Creating an Anomaly-based Packet Capture Task

An anomaly-based packet capture task captures packets of anomalies of various types so that the anomalies can be analyzed. The task counts captured packets separately for each anomaly type. After a packet capture operation is complete, the task remains in the Enable state, and packets are captured again upon the next anomaly.

Prerequisites

  • Service configurations are complete.

  • The packet capture length was configured. For details, see Configuring Packet Capture Length.

  • Policies are successfully deployed on the Zone.

Procedure

  1. Choose Defense > Policy Settings > Packet Capture.
  2. On the Packet Capture Task page, click .
  3. On the Create Packet Capture Task page, select Zone Anomaly Matched from the Type drop-down list.

  4. Set other basic parameters. For details, see Table 1.

    Table 1 Creating a packet capture task
    Parameter Description Reference Value
    Task Name Indicates the packet capture task name. The name cannot be empty or null. Special characters such as apostrophes ('), vertical bars (|), backslashes (\), commas (,), less-than signs (<), greater-than signs (>), ampersands (&), semicolons (;), double quotation marks ("), and percent signs (%) cannot be included.
    Sampling Ratio Indicates the ratio of the number of packets that meet the packet capture conditions to the number of packets actually captured. The default value is 1024:1, which means that the device captures one packet out of every 1024 packets that match the packet capture conditions.
    Captured Packet
    • If the packet capture type is Global Defense Matched or ACL Matched, the value is the total number of packets captured by the device.

      When the number of captured packets reaches Captured Packet and the packet capture operation is complete, the packet capture task enters the Disable state.

    • If packets are captured on the basis of Zone Attack Matched or Zone Anomaly Matched, the value is the number of packets (of the same attack or anomaly) captured by each CPU.

      For example, a device has four CPUs and Captured Packet is set to 1000. If an attack containing both ACK flood and UDP flood packets is launched, the packet capture result is as follows:
      • 4 x 1000 ACK flood attack packets are captured and four packet capture files are generated.
      • 4 x 1000 UDP flood attack packets are captured and four packet capture files are generated.

      After the packet capture operation is complete, the packet capture task remains in the Enable state, and packets are captured again upon the next attack.

    The default value is 1000.
    Automatically extract fingerprint
    • Disable
    • Enable automatic filtering

    This parameter is available only when Type is set to Zone Anomaly Matched.

    After automatic fingerprint extraction is enabled and packets are captured, the ATIC management center automatically extracts fingerprints, creates a fingerprint filter, and delivers the fingerprints to all cleaning devices bound to the Zone. The conditions for extracting fingerprints are as follows:

    Parameter Description Reference Value
    Fingerprint Fit Rate Indicates the matching ratio that must be reached before a fingerprint is extracted. The value is an integer ranging from 1 to 100, in percentage.
    Minimum Length Of Fingerprint Indicates the minimum fingerprint length. The value is an integer ranging from 8 to 32.
    Excluded Keyword Indicates the keywords of legitimate services to be excluded from fingerprint learning. -

    When the number of packets in the pcap files reaches the configured number, a fingerprint is extracted. Only one fingerprint, the one with the highest hit rate, is extracted each time.

    The fingerprint is deployed as a fingerprint filter to the associated devices. A fingerprint filter can be deleted manually.

    If the number of filters has reached the upper limit, no more fingerprint filters are created.
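    The selection logic behind these conditions can be modelled in a few lines. The following Python is an added example and not ATIC code: the packet payloads are constructed, and the way Excluded Keyword is applied (a candidate that contains, or is contained in, a keyword is dropped) is an assumption, as is the tie-break towards the longest candidate at equal hit rate.

```python
from collections import Counter
from typing import Iterable, List, Optional, Tuple

# Constructed sample payloads (not real captures): 8 flood packets sharing a
# marker behind a varying prefix/suffix, plus 2 legitimate HTTP requests.
FLOOD_PAYLOADS = [b"%02d-FLOOD-MARK-" % i + b"x" * (i % 3) for i in range(8)]
LEGIT_PAYLOADS = [b"GET /index.html HTTP/1.1\r\nHost: a\r\n",
                  b"GET /index.html HTTP/1.1\r\nHost: b\r\n"]
PCAP_PAYLOADS = FLOOD_PAYLOADS + LEGIT_PAYLOADS


def candidate_substrings(payload: bytes, min_len: int, max_len: int) -> set:
    """Distinct substrings of payload with min_len <= length <= max_len."""
    subs = set()
    for length in range(min_len, max_len + 1):
        for start in range(len(payload) - length + 1):
            subs.add(payload[start:start + length])
    return subs


def extract_fingerprint(payloads: List[bytes], fit_rate: int, min_len: int,
                        excluded_keywords: Iterable[bytes],
                        required_packets: int,
                        max_len: int = 32) -> Optional[Tuple[bytes, float]]:
    """Return (fingerprint, hit_rate_percent), or None if nothing qualifies.

    Extraction runs only once the pcap holds required_packets packets; a
    candidate must be at least min_len bytes (the setting is capped at 32),
    reach the Fingerprint Fit Rate, and not overlap an Excluded Keyword
    (assumed semantics). Exactly one fingerprint is returned.
    """
    if not payloads or len(payloads) < required_packets:
        return None
    excluded = list(excluded_keywords)
    hits: Counter = Counter()
    for payload in payloads:
        # Count each candidate once per packet, so hits == packets containing it.
        hits.update(candidate_substrings(payload, min_len, max_len))
    best = None
    for sub, count in hits.items():
        if any(kw in sub or sub in kw for kw in excluded):
            continue
        rate = 100.0 * count / len(payloads)
        if rate < fit_rate:
            continue
        # Highest hit rate wins; at equal rate prefer the longest candidate.
        key = (rate, len(sub), sub)
        if best is None or key > best:
            best = key
    return None if best is None else (best[2], best[0])
```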

  5. Click Next.
  6. Click . Select a Zone from the Zone list and click OK to add the Zone.
  7. Click Next.
  8. Click , click Detection/Cleaning Device to add network elements, and click OK.
  9. On the Create Packet Capture Task page, click OK.

    The Packet Capture Task page is displayed, with the packet capture task in the list.

  10. Select the check box of a packet capture task and click to enable the task.

    NOTE:
    Only one anomaly-based packet capture task can be enabled for each Zone within a period of time.

Follow-up Procedure

You can disable, view, or delete a packet capture task by referring to Managing Packet Capture Task.

Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.