https://community.checkpoint.com/t5/Spark-Firewall-SMB/False-positive-with-IPS-and-AntiBot-Confidence-HIGH-Medium/m-p/84707#M3513 <P>Appliance 1490, r77.20.87 Build 990172966<BR />Blades: FW, AppCtrl, URLF, ABOT, AV, IPS, RAccs and SSL Inspect<BR />Locally Managed<BR /><BR />1. Yesterday (2020-may-07) I did receive a notification in WachTower from FW about a BOT event.<BR />2. Internal host suppostly infected was hostA<BR />3. External threat host was 13.107.136.9<BR />4. Reviewing logs I found communications attempts since May 7, logged by <STRONG>IPS</STRONG> blade<BR />5. Hours later, there is a log by <STRONG>AppCtrl</STRONG> allow and identifying app <STRONG>Sharepoint-online</STRONG> on ip 13.107.136.9, that's correct.<BR />6. Then… was a log by <STRONG>Https Inspect</STRONG> with a <EM>Revoked Certificate or invalid CRL</EM> in connection to sharepoint.com (13.107.136.9).<BR />7. Again others logs by IPS equal to point 4.<BR />8. Yesterday (may-08) there is a log by <STRONG>AppCtrl</STRONG> allowing <STRONG>eBay</STRONG> app with traffic to ip 13.107.136.9!!!! <STRONG>What</STRONG>? <STRONG>Resource</STRONG> on such log can be readed as <STRONG><A href="https://hostXYZ.sharepoint.com/" target="_blank">https://hostXYZ.sharepoint.com/</A>......</STRONG> What was this confusion about? Or what am I misinterpreting? (Doubt )<BR />9. After, there are logs by IPS and AppCtrl with same data.<BR />10. Suddenly appear a log by <STRONG>ABot</STRONG> with same resource of point 8 but identifying a client type <STRONG>MicrosoftSkydriveSync</STRONG>.<BR />11. Since then, there are logs by <STRONG>FW</STRONG> blade. The strange thing about these logs is that despite the fact that the traffic originated from the internal host to the external one, it is the incoming rules that are generating it. (Doubt)</P><P><BR />Why was the appliance confused in properly diagnosing the correct application (OneDrive, no eBay) and why did it take so long to do so? Is it a common latency?</P><P>Why a incoming rule do such logs (point 11) with connection traffic originated from internal host (outgoing traffic)?</P><P>Why IPS alerted with a confidence level HIGH detecting GBU BASH threat with HostA, but HostA is a Windows host?</P><P>I know, there are so much doubts, words and&nbsp;lack of knowledge, I am reading guides but please, help me with this&nbsp; issue.</P><P>&nbsp;</P><P>I'm thinking about a false positive... but I don't be sure.&nbsp;</P><P>Thanks.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="001-ips" style="width: 924px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/6023iE6B10577E11AB367/image-size/large?v=v2&amp;px=999" role="button" title="001-IPS.GIF" alt="001-ips" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">001-ips</span></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="002-AppC" style="width: 921px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/6024i646355B025D2CFCF/image-size/large?v=v2&amp;px=999" role="button" title="002-AppCtrl.GIF" alt="002-AppC" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">002-AppC</span></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="003" style="width: 920px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/6026i9D23720D3382C410/image-size/large?v=v2&amp;px=999" role="button" title="003-HTTPS Insp.GIF" alt="003" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">003</span></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="004-" style="width: 920px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/6025iF1DE971F3EFC650B/image-size/large?v=v2&amp;px=999" role="button" title="004-IPS.GIF" alt="004-" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">004-</span></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="005-AppC-eBay????" style="width: 923px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/6027i4B442CA5AC905C44/image-size/large?v=v2&amp;px=999" role="button" title="005-AppCtrl-eBay.GIF" alt="005-AppC-eBay????" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">005-AppC-eBay????</span></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="007-AppC-eBay again" style="width: 920px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/6029i9EB26E99BAC42966/image-size/large?v=v2&amp;px=999" role="button" title="007-AppCtrl-eBay.GIF" alt="007-AppC-eBay again" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">007-AppC-eBay again</span></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="008-ABot" style="width: 924px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/6030i758E6209B3601BA0/image-size/large?v=v2&amp;px=999" role="button" title="008-ABot-varias dudas.GIF" alt="008-ABot" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">008-ABot</span></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="009-outgoing traffice loggued by incoming rules?" style="width: 924px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/6031i45A26E7C73CA52F2/image-size/large?v=v2&amp;px=999" role="button" title="009-FW-reglas de entrada.GIF" alt="009-outgoing traffice loggued by incoming rules?" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">009-outgoing traffice loggued by incoming rules?</span></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="010-AppC bye eBay, now OneDrive" style="width: 917px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/6032i85EBC43E0909D1E8/image-size/large?v=v2&amp;px=999" role="button" title="010-AppCtrl-OneDrive.GIF" alt="010-AppC bye eBay, now OneDrive" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">010-AppC bye eBay, now OneDrive</span></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Notification of infection" style="width: 481px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/6033i6DBEC582C83BDC83/image-size/large?v=v2&amp;px=999" role="button" title="notificacionBOT.GIF" alt="Notification of infection" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Notification of infection</span></span></P><P> </P><P>&nbsp;</P> Sun, 10 May 2020 02:35:15 GMT LuisSP 2020-05-10T02:35:15Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/False-positive-with-IPS-and-AntiBot-Confidence-HIGH-Medium/m-p/84707#M3513 <P>Appliance 1490, r77.20.87 Build 990172966<BR />Blades: FW, AppCtrl, URLF, ABOT, AV, IPS, RAccs and SSL Inspect<BR />Locally Managed<BR /><BR />1. Yesterday (2020-may-07) I did receive a notification in WachTower from FW about a BOT event.