Re: Obfuscated mail alerts

HristoGrigorov · ‎2020-09-08

So, how am I supposed to read such obfuscated mail alerts?

HeaderDateHour: 9Sep2020 7:23:49; ContentVersion: 5; hll_key: 8473581293994328681; Uuid: {0x5f5858d5,0x0,0x98c0a8c0,0x2288}; SequenceNum: 3; Action: redirect; Origin: FW-EXT; IfDir: <; InterfaceName: eth1.352; Alert: mail; OriginSicName: CN=FW-EXT,O=CPSMS..kg4oq9; duration: 0:00:00; last_hit_time: 9Sep2020 7:23:49; update_count: 1; creation_time: 9Sep2020 7:23:49; connection_count: 1; aggregated_log_count: 1; file_count: 1; src: ******; dst: 205.185.216.42; proto: tcp; protocol: HTTP; sig_id: 0; service_id: http; UP_match_table: TABLE_START; ROW_START: 0; match_id: 16; layer_uuid: 9423cebf-45b3-4e4c-b1bb-2e7b7b3dc585; layer_name: EXTERNAL Network; rule_uid: 207e0d97-511c-4d74-865f-f1e736142245; rule_name: ******; ROW_END: 0; ROW_START: 1; match_id: 67108874; layer_uuid: d3d0f35b-398c-43cd-97b3-bf3cf9ab0e17; layer_name: WEB Control Layer; rule_uid: 22e7177c-c98e-4122-80ec-efb94f07ee36; rule_name: ******; ROW_END: 1; UP_match_table: TABLE_END

; UP_action_table: TABL

_START; ROW_START: 0; action: 8; ROW_END: 0; ROW_START: 1; action: 50; ROW_END: 1; UP_action_table: TABLE_END; UP_parent_id_table: TABLE_START; ROW_START: 0; parent_rule: 0; ROW_END: 0; ROW_START: 1; parent_rule: 16; ROW_END: 1; UP_parent_id_table: TABLE_END; aggregated_data_type_table: TABLE_START; ROW_START: 0; data_type_name: Executable File; ROW_END: 0; aggregated_data_type_table: TABLE_END; aggregated_file_table: TABLE_START; ROW_START: 0; file_name: windows-kb890830-x64-v5.83_fede0eab17a3acf1aa945b14f37324ae6a8f6fc6.exe; file_type: Executable; ROW_END: 0; aggregated_file_table: TABLE_END; UP_alert_hll_table: TABLE_START; ROW_START: 0; alert: mail; ROW_END: 0; UP_alert_hll_table: TABLE_END; src_user_name: ******; src_machine_name: ******; user: ******; ProductName: Content Awareness; svc: http; ProductFamily: Network;

Those ****** are me replacing some private data.

_Val_ · ‎2020-09-09

Could you elaborate maybe? Scenario, tools in use, goals in hands?

HristoGrigorov · ‎2020-09-09

This is a mail alert for a rule. I tried it for different types of rules and it is always coming like that. Not easy to read and understand. If not a well formatted HTML message, I expect at least CRLF after each ";" and possibly stripped out unnecessary text such as TABLE_START, TABLE_END, etc. In the perfect case it shall be possible for the admin to modify standard template to his/her own needs. This is probably good format for log record but not for mail alert.

I am actually surprised to be the only one here bothered by this 😀

ED · ‎2020-09-09

Hi Hristo,

You are not the only one 🙂 It would be great if it could be better formatted in order to read it easily or a template that we can modify as you suggest. Doesn't look much better for a policy install:

HeaderDateHour: 8Sep2020 14:01:03; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 1; Action: ; Origin: ****; IfDir: <; IfName: N/A; Alert: mail; OriginSicName: N/A; System Alert message: A Firewall Policy has been s uccessfully installed on *****; Object: *****; Event: Change; Parameter: policy_time; Condition: changes Tue Sep 8 10:51:44 2020; Current value: Tue Sep 8 14:00:17 2020; ProductName: System Monitor; ProductFamily: Network;

_Val_ · ‎2020-09-10

I understand this is a copy/paste from the email alert you get. Can you please also post a screenshot of how that email actually looks?

ED · ‎2020-09-10

The email looks like this

Notice that if I had used the whole width of my screen it would be strected in to two lines.

Danny · ‎2020-09-10

Hi @_Val_ ,

an email screenshot can be found in this thread.

We have discussed this formatting issue here many times before:

IPS mail alerts and SmartEvent mail alerts are readable out-of-the-box while standard mail alerts as triggered from within the rulebase are not thus forcing end users to fall back to create their own script and set this as custom alert.

_Val_ · ‎2020-09-10

Thanks, @Danny it is clear. I have asked the relevant team to look into this. Please allow them some time to respond.

_Val_ · ‎2020-09-10

Also, @HristoGrigorov & @ED, could you please explain the whole story from the beginning? Please take a specific mail alert, show how it is configured and what are the results. This way it will be easier to pass it to developers to address.

HristoGrigorov · ‎2020-09-10

Sure, but I need e-mail address to avoid confidential info disclosure here.

_Val_ · ‎2020-09-10

vloukine@checkpoint.com

But I think I have enough info from Danny's respond above already.

Are you a member of CheckMates?

Obfuscated mail alerts