Classification04/20/23
Presenter NamePresenter Title
Threat Discovery Appliance 2.0Debug feature and troubleshooting
Copyright 2007 - Trend Micro Inc.
TDA main debug UI
• Please log in TDA web console and modify the URL to:• https://[TDA_Management_IP]/html/rdqa.htm
Copyright 2007 - Trend Micro Inc.
Rule disable/enable
• Why?– TDA provide customized rule detection for customer/analyzer
• How?– URL: https://[TDA_Management_IP]/cgi-bin/cav_edit.cgi
• It will ask you to logon TDA first to avoid non-authorized communication
– Check Mark as Apply (TDA takes effect immediately)
• Note– Rule enable/disable setting will be overwritten after update
Network Content Correlation Pattern
Copyright 2007 - Trend Micro Inc.
Debug Log
• URL: https://[TDA_Management_IP]/cgi-bin/cgiSetDebugLog.cgi• It will ask you to logon TDA first to avoid non-authorized
communication
• Debug Level and Module Settings– Debug Level
• disable,0-fatal,1-error,2-warning,3-info,4-debug
– Debug Module ID • 1-cav, 3-fstream_serv, 4-mr_system_logger, 5-preconf, all
• Export Debug Log• Debug Log Maintenance (Reset Debug Log)• Note
– debug log will rotate when it reaches size of 10 M bytes.
Copyright 2007 - Trend Micro Inc.
Trouble Shooting - 1
• After TDA is deployed, check if TDA can “see” the traffic mirrored from the switch– Execute Putty to logon TDA
and execute the command:
#tcpdump –ni br0• You will find a lot of
“traffic” shown on screen. => traffic copied to TDA
Copyright 2007 - Trend Micro Inc.
Trouble Shooting - 2
• Check if packet is not dropped when mirrored to TDA– https://[TDA_Management_IP]/htm/kmod_main.html– “conntrack_count”
: concurrent connection
including all TCP state– No packet dropped :
“nr_corrupt” is 0– No packet dropped :
“ESTABLISHED” is almost equal to “conntrack_count”
Copyright 2007 - Trend Micro Inc.
Trouble Shooting - 3
• SYN_SENT: the number of TCP sessions that are in SYN_SENT state at the moment
• ESTABLISHED : the number of TCP sessions that are in ESTABLISHED state at the moment
• nr_corrupt : accumulated number of TCP sessions that are timed-out (60 seconds) in established state=> numbers of sessions that had packet dropped
client server
Data communication
1:syn : SYN_SENT
2:synack : SYN_RECV
3:ack : ESTABLISHED
Copyright 2007 - Trend Micro Inc.
Trouble Shooting - 4
• A case that TDA is “seeing”packets , however, TCP sessions is not established maybe due to asymmetric routing of the network
• TDA can not scan suchnetwork traffic
• Customer should re-considerthe position of TDA oruse 2 ports for monitoring
Copyright 2007 - Trend Micro Inc.
Known threat logging disable
• Why?– TDA can disable the log in database when it detects known
threat (VSAPI, Network Virus)– Customer doesn’t want to see duplicate detection logs before
the victim client is taken care of
• How?– URL: https://[TDA_Management_IP]/cgi-bin/cav_log.cgi
• It will ask you to logon TDA first to avoid non-authorized communication
– Select VSAPI or Network Virus then save
(TDA takes effect immediately)