admin/geedge-jira
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6a8bfef5778fc7ddd06fa05776bf1ecd0f61d4c4
geedge-jira/md/OMPUB-1479.md

123 lines
3.5 KiB
Markdown
Raw Normal View History

first
2025-09-14 21:52:36 +00:00
# 【M22项目】一个数据流同时命中allow、deny、monitor策略导致packet capture file展示出现bug
| ID | Creation Date | Assignee | Status |
|----|----------------|----------|--------|
| OMPUB-1479 | 2024-09-25T18:51:14.000+0800 | 刘洋 | 已关闭 |
---
经排查客户于2024-09-25 11:00左右生效了一个monitor策略策略详情如图该策略开启了packet capturemonitor策略日志正常显示packet capture file
!image-2024-09-25-17-10-09-940.png|width=482,height=239!
!image-2024-09-25-17-16-52-792.png|width=482,height=239!
问题1该monitor策略的条件同时命中了deny策略deny策略未开启packet capture功能但是deny策略日志显示packet capture file
!image-2024-09-25-17-18-56-484.png|width=478,height=237!
!image-2024-09-25-17-17-57-388.png|width=479,height=238!
问题2该monitor策略的条件同时命中了allow策略allow策略没有packet capture功能但是allow策略日志显示packet capture file
!image-2024-09-25-17-20-43-646.png|width=475,height=236!
!image-2024-09-25-17-20-05-584.png|width=475,height=236!
 **liuyang** commented on *2024-09-26T16:14:04.794+0800*:
问题原因:
* 一个流量会话功能端产生一条日志session record里面包含session record和event logs的所有信息。当会话同时命中allow和monitor或者deny和monitor该会话的日志信息中同时记录security rule listmonitor rule list和对应捕获的packet capture。
* 安全事件日志是过滤session recored中security rule list不为空的日志所以也就同步展示了该日志中记录的packet capture file
---
**doufenghu** commented on *2024-09-26T19:18:30.324+0800*:
* pcap_capture_file 属于会话日志的属性任意一个策略开启pcap capture功能当命中多个或多种类型策略时都显示下载pcap文件标识。建议pcap头增加策略命中信息。
* 目前遗留问题截止当地时间17:40分会话日志中还标注了已删除的监测策略ID(3705, 3707, 3709等)并且字段pcap_capture_file有文件名称并还有file chunk 写入 需功能端排查下。
---
**chengsiyuan** commented on *2024-09-26T19:35:10.813+0800*:
monitor策略3709已经被客户删除但是还在持续产生日志
目前现场monitor策略截图无3709
!image-2024-09-26-18-03-12-601.png|width=806,height=400!
!image-2024-09-26-18-02-29-841.png|width=804,height=399!
---
**chengsiyuan** commented on *2024-09-27T11:30:36.176+0800*:
经排查:
ID3709 删除时间2024-09-25 17:39:00
ID3705 删除时间2024-09-25 17:39:00
ID3707 删除时间2024-09-25 10:59:50
ID2743 删除时间2024-09-26 10:42:50
通过monitor策略按照start time查询在2024-09-26 10:42:51.632之后就没有新的monitor日志产生目前看的新收到的monitor日志都是start time在策略删除前流维持的时间比较长导致
!image-2024-09-27-10-00-23-862.png|width=627,height=311!
!image-2024-09-27-10-00-33-848.png|width=624,height=310!
---
## Attachments
**63317/image-2024-09-25-17-10-09-940.png**
---
**63316/image-2024-09-25-17-16-52-792.png**
---
**63315/image-2024-09-25-17-17-57-388.png**
---
**63314/image-2024-09-25-17-18-56-484.png**
---
**63313/image-2024-09-25-17-20-05-584.png**
---
**63312/image-2024-09-25-17-20-43-646.png**
---
**63356/image-2024-09-26-18-02-29-841.png**
---
**63357/image-2024-09-26-18-03-12-601.png**
---
**63367/image-2024-09-27-10-00-23-862.png**
---
**63368/image-2024-09-27-10-00-33-848.png**
---
Reference in New Issue Copy Permalink