-dump captures.

This section contains the following procedures:

Viewing the Packet-Dump Capture List

Viewing the Packet-Dump Capture Details

Changing the Packet-Dump Capture Details Screen View

Comparing Two Packet-Dump Captures

Viewing the Packet-Dump Capture List

To view the list of packet-dump captures:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Diagnostics > Packet dump list from the zone main menu. The Packet-Dump list screen appears.


Table 11-2 describes the fields of the packet-dump list.

Table 11-2 Packet-Dump List 

Field
Description

Name

Name assigned to the packet-dump capture.

Start Time

Date and time the packet-dump capture began.

Stop Time

Date and time the packet-dump capture ended.

Type

Type of packet-dump capture (automatic or manual)

Size

Size of the file generated by the packet-dump capture.

Packet Dump Filter

User-defined filter the Guard applies to the information it records to the capture file.

Dispatch

Traffic type the Guard recorded:

All—All traffic.

Dropped—Only traffic that the Guard dropped.

Forwarded—Only legitimate traffic that the Guard forwards on to the zone.

Replied—Only the traffic that the Guard anti-spoofing and anti-zombie features send back to the source in a verification attempt.


Table 11-3 describes the function buttons of the Packet-Dump list screen.

Table 11-3 Packet-Dump List Function Buttons 

Button
Description

Stop/Start

Controls the manual packet-dump operation. This button toggles between Stop and Start depending on the current operating status of the manual packet-dump feature.

Click:

Start—Begins a manual packet-dump capture. This button displays only when there is no manual packet-dump capture currently running.

Stop—Ends the current manual packet-dump capture. This button displays only when there is a packet-dump capture currently running.

View

Displays the detailed information of up to two packet-dump captures (see the "Viewing the Packet-Dump Capture Details" and "Comparing Two Packet-Dump Captures" sections).

Rename

Applies a new file name to a packet-dump capture (see the "Renaming a Manual Packet-Dump Capture File" section).

Copy

Copies a packet-dump capture (see the "Saving a Complete Copy of a Packet-Dump Capture" section).

Export/Import

Uploads or downloads a packet-dump capture (see the "Exporting a Packet-Dump Capture File" and "Importing a Packet-Dump Capture File" sections).

Delete

Removes a packet-dump capture from the list and the database (see the "Deleting a Packet-Dump Capture File" section).


Viewing the Packet-Dump Capture Details

To view the details of a packet-dump capture:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Diagnostics > Packet dump list from the zone main menu. The Packet-Dump list screen appears.

Step 3 Select the check box next to the packet-dump capture to view.

Step 4 Click View. The Packet-Dump capture analysis screen appears. For details on applying a screen filter to the information displayed, see the "Changing the Packet-Dump Capture Details Screen View" section.


Table 11-4 describes the information the Guard displays in the Capture and View parameter areas of the Packet-Dump capture analysis screen.

Table 11-4 Packet-Dump Capture and View Parameters 

Screen Area or Button
Parameter
Description

Capture parameters

Name

Name of the capture file.

Start time

Begin time of the capture.

End time

End time of the capture.

Packets

Number of packets the Guard recorded during the capture time period.

Packet Dump filter

User-defined filter the Guard applies to the information it records to the capture file.

Dispatch

Traffic type the Guard recorded:

All—All traffic.

Dropped—Only traffic that the Guard dropped.

Forwarded—Only legitimate traffic that the Guard forwards on to the zone.

Replied—Only the traffic that the Guard anti-spoofing and anti-zombie features send back to the source in a verification attempt.

View Parameters

Query

Data profile the Guard uses for displaying the capture information:

Top 20: SrcIP / DstIP / SrcPort / DstPort / Protocol

Distribution: SrcIP / DstIP / SrcPort / DstPort / SrcReservedPorts / DstReservedPorts / Protocol / TTL / Length

Packets list

See Table 11-5 for details on the information the Guard displays for each of the query types.

Display filter

User-defined filter that specifies the packet-dump capture information to display.

Change View button

Changes the view parameters (see the "Changing the Packet-Dump Capture Details Screen View" section).

Save button

Saves a copy of the packet-dump capture to a different file name (see the "Saving a Complete Copy of a Packet-Dump Capture" section).

Extract Signatures button

Extracts the traffic signature from the packet-dump capture (see the "Extracting a Packet-Dump Capture Signature" section).


Table 11-5 describes the capture information the Guard displays depending on the query type you select (see the "Changing the Packet-Dump Capture Details Screen View" section).

Table 11-5 Capture Parameters Table and Graph Details 

Query Type
Parameter
Description

Top 20: SrcIP / DstIP / SrcPort / DstPort / Protocol

#

Sequential number the Guard assigns to each incident it records during the packet-dump capture

Key

IP address, port number, or protocol number (depending on the Top 20 query type you select)

Packets

Number of packets in the packet-dump capture

%

Percentage of packets in the capture that relate to the Top 20 key

Distribution: SrcIP / DstIP / SrcPort / DstPort / SrcReservedPorts / DstReservedPorts / Protocol / TTL / Length

x-axis

Units of the distribution attribute you select, such as IP address, port number, or protocol number

y-axis

Number of packets related to the distribution attribute

Packets List

#

Sequential number the Guard assigns to each incident it records during the packet-dump capture

Time

Time the packet-dump incident occurred

SrcIp

Source IP address of the packets

SrcPort

Source port of the packets

DstIp

Destination IP address of the packets

DstPort

Destination port of the packets

Protocol

Protocol (number) used by the packets

Info

Additional packet information.



Note To sort the information in a Top 20 table and a Packets List table according to column information, click on the table column header.
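The Top 20 and Distribution queries of Table 11-5 can also be reproduced offline on a capture that was exported as gzipped PCAP (see the "Exporting a Packet-Dump Capture File" section). The following Python is an added example, not Guard code; it assumes an Ethernet/IPv4 capture, decodes only the fields the Packets List shows, and builds its own constructed sample capture instead of reading a real export.

```python
# Added example, not Guard code: reproduce the Top 20 and Distribution queries of the
# packet-dump analysis screen over a capture exported as gzipped PCAP.
import gzip
import socket
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4  # libpcap magic number as written in host byte order
LINKTYPE_ETHERNET = 1


def parse_pcap(data):
    """Yield (timestamp, frame bytes) from an uncompressed libpcap byte string."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"  # file written on a little-endian host
    elif magic == 0xD4C3B2A1:
        end = ">"  # file written on a big-endian host
    else:
        raise ValueError("not a libpcap file")
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example decodes Ethernet frames only")
    pos = 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(end + "IIII", data[pos:pos + 16])
        pos += 16
        yield ts_sec + ts_usec / 1e6, data[pos:pos + incl_len]
        pos += incl_len


def decode(frame):
    """Pull out the fields the Packets List shows; None for non-IPv4 frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    rec = {"SrcIP": socket.inet_ntoa(ip[12:16]), "DstIP": socket.inet_ntoa(ip[16:20]),
           "Protocol": ip[9], "TTL": ip[8], "Length": struct.unpack("!H", ip[2:4])[0],
           "SrcPort": None, "DstPort": None}
    l4 = frame[14 + ihl:]
    if rec["Protocol"] in (6, 17) and len(l4) >= 4:  # TCP or UDP: ports lead the header
        rec["SrcPort"], rec["DstPort"] = struct.unpack("!HH", l4[:4])
    return rec


def load_records(gz_bytes):
    """Decode every IPv4 packet of a gzipped PCAP export into a field dict."""
    return [rec for _, frame in parse_pcap(gzip.decompress(gz_bytes))
            if (rec := decode(frame)) is not None]


def _values(records, attr):
    """Values of one query attribute; the Reserved-port keys keep only ports below 1024."""
    if attr.endswith("ReservedPorts"):
        port_attr = attr.replace("ReservedPorts", "Port")
        return [r[port_attr] for r in records
                if r[port_attr] is not None and r[port_attr] < 1024]
    return [r[attr] for r in records if r[attr] is not None]


def top20(records, attr):
    """Rows of the Top 20 table: (#, key, packets, % of all packets in the capture)."""
    counts = Counter(_values(records, attr))
    return [(i, key, n, round(100.0 * n / len(records), 1))
            for i, (key, n) in enumerate(counts.most_common(20), start=1)]


def distribution(records, attr):
    """Points of the Distribution graph: (x = attribute value, y = packet count)."""
    return sorted(Counter(_values(records, attr)).items())


def build_capture_gz(packets):
    """Constructed test data: (src, sport, dst, dport, ttl, payload) tuples become
    Ethernet/IPv4/UDP frames in a gzipped libpcap file; checksums are left at zero."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, (src, sport, dst, dport, ttl, payload) in enumerate(packets):
        udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), i, 0, ttl, 17, 0,
                         socket.inet_aton(src), socket.inet_aton(dst)) + udp
        frame = b"\x00" * 12 + b"\x08\x00" + ip  # zeroed MACs, EtherType IPv4
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return gzip.compress(out)


# Constructed capture: one source sends most of the packets, which Top 20 SrcIP exposes.
SAMPLE = build_capture_gz(
    [("192.0.2.10", 40000 + i, "198.51.100.20", 53, 64, b"A" * 32) for i in range(6)]
    + [("203.0.113.5", 1025, "198.51.100.20", 53, 128, b"B" * 64) for _ in range(3)]
    + [("198.51.100.9", 53, "198.51.100.20", 33000, 60, b"C" * 16)]
)

if __name__ == "__main__":
    recs = load_records(SAMPLE)
    print(top20(recs, "SrcIP"))
    print(distribution(recs, "TTL"))
```

To run it against a real export, pass the bytes of the downloaded .pcap.gz file to load_records instead of SAMPLE.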


Changing the Packet-Dump Capture Details Screen View

To change the view of the Packet-Dump Capture details screen:


Step 1 From the Packet-Dump Capture details screen, click Change View. The Change Packet-Dump View Parameters window opens.

Step 2 Configure the viewing parameters of the packet-dump capture. Table 11-6 describes the parameters of the Change Packet-Dump View Parameters form.

Table 11-6 Change Packet-Dump View Parameters 

Parameter
Description

Query

Data profile to display, which also determines the format of the display (table or graph). Select a profile to use from the Query drop-down list:

TOP 20: SrcIP / DstIP / SrcPort / DstPort / Protocol—Displays the top 20 incidents related to the selected Query attribute, such as source IP address (SrcIP) or destination port (DstPort). The information displays in a table format.

Distribution: SrcIP / DstIP / SrcPort / DstPort / SrcReservedPorts / DstReservedPorts / Protocol / TTL / Length—Displays a graph indicating how the packets are distributed across the selected Query attribute.

Packet View—Displays packet details, such as source and destination IP addresses, and source and destination ports. The information displays in a table format.

Display filter

(Optional) User-defined filter that specifies the packet-dump information to display. The display filter expression rules are identical to the Flex-Content filter expression rules (see the "Understanding the Flex-Content Expression Syntax" section in "Configuring Zone Filters"). Enter the display filter to use.

Display pattern

(Optional) Regular expression data pattern to match with the packet content (see the "Understanding the Flex-Content Filter Pattern Syntax" section in "Configuring Zone Filters"). Enter the display pattern to use.

Start offset

(Optional) Offset, in bytes, from the beginning of the packet payload, where the pattern-matching begins. The default is 0 (the start of the payload). Enter the start offset to use.

End offset

(Optional) Offset, in bytes, from the beginning of the packet payload, where the pattern-matching ends. The default is the packet length (the end of the payload). Enter the end offset to use.


Step 3 Click one of the following options:

OK—Saves the view parameters. The Guard updates the packet-dump capture details screen based on the view parameters you selected.

Clear—Reverts the form information back to the default values and clears any information you added.

Cancel—Closes the View Parameter window without saving any information.


Comparing Two Packet-Dump Captures

To compare the details of two packet-dump captures:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Diagnostics > Packet dump list from the zone main menu. The Packet-Dump list screen appears.

Step 3 Click the check box next to the packet-dump capture to view as the base capture.

Step 4 Click the check box next to the packet-dump capture to view as the reference capture.

Step 5 Click View. The Packet-Dump capture analysis screen appears, displaying the details of the base and reference packet-dump captures.

Step 6 (Optional) Click Swap Base and Reference to switch the two packet captures, making the base capture the reference capture and the reference capture the base capture. Use this function when extracting a signature (the Guard extracts the signature from the base capture). For information on extracting a signature, see the "Extracting and Using Packet-Dump Signatures" section.


For a description of the information the Guard displays in the Packet-Dump capture analysis screen, see the "Viewing the Packet-Dump Capture Details" section.

Managing Packet-Dump Capture Files

This section includes the following procedures:

Renaming a Manual Packet-Dump Capture File

Saving a Complete Copy of a Packet-Dump Capture

Saving a Filtered Copy of a Packet-Dump Capture File

Exporting a Packet-Dump Capture File

Importing a Packet-Dump Capture File

Deleting a Packet-Dump Capture File

Renaming a Manual Packet-Dump Capture File

You can only rename a manual packet-dump capture.

To rename a manual packet-dump capture:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Diagnostics > Packet dump list from the zone main menu. The Packet-Dump list screen appears.

Step 3 Click the check box next to the packet-dump capture to rename, then click Rename. The Rename window opens.

Step 4 Enter the name to apply to the packet-dump capture in the New name field. The packet-dump capture name is alphanumeric and can contain underscores and dashes, but no spaces.

Step 5 Choose one of the following options:

OK—Saves the packet-dump capture using the new name to the local database.

Clear—Clears the Rename Form of any information you added.

Cancel—Closes the Rename window without saving any information.


Saving a Complete Copy of a Packet-Dump Capture

The Save function allows you to create a complete copy of a packet-dump capture in the local database. When you save a copy of an automatic packet-dump, the Guard saves it as a manual packet-dump file.

The save function does not delete the original packet-dump capture from the database; therefore, you must manually delete the original packet-dump capture if you need additional disk space for new captures (see the "Deleting a Packet-Dump Capture File" section).

To save a complete copy of a packet-dump capture:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Diagnostics > Packet dump list from the zone main menu. The Packet-dump list screen appears.

Step 3 Select the check box next to the packet-dump capture to copy.

Step 4 Click View. The Packet-Dump capture analysis screen appears.

Step 5 Click Save. The Save window opens.

Step 6 Enter the new file name in the New name field.

Step 7 Choose one of the following options:

OK—Saves the complete copy of the packet-dump capture to the local database.

Clear—Clears the Save Form of any information you added.

Cancel—Closes the Save window without saving any information.


Saving a Filtered Copy of a Packet-Dump Capture File

The Copy function allows you to create a copy of a packet-dump capture file and apply a filter so that only a portion of the original packet-dump capture is copied.

The copy function does not delete the original packet-dump capture from the database; therefore, you must manually delete it if you need additional disk space for new captures (see the "Deleting a Packet-Dump Capture File" section).

To save a filtered copy of a packet-dump capture:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Diagnostics > Packet dump list from the zone main menu. The Packet-Dump list screen appears.

Step 3 Click the check box next to the packet-dump capture to copy, then click Copy. The Copy (save as) window opens.

Step 4 Enter the name for the packet-dump capture copy in the New name field. The packet-dump capture name is alphanumeric and can contain underscores and dashes, but no spaces.

Step 5 (Optional) Define the filter to apply to the packet-dump capture copy if you do not want to copy the entire capture. The filter expression rules are identical to the Flex-Content filter expression rules (see the "Understanding the Flex-Content Expression Syntax" section in "Configuring Zone Filters").

Step 6 Choose one of the following options:

OK—Saves the filtered copy of the packet-dump capture to the local database.

Clear—Clears the Copy (save as) Form of any information you added.

Cancel—Closes the Copy (save as) window without saving any information.


Exporting a Packet-Dump Capture File

You can manually export packet-dump capture files to an FTP or SFTP server. You can export a single packet-dump capture file or all packet-dump capture files of a specific zone. The Guard exports the packet-dump capture files in gzipped PCAP format with an accompanying XML file that describes the recorded data. See the Capture.xsd file that accompanies the version for a description of the XML schema.

To export a packet-dump capture:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Diagnostics > Packet dump list from the zone main menu. The Packet-Dump list screen appears.

Step 3 Click the check box next to the packet-dump capture to copy to the FTP server, then click Export. (To select all of the packet-dump captures, select the check box in the table header.) The Export FTP Server Parameters window opens.

Step 4 From the Export FTP Server Parameters form, select the FTP method to use:

FTP—File Transfer Program

SFTP—Secure File Transfer Program

Step 5 From the Export FTP Server Parameters form, select the FTP server to use:

Use default FTP definitions—Exports the packet-dump capture to the FTP server you defined in the Guard configuration using the CLI.

Use temporary FTP server—Exports the packet-dump capture to an FTP server not defined in the Guard configuration. Enter the following FTP server information:

Address—IP address of the FTP server.

Path—Complete path to the directory on the FTP server where the Guard saves the packet-dump capture files.

Username—(Optional) FTP server login name. If you do not enter a user name, the FTP server assumes an anonymous login and does not require a password.

Password—(Optional) Password for the remote FTP server. If you enter a user name but do not enter a password, the Guard prompts you for the password.

Step 6 Choose one of the following options:

OK—Saves the packet-dump capture to the FTP server.

Clear—Clears the Select FTP Server Parameters form of any information you added.

Cancel—Closes the Export FTP Server parameters window without saving the packet-dump capture.


Importing a Packet-Dump Capture File

You can import packet-dump capture files from an FTP or SFTP server to the Guard. This allows you to analyze past events or compare current network traffic patterns with traffic patterns that the Guard recorded previously under normal traffic conditions. The Guard imports the packet-dump capture files in both XML and PCAP format.

To import a packet-dump capture:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Diagnostics > Packet-dump list from the zone main menu. The Packet-Dump list screen appears.

Step 3 Click Import. The Import FTP Server Parameters window opens.

Step 4 From the Select FTP Server Parameters form, enter the file name of the packet-dump capture in the File name field.

Step 5 From the Select FTP Server Parameters form, select the FTP method to use:

FTP—File Transfer Program

SFTP—Secure File Transfer Program

Step 6 From the Select FTP Server Parameters form, select the FTP server to use:

Use default FTP definitions—Imports the packet-dump capture from the FTP server you defined in the Guard configuration using the CLI.

Use temporary FTP server—Import the packet-dump capture from an FTP server not defined in the Guard configuration. Enter the following FTP server information:

Address—IP address of the FTP server.

Path—Full path name of the packet-dump capture on the FTP server.

Username—(Optional) FTP server login name. If you do not enter a user name, the FTP server assumes an anonymous login and does not require a password.

Password—(Optional) Password for the remote FTP server. If you enter a user name but do not enter a password, the Guard prompts you for the password.

Step 7 Choose one of the following options:

OK—Imports the packet-dump capture from the FTP server to the local database.

Clear—Clears the Select FTP Server Parameters form of any information you added.

Cancel—Closes the Import FTP Server Parameters window without importing the packet-dump capture.


Deleting a Packet-Dump Capture File

You can only save one manual packet-dump capture file per zone and no more than 10 packet-dump capture files on the Guard. You must delete old packet-dump captures to create additional disk space for new captures.

To delete a packet-dump capture:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Diagnostics > Packet-dump list from the zone main menu. The Packet-Dump list screen appears.

Step 3 Click the check box next to the packet-dump capture to delete, then click Delete. (To select all of the packet-dump captures, select the check box in the table header.) The Guard deletes the packet-dump capture from the local database.


Extracting and Using Packet-Dump Signatures

A signature is the common pattern that appears in the payload of attack packets within a packet-dump capture. You can activate the Guard to extract the signature of anomalous traffic and then use the signature to quickly identify future attacks of the same type. This feature allows you to detect new attacks and Internet worms even before signatures from antivirus software companies or mailing lists are published.

During the signature extraction process, the Guard uses the Flex-Content filter pattern expression syntax to generate the attack signature. This allows you to use the signature as the Flex-Content filter pattern to filter out anomalous traffic. See the "Understanding the Flex-Content Filter Pattern Syntax" section in "Configuring Zone Filters" for more information.

This section contains the following procedures:

Extracting a Packet-Dump Capture Signature

Extracting a Packet-Dump Capture Signature Using a Reference Capture

Adding an Attack Signature to a Flex-Content Filter

Extracting a Packet-Dump Capture Signature

To extract an attack signature:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Diagnostics > Packet dump list from the zone main menu. The Packet-Dump list screen appears.

Step 3 Click the check box next to the packet-dump capture from which to extract the signature, then click View. The Packet-Dump capture analysis screen appears.

Step 4 Click Extract Signatures. The Guard extracts the signatures from the packet dump and opens the Packet-Dump signature extraction window. Table 11-7 describes the signature information the Guard displays in the Packet-Dump signature extraction window.

Table 11-7 Packet-Dump Signature Extraction Parameters 

Parameter
Description

Capture name

Name of packet-dump capture from which the Guard extracted the signature.

Pattern

List of the patterns (in an abbreviated format) that the Guard extracted from the packet-dump capture. Mouse over the pattern to display the complete pattern.

Start offset

Offset, in bytes, from the beginning of the packet payload, where the pattern-matching begins. The default is 0 (the start of the payload).

End offset

Offset, in bytes, from the beginning of the packet payload, where the pattern-matching ends. The default is the packet length (the end of the payload).



To add one of the signatures the Guard displays to a Flex-Content filter, see the "Adding an Attack Signature to a Flex-Content Filter" procedure.

Extracting a Packet-Dump Capture Signature Using a Reference Capture

You can extract a signature from a packet-dump capture file and provide another packet-dump capture file as a reference. The reference should be a capture file of traffic that was recorded during normal traffic conditions. The Guard specifies the percentage of times that the signature is present in traffic that was recorded during normal traffic conditions. If the attack signature appears in a high percentage in traffic that was recorded during normal traffic conditions, it may not indicate the pattern of an attack.

To extract an attack signature using a reference file:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Diagnostics > Packet dump list from the zone main menu. The Packet-Dump list screen appears.

Step 3 Click the check box next to the packet-dump capture to use as the base capture.

Step 4 Click the check box next to the packet-dump capture to use as the reference capture, then click View. The Packet-Dump capture analysis screen appears.

Step 5 (Optional) Click Swap Base and Reference to switch the two packet captures, making the base capture the reference capture and the reference capture the base capture. The Guard extracts the signature from the base capture.

Step 6 Click Extract Signatures. The Guard extracts the signatures from the base packet dump and opens the Packet-Dump signature extraction window. Table 11-8 describes the signature information the Guard displays in the Packet-Dump signature extraction window.

Table 11-8 Packet-Dump Signature Extraction Parameters 

Parameter
Description

Capture name

Name of packet-dump capture from which the Guard extracted the signature.

Pattern

List of the patterns (in an abbreviated format) that the Guard extracted from the packet-dump capture. Mouse over the pattern to display the complete pattern.

Start offset

Offset, in bytes, from the beginning of the packet payload, where the pattern-matching begins. The default is 0 (the start of the payload).

End offset

Offset, in bytes, from the beginning of the packet payload, where the pattern-matching ends. The default is the packet length (the end of the payload).



To add one of the signatures the Guard displays to a Flex-Content filter, see the "Adding an Attack Signature to a Flex-Content Filter" procedure.
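The following added example (not Guard code, and not taken from this guide) illustrates the idea behind the reference capture: byte patterns that are frequent in the base capture are scored by how often they also occur in the reference capture, and patterns that normal traffic carries too are discarded. Both captures are constructed HTTP payloads embedded in the script; the k-gram extraction, the start/end offset handling and the thresholds are this example's own assumptions about how such an analysis can be done, not a description of the Guard's internal algorithm. Calling `extract_signatures` with the two captures swapped corresponds to the Swap Base and Reference step above.

```python
"""Candidate signatures from a base capture, scored against a reference capture.

Added example, not Guard code. All payloads below are constructed.
"""
from collections import Counter
from typing import Dict, List, Optional, Set

# Constructed payloads standing in for the base (attack-time) capture.
BASE_CAPTURE = [
    b"GET /index.html HTTP/1.1\r\nHost: zone.example\r\nUser-Agent: XFLOOD-BOT/1.0\r\n\r\n",
    b"GET /login HTTP/1.1\r\nHost: zone.example\r\nUser-Agent: XFLOOD-BOT/1.0\r\n\r\n",
    b"GET /search?q=a HTTP/1.1\r\nHost: zone.example\r\nUser-Agent: XFLOOD-BOT/1.0\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: zone.example\r\nUser-Agent: XFLOOD-BOT/1.0\r\n\r\n",
    b"POST /api HTTP/1.1\r\nHost: zone.example\r\nUser-Agent: XFLOOD-BOT/1.0\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: zone.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]

# Constructed payloads standing in for the reference (normal-conditions) capture.
REFERENCE_CAPTURE = [
    b"GET /index.html HTTP/1.1\r\nHost: zone.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /about HTTP/1.1\r\nHost: zone.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: zone.example\r\nUser-Agent: curl/7.0\r\n\r\n",
    b"POST /api HTTP/1.1\r\nHost: zone.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]


def presence_pct(pattern: bytes, payloads: List[bytes],
                 start: int = 0, end: Optional[int] = None) -> float:
    """Percentage of payloads whose [start:end] window contains pattern."""
    if not payloads:
        return 0.0
    hits = sum(1 for p in payloads if pattern in p[start:end])
    return 100.0 * hits / len(payloads)


def frequent_kgrams(payloads: List[bytes], k: int, start: int,
                    end: Optional[int], min_fraction: float) -> Set[bytes]:
    """k-byte substrings present in at least min_fraction of the payloads (counted once per payload)."""
    counts: Counter = Counter()
    for p in payloads:
        window = p[start:end]
        counts.update({window[i:i + k] for i in range(len(window) - k + 1)})
    need = min_fraction * len(payloads)
    return {g for g, c in counts.items() if c >= need}


def merge_kgrams(grams: Set[bytes], k: int) -> List[bytes]:
    """Collapse overlapping k-grams into maximal byte runs, following each chain while it is unambiguous."""
    suffixes = {g[1:] for g in grams}
    runs = []
    for g in sorted(grams):
        if g[:-1] in suffixes:          # another gram precedes g, so g does not start a run
            continue
        run, used = g, {g}
        while True:
            nxt = [h for h in grams if h[:-1] == run[-(k - 1):] and h not in used]
            if len(nxt) != 1:           # end of chain, or an ambiguous branch
                break
            run += nxt[0][-1:]
            used.add(nxt[0])
        runs.append(run)
    return runs


def extract_signatures(base: List[bytes], reference: List[bytes], k: int = 8,
                       start: int = 0, end: Optional[int] = None,
                       min_base_fraction: float = 0.6,
                       max_reference_pct: float = 10.0) -> List[Dict]:
    """Candidate signatures: byte runs frequent in the base capture and rare in the reference capture."""
    grams = frequent_kgrams(base, k, start, end, min_base_fraction)
    # Discard k-grams that normal traffic also carries (assumed threshold: 10% of reference payloads).
    kept = {g for g in grams if presence_pct(g, reference, start, end) <= max_reference_pct}
    results = []
    for run in merge_kgrams(kept, k):
        results.append({
            "pattern": run,
            "base_pct": presence_pct(run, base, start, end),
            "reference_pct": presence_pct(run, reference, start, end),
        })
    return sorted(results, key=lambda r: (-r["base_pct"], r["pattern"]))


if __name__ == "__main__":
    for sig in extract_signatures(BASE_CAPTURE, REFERENCE_CAPTURE):
        print(f"{sig['pattern']!r}: base {sig['base_pct']:.1f}%, reference {sig['reference_pct']:.1f}%")
    print("swapped:", extract_signatures(REFERENCE_CAPTURE, BASE_CAPTURE))
```

With these inputs the shared HTTP framing (" HTTP/1.1", "Host: zone.example", "User-Agent: ") is frequent in both captures and is therefore discarded, and the only surviving run is the attacker's User-Agent value; with base and reference swapped, nothing survives, because every pattern common to the normal traffic also occurs in the base capture above the threshold.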

Adding an Attack Signature to a Flex-Content Filter

The Guard allows you to construct a Flex-Content filter using a signature it extracts from the packet-dump capture. You can then use the Flex-Content filter to block zone traffic that matches the attack signature.

To add an attack signature to a Flex-Content filter:


Step 1 Use one of the following procedures to extract the signatures from a packet-dump capture:

Extracting a Packet-Dump Capture Signature

Extracting a Packet-Dump Capture Signature Using a Reference Capture

Step 2 From the Packet-Dump signature extraction window, select the signature to use in the Flex-Content filter.

Step 3 Click Add. The Flex-Content Filters > Add filters - step 2 screen appears.

Step 4 Configure the Flex-Content filter parameters. Table 11-9 describes the filter parameters listed in the Flex-Content Filter Form.

Table 11-9 Flex-Content Filter Parameters 

Parameter
Description

Description

Text describing the Flex-Content filter.

Protocol

Processes traffic using a specific protocol. Enter a protocol number from 0 to 255. To specify any protocol type, enter an asterisk (*).

Refer to the Internet Assigned Numbers Authority (IANA) Web site for a list of valid protocol numbers:

http://www.iana.org/assignments/protocol-numbers

Dst Port

Processes traffic flowing to a specific destination port. Enter a destination port number from 0 to 65535. To specify any destination port, enter an asterisk (*).

Refer to the Internet Assigned Numbers Authority (IANA) Web site for a list of valid port numbers:

http://www.iana.org/assignments/port-numbers

Expression

Filters traffic according to the specified expression. The filter expression rules are identical to the Flex-Content filter expression rules (see the "Understanding the Flex-Content Expression Syntax" section in "Configuring Zone Filters"). Enter the expression to use.

Pattern

The Guard copies the packet-dump signature you selected into the Pattern field, which specifies the regular expression data pattern to match with the packet content.

Match Case

Specifies whether or not the data pattern expression is case-sensitive. Select the check box to define the data pattern expression as case-sensitive.

Start Offset

Specifies the offset (in bytes) from the beginning of the packet content where the pattern-matching begins. The default is 0, the start of the payload. The start offset applies to the pattern field. Enter an integer from 0 to 2047.

End Offset

Specifies the offset (in bytes) from the beginning of the packet content where the pattern-matching ends. The default is the packet length, the end of the payload. The end offset applies to the pattern field. Enter an integer from 0 to 2047.

Action

Specifies the action the Flex-Content filter performs on the traffic.

Choose an action from the Action drop-down list:

count—Count the traffic flow packets that match the filter

drop—Drop the traffic flow packets that match the filter

State

Operating state of the Flex-Content filter.

Choose an operating state from the State drop-down list:

enable—The Guard applies the Flex-Content filter to the traffic flow and executes the configured action when a match is found.

disable—The Guard does not apply the Flex-Content filter to the traffic flow.


Step 5 Choose one of the following options:

OK—Saves the new Flex-Content filter. The Flex-Content filters screen appears.

Clear—Reverts the form information back to the default values and clears any information you added.

Cancel—Exits the Flex-Content filter screen without saving any information.
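The following added example (not Guard code, and not taken from this guide) models the Flex-Content filter parameters from the table above and runs a few filters over constructed packets, so that the effect of protocol, destination port, case sensitivity, start/end offsets, the count and drop actions, and the enable/disable state can be seen together. The `Packet` and `FlexContentFilter` classes, the value checks, and the rule that a packet is dropped when any matching enabled filter has the drop action are this example's own assumptions; the Expression field is left out because its syntax is covered in "Configuring Zone Filters".

```python
"""Flex-Content filter evaluation over constructed packets (added example, not Guard code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    protocol: int      # IP protocol number, e.g. 6 = TCP, 17 = UDP
    dst_port: int
    payload: bytes


@dataclass
class FlexContentFilter:
    description: str
    protocol: str = "*"                # "0".."255", or "*" for any protocol
    dst_port: str = "*"                # "0".."65535", or "*" for any destination port
    pattern: bytes = b""               # regular-expression data pattern (from the signature)
    match_case: bool = False           # True = case-sensitive pattern
    start_offset: int = 0              # 0..2047; 0 = start of payload
    end_offset: Optional[int] = None   # 0..2047; None = packet length (end of payload)
    action: str = "count"              # "count" or "drop"
    state: str = "enable"              # "enable" or "disable"
    hits: int = 0                      # packets counted by this filter

    def __post_init__(self) -> None:
        # Range checks mirror the limits given in the filter form.
        if self.protocol != "*" and not 0 <= int(self.protocol) <= 255:
            raise ValueError("protocol must be 0-255 or *")
        if self.dst_port != "*" and not 0 <= int(self.dst_port) <= 65535:
            raise ValueError("dst port must be 0-65535 or *")
        for off in (self.start_offset, self.end_offset):
            if off is not None and not 0 <= off <= 2047:
                raise ValueError("offsets must be 0-2047")
        if self.action not in ("count", "drop"):
            raise ValueError("action must be count or drop")
        if self.state not in ("enable", "disable"):
            raise ValueError("state must be enable or disable")
        self._regex = re.compile(self.pattern, 0 if self.match_case else re.IGNORECASE)

    def matches(self, pkt: Packet) -> bool:
        """True when the filter is enabled and protocol, port and pattern window all match."""
        if self.state != "enable":
            return False
        if self.protocol != "*" and int(self.protocol) != pkt.protocol:
            return False
        if self.dst_port != "*" and int(self.dst_port) != pkt.dst_port:
            return False
        end = len(pkt.payload) if self.end_offset is None else self.end_offset
        return self._regex.search(pkt.payload[self.start_offset:end]) is not None


def apply_filters(filters: List[FlexContentFilter],
                  packets: List[Packet]) -> Tuple[List[Packet], int]:
    """Assumed semantics: count filters increment hits on a match; a packet is dropped
    if any matching enabled filter has action drop; otherwise it is forwarded."""
    forwarded, dropped = [], 0
    for pkt in packets:
        drop = False
        for f in filters:
            if not f.matches(pkt):
                continue
            if f.action == "count":
                f.hits += 1
            else:
                drop = True
        if drop:
            dropped += 1
        else:
            forwarded.append(pkt)
    return forwarded, dropped


def validate_filter(**kwargs) -> Optional[str]:
    """None if a filter with these parameters is accepted, else the rejection message."""
    try:
        FlexContentFilter(**kwargs)
        return None
    except ValueError as exc:
        return str(exc)


def run_demo() -> Tuple[List[Packet], int, List[FlexContentFilter]]:
    """Constructed filters and packets; returns (forwarded, dropped count, filters)."""
    filters = [
        FlexContentFilter("drop bot UA in TCP header area", protocol="6", pattern=rb"XFLOOD-BOT",
                          match_case=False, start_offset=0, end_offset=64, action="drop"),
        FlexContentFilter("count exact bot UA to port 80", dst_port="80", pattern=rb"XFLOOD-BOT",
                          match_case=True, action="count"),
        FlexContentFilter("disabled catch-all", pattern=rb".", action="drop", state="disable"),
    ]
    packets = [  # constructed sample traffic
        Packet(6, 80, b"GET / HTTP/1.1\r\nUser-Agent: XFLOOD-BOT/1.0\r\n\r\n"),  # dropped, counted
        Packet(6, 80, b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),     # forwarded
        Packet(17, 80, b"XFLOOD-BOT"),                  # UDP: drop filter needs protocol 6
        Packet(6, 443, b"xflood-bot"),                  # case-insensitive drop filter matches
        Packet(6, 80, b"A" * 100 + b"XFLOOD-BOT"),      # beyond end offset 64: not dropped
    ]
    forwarded, dropped = apply_filters(filters, packets)
    return forwarded, dropped, filters


if __name__ == "__main__":
    fwd, drp, flt = run_demo()
    print(f"forwarded={len(fwd)} dropped={drp} counted={flt[1].hits}")
```

The fifth packet shows why the end offset matters: the same pattern that drops the first packet is outside the 64-byte window, so the drop filter does not fire, while the count filter (which uses the default end offset, the packet length) still counts it.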