topic Re: smart event alerting of IPS prevent in Firewall and Security Management

smart event alerting of IPS prevent

Daniel_Kavan — Thu, 27 Feb 2020 16:02:35 GMT

I've been asked to set up an alert on traffic (even a single incident) that is prevented from an internal IP -> DMZ. This seems easy, but is not possible with Smart Event. It's rare that this traffic would be correlated, the PREVENT just shows up as a single log - type NOT correlated. THUS, the alert doesn't fire. Does anyone know if there is a way?

Creating Event Definitions (User Defined Events) - page 56 of the R77 smart event guide (I'm on R80.30, but this has the best documentation on user defined events. To create a user-defined event you must have knowledge of the method by which SmartEvent identifies events. This section starts with a high level overview of how logs are analyzed to conclude if an event occurs or occurred.

When you create a user defined event, there is a COUNT LOGS tab and inside a radio button 'single log', this NEEDs to be updated to say single correlated log for accuracy.

Re: smart event alerting of IPS prevent

PhoneBoy — Sun, 01 Mar 2020 02:34:51 GMT

You're correct in that SmartEvent only works on correlated logs.
However, what you're asking can be done outside of SmartEvent.

You can create an explicit rule for this server in your Threat Prevention policy and set the Track option to Mail and/or one of the User Alert options.
This will generate an email or run whatever script you specify on each log entry that is generated.
To configure Mail and/or User Alert options, refer to sk25941.

Re: smart event alerting of IPS prevent

_Val_ — Sun, 01 Mar 2020 18:08:23 GMT

There is a better solution for your case. Create a custom rule for Threat Prevention policy layer, put there IPs and zones you need as source and destination. Set tracking for custom alert, et voila…

Re: smart event alerting of IPS prevent

Daniel_Kavan — Mon, 02 Mar 2020 15:31:22 GMT

Thanks for these responses!

However, the 'protected scope' doesn't seem to be specific enough.

I have a very specific case - I want alert on if it's from this IP address, x.x.x.1 AND to this destination network y.y.y.0/24.

The protected scope is more of an 'either OR' not an 'AND'. IOW protected scope is if it's in/out to x.x.x.1 OR in/out to y.y.y.0/24.

Maybe, the best we can do is a twice daily report on TP associated with x.x.x.1.

Re: smart event alerting of IPS prevent

PhoneBoy — Mon, 02 Mar 2020 15:34:28 GMT

Right click on the rule headings and you can add source and destination columns.

Re: smart event alerting of IPS prevent

Daniel_Kavan — Mon, 02 Mar 2020 16:21:10 GMT

Thanks!

This will work, it looks like the limitation is you are limited to 3 custom alerts. Alert no. 1, 2, & 3.

Re: smart event alerting of IPS prevent

PhoneBoy — Mon, 02 Mar 2020 16:23:40 GMT

One called script can potentially do multiple things based on the input it receives.

Re: smart event alerting of IPS prevent

Daniel_Kavan — Mon, 02 Mar 2020 18:32:30 GMT

Is there a list somewhere that shows the stream sent when you call an alert? What input does it receive? I can write a script to use the data the script receives when an alert is generated, but what does that input/stream list look like?

I know with an email alert, a nice attachment that looks like the full record of the Prevent or Drop is sent.

However, with a script what is sent to the alert/script as input. Yes, once you have that list, I can see how you can use it in a script to parse it and do different things.

Origin: $Origin

Blade: $Blade

Action: $Action

Attack Name: $Attack_Name

Attack Information: $Attack_Info

Source: $Source

Destination: $Destination

Severity: $Severity

Re: smart event alerting of IPS prevent

PhoneBoy — Tue, 03 Mar 2020 21:09:36 GMT

If you were to look at the log entry as it's shown with either fw log or CPLogFilePrint, it would look something like that.
What is sent depends on what information is in the log.

Re: smart event alerting of IPS prevent

Daniel_Kavan — Fri, 06 Mar 2020 14:52:02 GMT

TAC found more here: https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_LoggingAndMonitoring_AdminGuide/html_frameset.htm

This show how to pull the EVENT into the script.

Re: smart event alerting of IPS prevent

Daniel_Kavan — Wed, 16 Sep 2020 17:13:06 GMT

Hi,

What scripting language/s can be used? LLast time I tried python on Gaia & tried to wanted to add new modules/libraries, CP said I would invalidate the support if I added new libraries. I think we talked about running a shell script that would call a python script on another server, but that would also involve passing the stream down to a different server.

Basically If attack_info = Zmap scan -> /dev/null, I want zmap secruity scans to be prevented but I don't want a case to fire off because of it.

Re: smart event alerting of IPS prevent

PhoneBoy — Thu, 17 Sep 2020 01:27:52 GMT

A bash script is where I would start as that doesn't require installing any other interpreters.