I should have specified.... I am running 80.30

Hi Tim,

I see what you mean about the up arrow and that makes sense.  What still doesn't make sense to me is my hosts IP is the 4.30.x.x.  If this is outbound traffic shouldn't the 4.30.x.x IP show as the source?

Thank you!

I think this strangeness you are seeing may be caused by how different applications behave.  Some are "client talks first" and some are "server talks first".  An example of "server talks first" is FTP, once the TCP 3-way handshake is complete the server presents a 220 banner first then the client replies with USER.  An example of "client talks first" is HTTP, where after the TCP 3-way handshake is complete the client issues an HTTP verb to the server and the server responds.  Perhaps this detection happened in a "server talks first" scenario where your client initiated the connection, but there wasn't any data to make the detection until the server talked back first inbound.

A little-known fact covered in my 2021 IPS/AV/ABOT Video Series is that if the TP action is Detect and "Packet Capture" is set (as in your case), you can get up to 100KB of packets in the capture if the connection continues, whereas you will normally only get one offending packet if the action is Prevent.  This behavior when Detect is set gives additional context, but can make figuring out the offending packet a bit tougher.  See here for more reading: sk148492: Packet capture for IPS logs with "Prevent" or "Detect" actions does not show the desired n...

Given what I've stated above, does what you are seeing in the packet capture make more sense now?

Hi Tim,

Yes, that makes sense with the FTP server talk first example.  What about DNS queries?  From what I understand that is a "client talk first", right?

I replicated this scenario in my lab and ABOT performs the same way.  If I make a DNS query to a known malicious site to a DNS server that sits behind my lab gateways Check Point's ABOT "prevents" it.  In my lab I changed ABOT from detect to prevent and I do see the difference in fewer packets captured.  In this DNS query example I now only see 1 packet which must be the offending packet.  The pcap shows the offending packet with a source IP of the host "outside/external" to my gateways.

DNS is indeed a client talks first protocol and detection can happen on the very first packet because there is no handshaking with UDP, and it sounds like you are seeing what you should in regards to how many packets are captured with Detect vs. Prevent.

Why would a inbound DNS request on a external interface be looked at by Anti Bot?

@Timothy_Hall Does AB ever inspect inbound DNS traffic? I think I see what Mike is talking about as the source/destination IP addresses make it seem like this is external --> internal traffic.

If an internal client makes a DNS lookup request for a site name and the outbound DNS request does not run afoul of Domain Reputation, the IP provided in the inbound DNS response would then need to be checked by Anti-bot for IP reputation.  Or perhaps Anti-bot waits until the actual outbound connection request to the resolved IP, and then applies the IP Reputation check at that point?  This latter scenario is heavily implied in the "Reputation Layer" section of the ATRG for AV/ABOT, but I'm not 100% sure about this and we'll probably need someone in R&D to comment.  Tagging @PhoneBoy 

It would make sense that'd we catch the DNS reply before we make the actual IP connection.
Maybe @TP_Master or someone on the team knows for sure.

Hi Damon, it's not the reply Check Point is catching.  My system actually never sends a reply.  It is the initial DNS query inbound that Check Point is catching.

Then...you have your answer 😉

Interesting, thanks for the follow-up.