Gathering Evidence

Sometimes you may want to collect information about an attack that has occurred. You might want to analyze the attack further, or perhaps you want to provide data to a law enforcement agency. In either case, there are several tools you can use to gather the appropriate data.

Firewall Logs and Counters

We discussed firewall logs and counters throughout this chapter. They provide direct information about which traffic is being accepted and denied, and how much traffic matches each filter. Using these tools, you can get a good indication of whether attacks are occurring, and capture data to use as evidence of the existence of the attack.

Port Mirroring

You can use port mirroring to capture entire packets and send a copy of them to another device. This can be very useful to gather evidence of an attack.

To configure port mirroring, you must first define parameters for how much data to capture and where to send it:

[edit]
lab@r1# show forwarding-options
port-mirroring {
    family inet {
        input {
            rate 100;
            run-length 3;
        }
        output {
            interface fe-0/0/1.0 {
                next-hop 10.10.1.1;
            }
        }
    }
}

In this example, you can see that port mirroring parameters are configured under the forwarding-options section of the CLI. You must define two input parameters: the rate, which is the capture sampling rate, and the run-length, which is how many packets are captured each time a capture is performed; for example, a rate of 100 means a capture will be triggered for each 100 eligible packets. A run-length ...
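As an added example (not code from the book or from Juniper), the following Python script parses a port-mirroring stanza like the one above and models its sampling, so an analyst handling the mirrored capture as evidence knows that it is a sample rather than a full record and that the copies are going to the intended collector. It assumes that the run-length packets immediately following each trigger packet are the ones mirrored, and it uses the example's next-hop 10.10.1.1 as the expected collector address; the stanza text embedded below is constructed from the example.

```python
"""Audit a JUNOS port-mirroring stanza: parse rate / run-length / output
and estimate what fraction of eligible traffic reaches the collector."""
import re

# Constructed sample: the stanza from the chapter, as 'show forwarding-options' prints it.
SAMPLE_CONFIG = """\
port-mirroring {
    family inet {
        input {
            rate 100;
            run-length 3;
        }
        output {
            interface fe-0/0/1.0 {
                next-hop 10.10.1.1;
            }
        }
    }
}
"""


def parse_port_mirroring(text):
    """Pull the input and output parameters out of a port-mirroring stanza.
    Returns a dict; a missing key means the stanza did not set that value."""
    cfg = {}
    m = re.search(r"\brate\s+(\d+)\s*;", text)
    if m:
        cfg["rate"] = int(m.group(1))
    m = re.search(r"\brun-length\s+(\d+)\s*;", text)
    if m:
        cfg["run_length"] = int(m.group(1))
    m = re.search(r"\binterface\s+(\S+)\s*\{\s*next-hop\s+([\d.]+)\s*;", text)
    if m:
        cfg["interface"], cfg["next_hop"] = m.group(1), m.group(2)
    return cfg


def sampled_packets(rate, run_length, total):
    """Simulate which of `total` eligible packets (numbered from 1) are mirrored.
    Assumption: every `rate`-th packet triggers a capture, and the `run_length`
    packets immediately after the trigger packet are mirrored as well."""
    mirrored = set()
    for n in range(rate, total + 1, rate):
        for k in range(run_length + 1):
            if n + k <= total:
                mirrored.add(n + k)
    return sorted(mirrored)


def mirrored_fraction(rate, run_length):
    """Steady-state share of eligible traffic that reaches the collector."""
    return min(1.0, (1 + run_length) / rate)


def audit(text, expected_next_hop):
    """Defender's checks: the stanza is complete, mirrored copies go to the
    intended collector, and the sampling fraction is known so the capture
    is not mistaken for a complete record of the attack traffic."""
    cfg = parse_port_mirroring(text)
    findings = []
    for key in ("rate", "run_length", "interface", "next_hop"):
        if key not in cfg:
            findings.append(f"missing {key}")
    if cfg.get("next_hop") and cfg["next_hop"] != expected_next_hop:
        findings.append(
            f"next-hop {cfg['next_hop']} is not the collector {expected_next_hop}"
        )
    if "rate" in cfg and "run_length" in cfg:
        cfg["fraction"] = mirrored_fraction(cfg["rate"], cfg["run_length"])
    return cfg, findings


if __name__ == "__main__":
    cfg, findings = audit(SAMPLE_CONFIG, "10.10.1.1")
    print(cfg, findings)
    # With rate 100 and run-length 3, packets 100-103, 200-203 and 300 of the first 300 are mirrored.
    print(sampled_packets(100, 3, 300))
```

With the example's values the model shows that only 4 of every 100 eligible packets (4%) are copied to the collector, which is worth recording alongside any capture handed to an analyst or a law enforcement agency.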