<BR />2. Internal host suppostly infected was hostA<BR />3. External threat host was 13.107.136.9<BR />4. Reviewing logs I found communications attempts since May 7, logged by <STRONG>IPS</STRONG> blade<BR />5. Hours later, there is a log by <STRONG>AppCtrl</STRONG> allow and identifying app <STRONG>Sharepoint-online</STRONG> on ip 13.107.136.9, that's correct.<BR />6. Then… was a log by <STRONG>Https Inspect</STRONG> with a <EM>Revoked Certificate or invalid CRL</EM> in connection to sharepoint.com (13.107.136.9).<BR />7. Again others logs by IPS equal to point 4.<BR />8. Yesterday (may-08) there is a log by <STRONG>AppCtrl</STRONG> allowing <STRONG>eBay</STRONG> app with traffic to ip 13.107.136.9!!!! <STRONG>What</STRONG>? <STRONG>Resource</STRONG> on such log can be readed as <STRONG><A href="https://hostXYZ.sharepoint.com/" target="_blank">https://hostXYZ.sharepoint.com/</A>......</STRONG> What was this confusion about? Or what am I misinterpreting? (Doubt )<BR />9. After, there are logs by IPS and AppCtrl with same data.<BR />10. Suddenly appear a log by <STRONG>ABot</STRONG> with same resource of point 8 but identifying a client type <STRONG>MicrosoftSkydriveSync</STRONG>.<BR />11. Since then, there are logs by <STRONG>FW</STRONG> blade. The strange thing about these logs is that despite the fact that the traffic originated from the internal host to the external one, it is the incoming rules that are generating it. (Doubt)</P><P><BR />Why was the appliance confused in properly diagnosing the correct application (OneDrive, no eBay) and why did it take so long to do so? Is it a common latency?</P><P>Why a incoming rule do such logs (point 11) with connection traffic originated from internal host (outgoing traffic)?</P><P>Why IPS alerted with a confidence level HIGH detecting GBU BASH threat with HostA, but HostA is a Windows host?</P><P>I know, there are so much doubts, words and&nbsp;lack of knowledge, I am reading guides but please, help me with this&nbsp; issue.</P><P>&nbsp;</P><P>I'm thinking about a false positive... but I don't be sure.&nbsp;</P><P>Thanks.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="001-ips" style="width: 924px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/6023iE6B10577E11AB367/image-size/large?v=v2&amp;px=999" role="button" title="001-IPS.GIF" alt="001-ips" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">001-ips</span></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="002-AppC" style="width: 921px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/6024i646355B025D2CFCF/image-size/large?v=v2&amp;px=999" role="button" title="002-AppCtrl.GIF" alt="002-AppC" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">002-AppC</span></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="003" style="width: 920px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/6026i9D23720D3382C410/image-size/large?v=v2&amp;px=999" role="button" title="003-HTTPS Insp.GIF" alt="003" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">003</span></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="004-" style="width: 920px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/6025iF1DE971F3EFC650B/image-size/large?v=v2&amp;px=999" role="button" title="004-IPS.GIF" alt="004-" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">004-</span></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="005-AppC-eBay????" style="width: 923px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/6027i4B442CA5AC905C44/image-size/large?v=v2&amp;px=999" role="button" title="005-AppCtrl-eBay.GIF" alt="005-AppC-eBay????" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">005-AppC-eBay????</span></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="007-AppC-eBay again" style="width: 920px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/6029i9EB26E99BAC42966/image-size/large?v=v2&amp;px=999" role="button" title="007-AppCtrl-eBay.GIF" alt="007-AppC-eBay again" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">007-AppC-eBay again</span></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="008-ABot" style="width: 924px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/6030i758E6209B3601BA0/image-size/large?v=v2&amp;px=999" role="button" title="008-ABot-varias dudas.GIF" alt="008-ABot" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">008-ABot</span></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="009-outgoing traffice loggued by incoming rules?" style="width: 924px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/6031i45A26E7C73CA52F2/image-size/large?v=v2&amp;px=999" role="button" title="009-FW-reglas de entrada.GIF" alt="009-outgoing traffice loggued by incoming rules?" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">009-outgoing traffice loggued by incoming rules?</span></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="010-AppC bye eBay, now OneDrive" style="width: 917px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/6032i85EBC43E0909D1E8/image-size/large?v=v2&amp;px=999" role="button" title="010-AppCtrl-OneDrive.GIF" alt="010-AppC bye eBay, now OneDrive" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">010-AppC bye eBay, now OneDrive</span></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Notification of infection" style="width: 481px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/6033i6DBEC582C83BDC83/image-size/large?v=v2&amp;px=999" role="button" title="notificacionBOT.GIF" alt="Notification of infection" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Notification of infection</span></span></P><P> </P><P>&nbsp;</P> Sun, 10 May 2020 02:35:15 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/False-positive-with-IPS-and-AntiBot-Confidence-HIGH-Medium/m-p/84707#M3513 LuisSP 2020-05-10T02:35:15Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/False-positive-with-IPS-and-AntiBot-Confidence-HIGH-Medium/m-p/84732#M3514 False positives do happen from time to time.<BR />Best to engage the TAC here so we can understand (and fix). Sun, 10 May 2020 15:01:43 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/False-positive-with-IPS-and-AntiBot-Confidence-HIGH-Medium/m-p/84732#M3514 PhoneBoy 2020-05-10T15:01:43Z