https://community.checkpoint.com/t5/General-Topics/IPS-Prevent-with-wrong-signature/m-p/82249#M16630 Hi Timthy_Hall<BR /><BR />Thank you for sharing.<BR /><BR />I appreciate your comment. Fri, 17 Apr 2020 14:48:51 GMT Sarm_Chanatip 2020-04-17T14:48:51Z https://community.checkpoint.com/t5/General-Topics/IPS-Prevent-with-wrong-signature/m-p/81410#M16442 <P>Hi Guys,</P><P>&nbsp;</P><P>I had a chance to test IPS functional with detecting or preventing in R80.30 version, so my experiment is to use the Metasploit tool in kali with Exploit Eternalblue.</P><P>&nbsp;</P><P>After exploited successfully, found that the security gateway was able to block some malicious code with IPS module but the signature is being shown on the screenshot below is MS10-012 ( Microsoft SMB server race condition denial of service)</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="cp-1.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/5472iA29A3BB4EDB5ACFA/image-size/large?v=v2&amp;px=999" role="button" title="cp-1.png" alt="cp-1.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>Actually it should be prevented with MS17-010 (SMB Remote Code Execution)&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="cp-2.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/5473iAE5B8DD9C403EA53/image-size/large?v=v2&amp;px=999" role="button" title="cp-2.png" alt="cp-2.png" /></span></P><P>&nbsp;</P><P>Does anyone here explain to me regarding this behavior?</P><P>&nbsp;</P><P>Thank you in advance.</P><P>&nbsp;</P><P>Regards,</P><P>Sarm</P> Thu, 09 Apr 2020 07:56:18 GMT https://community.checkpoint.com/t5/General-Topics/IPS-Prevent-with-wrong-signature/m-p/81410#M16442 Sarm_Chanatip 2020-04-09T07:56:18Z https://community.checkpoint.com/t5/General-Topics/IPS-Prevent-with-wrong-signature/m-p/81529#M16470 Does anyone know? Fri, 10 Apr 2020 07:49:48 GMT https://community.checkpoint.com/t5/General-Topics/IPS-Prevent-with-wrong-signature/m-p/81529#M16470 Sarm_Chanatip 2020-04-10T07:49:48Z https://community.checkpoint.com/t5/General-Topics/IPS-Prevent-with-wrong-signature/m-p/81545#M16476 <P>First off, the firewall blocked it correctly so it doesn't really matter which IPS signature got matched.&nbsp;</P> <P>But to answer your question if I am reading the CVEs correctly, MS10-012 (Microsoft SMB server race condition denial of service- CVE-2010-0021) was the ability to corrupt and crash the system (DoS) through a vulnerability in the SMB v1 server and was revealed in 2010.&nbsp; MS17-010 (SMB Remote Code Execution - CVE-2017-0143) appears to be very similar in that it is the weaponization of that earlier vulnerability in 2017 that can execute arbitrary code via SMB v1, instead of just cause a DoS.&nbsp; So to me it looks like the same vulnerability with just different outcomes (DoS in 2010 vs. running arbitrary code in 2017).&nbsp; In that case it would make sense that the 2010 IPS signature would get triggered, even though your kit was attempting the 2017 code exploit as they are basically the same thing, just different outcomes.&nbsp; I don't think your exploit got far enough to inject the arbitrary code before the 2010 IPS signature was triggered and stopped it.</P> <P>Check out this other CheckMates thread which is very similar to your situation:</P> <H2 class="message-subject"><SPAN class="lia-message-read"><A id="link_12" class="page-link lia-link-navigation lia-custom-event" href="https://community.checkpoint.com/t5/IPS-Anti-Virus-Anti-Bot-Anti/IPS-signature-does-not-match-with-attack-type/m-p/56354?search-action-id=14198697978&amp;search-result-uid=56354" target="_blank">IPS <SPAN class="lia-search-match-lithium">signature</SPAN> <SPAN class="lia-search-match-lithium">does</SPAN> <SPAN class="lia-search-match-lithium">not</SPAN> <SPAN class="lia-search-match-lithium">match</SPAN> <SPAN class="lia-search-match-lithium">with</SPAN> <SPAN class="lia-search-match-lithium">attack</SPAN> <SPAN class="lia-search-match-lithium">type</SPAN></A></SPAN></H2> <P>&nbsp;</P> Fri, 10 Apr 2020 12:38:59 GMT https://community.checkpoint.com/t5/General-Topics/IPS-Prevent-with-wrong-signature/m-p/81545#M16476 Timothy_Hall 2020-04-10T12:38:59Z https://community.checkpoint.com/t5/General-Topics/IPS-Prevent-with-wrong-signature/m-p/82249#M16630 Hi Timthy_Hall<BR /><BR />Thank you for sharing.<BR /><BR />I appreciate your comment. Fri, 17 Apr 2020 14:48:51 GMT https://community.checkpoint.com/t5/General-Topics/IPS-Prevent-with-wrong-signature/m-p/82249#M16630 Sarm_Chanatip 2020-04-17T14:48:51Z