
collect-attack-evidence enable (intrusion prevention profile view)

Function

The collect-attack-evidence enable command enables attack evidence collection of intrusion prevention.

The undo collect-attack-evidence enable command disables attack evidence collection of intrusion prevention.

Format

collect-attack-evidence enable

undo collect-attack-evidence enable

Parameters

None

Views

Intrusion prevention profile view

Default Level

2: Configuration level

Usage Guidelines

The attack evidence collection function of intrusion prevention is disabled by default.

  • The attack evidence collection function relies on hard disks and is available only when hard disks are installed.
  • Attack evidence collection does not apply to HTTPS traffic.
  • When the TCP proxy function is enabled on a device, the attack evidence collection function is unavailable.
  • When the antivirus full-scan mode is enabled on the device and the antivirus profile is referenced in the security policy matching FTP traffic, FTP traffic is processed in proxy mode by default. In this case, the intrusion prevention function cannot collect attack evidence for FTP traffic.
  • By default, attack evidence collection has the following restrictions:
    • A maximum of five attack evidence collection sessions are supported for a single signature ID on a single CPU.
    • When the system memory space is less than 200 MB, the device does not collect attack evidence. When the system memory space is restored to 400 MB, the device resumes attack evidence collection.
    • A single CPU allows a maximum of 512 MB of buffered attack evidence data. The maximum amount of attack evidence that can be cached for a single session depends on the version:
      • Versions earlier than V600R007C20SPC500: 100 KB. If the size of the file whose data needs to be collected exceeds 100 KB, the device does not perform attack evidence collection on the session.
      • V600R007C20SPC500 to V600R007C20SPC601: 30 KB. If the size of the file whose data needs to be collected exceeds 30 KB, the device does not perform attack evidence collection on the session.
      • V600R007C20SPC602 and later versions: 10 KB. If the size of the file whose data needs to be collected exceeds 10 KB, the device does not perform attack evidence collection on the session.
  • If the action in the intrusion prevention profile is block, the device collects only the identified threat packets and the packets before them. Subsequent packets of the same session are blocked and discarded, and therefore are not collected. If the action in the intrusion prevention profile is not block, the device collects all threat packets of the session as evidence.
  • Attack evidence collection is for troubleshooting only. Because attack evidence collection degrades system performance, enable it only when necessary and disable it as soon as evidence collection is finished.
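The restrictions above determine whether a given threat session will have an evidence file at all, which matters when an analyst finds a threat log entry with nothing to download. The following Python model is an added illustration and not Huawei code: it encodes the documented thresholds (200 MB stop / 400 MB resume, five sessions per signature ID per CPU, 512 MB per-CPU buffer, and the version-dependent per-session cap) so an operator can reason about which limit was hit. The order in which the checks are applied, the `EvidenceCollector` class, and the version strings and sizes in the usage section are assumptions constructed for the example.

```python
"""Model of the documented attack evidence collection limits.

Added illustration, not Huawei code. Thresholds come from the usage
guidelines above; the check ordering and the class itself are assumptions.
"""
import re
from dataclasses import dataclass, field

LOW_MEMORY_STOP_MB = 200        # collection stops below this system memory level
LOW_MEMORY_RESUME_MB = 400      # and resumes only once memory is restored to this level
MAX_SESSIONS_PER_SIGNATURE = 5  # per signature ID, per CPU
MAX_BUFFER_PER_CPU_KB = 512 * 1024


def version_tuple(version: str) -> tuple:
    """Parse a string such as 'V600R007C20SPC602' into a comparable tuple."""
    m = re.fullmatch(r"V(\d+)R(\d+)C(\d+)(?:SPC(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version}")
    # A missing SPC part sorts before any SPC release of the same C version.
    return tuple(int(x) if x else 0 for x in m.groups())


def per_session_cap_kb(version: str) -> int:
    """Maximum evidence cached for one session, per the documented release ranges."""
    v = version_tuple(version)
    if v < version_tuple("V600R007C20SPC500"):
        return 100
    if v <= version_tuple("V600R007C20SPC601"):
        return 30
    return 10


@dataclass
class EvidenceCollector:
    """Per-CPU admission state for evidence collection (assumed model)."""
    version: str
    memory_mb: int
    collecting: bool = True
    buffered_kb: int = 0
    sessions_per_sig: dict = field(default_factory=dict)

    def __post_init__(self):
        self.update_memory(self.memory_mb)

    def update_memory(self, memory_mb: int) -> bool:
        """Apply the 200/400 MB hysteresis; return whether collection is active."""
        self.memory_mb = memory_mb
        if memory_mb < LOW_MEMORY_STOP_MB:
            self.collecting = False
        elif memory_mb >= LOW_MEMORY_RESUME_MB:
            self.collecting = True
        # Between the two thresholds the previous state is kept.
        return self.collecting

    def admit(self, signature_id: int, file_size_kb: int) -> str:
        """Decide whether a new session's evidence is collected; return the reason."""
        if not self.collecting:
            return "skipped: low memory"
        cap = per_session_cap_kb(self.version)
        if file_size_kb > cap:
            return f"skipped: file {file_size_kb} KB exceeds {cap} KB cap"
        if self.sessions_per_sig.get(signature_id, 0) >= MAX_SESSIONS_PER_SIGNATURE:
            return "skipped: per-signature session limit"
        if self.buffered_kb + file_size_kb > MAX_BUFFER_PER_CPU_KB:
            return "skipped: CPU buffer full"
        self.sessions_per_sig[signature_id] = self.sessions_per_sig.get(signature_id, 0) + 1
        self.buffered_kb += file_size_kb
        return "collected"


if __name__ == "__main__":
    # Constructed walk-through: one signature hitting the session limit,
    # then memory dropping below 200 MB and recovering past 400 MB.
    c = EvidenceCollector(version="V600R007C20SPC602", memory_mb=1024)
    for size in (8, 12, 1, 1, 1, 1, 1):
        print(f"sig 1001, {size} KB -> {c.admit(1001, size)}")
    for mem in (300, 150, 300, 400):
        print(f"memory {mem} MB -> collecting={c.update_memory(mem)}")
```

The hysteresis is the part worth noticing: once memory drops under 200 MB, a reading of 300 MB is not enough to restart collection, so a device hovering between the two thresholds can stay silent for a long time while threat logs keep appearing.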

After you enable the attack evidence collection function, the device starts to collect the packets that match the intrusion prevention profile.

An extreme case is the following: the action in the intrusion prevention profile is not block, so the device collects the packets that match the profile, but after some threat packets have been collected the storage space becomes insufficient. In this case, the device stops attack evidence collection.

Log in to the device using an auditor account, choose Monitor > Log > Threat Log, locate the entry whose Threat Type is Intrusion, and click the corresponding icon of the entry to view and download the data packets, or click the download icon to download the packets directly. You can view and download the data packets only when you log in to the device using an auditor account.

Example

# Enable attack evidence collection in intrusion prevention profile hello.

<sysname> system-view
[sysname] profile type ips name hello
[sysname-profile-ips-hello] collect-attack-evidence enable
Copyright © Huawei Technologies Co., Ltd.