topic using IPS engine for replaying older traffic in Off Topic https://community.checkpoint.com/t5/Off-Topic/using-IPS-engine-for-replaying-older-traffic/m-p/160688#M121 <P>My security team wants to be able to replay traffic (I don't know how they would) from the past to see what got thru before Check Point started preventing traffic.&nbsp; For damage control and auditing.&nbsp; &nbsp;I responded that we have logs, we don't have the traffic.&nbsp; But I am curious RE: forensics how teams go back and look for damage even a month before detection.</P> <P>Also, this question came up because they want to look for clues in old logs.&nbsp; Does Check Point show what they are checking for pattern management detection?&nbsp; I assume no - it's proprietary like the KFC recipe.</P> <P>&nbsp;</P> Fri, 28 Oct 2022 15:32:54 GMT Daniel_Kavan 2022-10-28T15:32:54Z using IPS engine for replaying older traffic https://community.checkpoint.com/t5/Off-Topic/using-IPS-engine-for-replaying-older-traffic/m-p/160688#M121 <P>My security team wants to be able to replay traffic (I don't know how they would) from the past to see what got thru before Check Point started preventing traffic.&nbsp; For damage control and auditing.&nbsp; &nbsp;I responded that we have logs, we don't have the traffic.&nbsp; But I am curious RE: forensics how teams go back and look for damage even a month before detection.</P> <P>Also, this question came up because they want to look for clues in old logs.&nbsp; Does Check Point show what they are checking for pattern management detection?&nbsp; I assume no - it's proprietary like the KFC recipe.</P> <P>&nbsp;</P> Fri, 28 Oct 2022 15:32:54 GMT https://community.checkpoint.com/t5/Off-Topic/using-IPS-engine-for-replaying-older-traffic/m-p/160688#M121 Daniel_Kavan 2022-10-28T15:32:54Z Re: using IPS engine for replaying older traffic https://community.checkpoint.com/t5/Off-Topic/using-IPS-engine-for-replaying-older-traffic/m-p/160719#M122 <P>Replaying traffic in a lab environment is one thing but as you say where is the traffic capture coming from as we don't blindly store it?</P> <P>Refer: tcpreplay tool&nbsp;</P> <P>&nbsp;</P> <P>Horizon NDR might be something the team is interested in investigating further.</P> Sat, 29 Oct 2022 01:41:45 GMT https://community.checkpoint.com/t5/Off-Topic/using-IPS-engine-for-replaying-older-traffic/m-p/160719#M122 Chris_Atkinson 2022-10-29T01:41:45Z