Hello,
We started sending logs from the Check Point FW to our SIEM, and there seems to be a problem with logs from the IPS Blade, specifically with events prevented by SmartDefense: the logs seem to lack the "Attack Name"/"protection name" field when the action is "Prevent", therefore we can't see which signature worked. This field seems to be present in logs of events where the action is "Reject" or "Drop", for example.
SmartDefense Unknown:
(redacted) - [action:"Reject"; flags:"409600"; ifdir:"inbound"; ifname:"[..]"; loguid:"[..]"; origin:"[..]"; originsicname:"[..]"; sequencenum:"120"; time:"[..]"; version:"5"; __policy_id_tag:"[..]"; attack:"Microsoft Windows NT Null CIFS Sessions"; attack_info:"Blocked Null CIFS Session attempt"; confidence_level:"4"; dst:"[..]"; industry_reference:"CVE-2000-1200"; performance_impact:"2"; product:"SmartDefense"; protection_id:"asm_cifs_block_null_sessions"; protection_name:"Microsoft Windows NT Null CIFS Sessions"; protection_type:"anomaly"; proto:"6"; rule:"7"; rule_name:"Discovery scan"; rule_uid:"c55f111a-3121-4412-9af7-0b43e99c4807"; s_port:"[..]"; service:"[..]"; severity:"2"; sgm_id:"[..]"; smartdefense_profile:"[..]"; src:"[..]"; sub_policy_name:"[..]"; sub_policy_uid:"[..]"]
SmartDefense Prevent:
(redacted) - [action:"Prevent"; flags:"313600"; ifdir:"outbound"; ifname:"[..]"; loguid:"{[...]"; origin:"[..]"; originsicname:"[...]"; sequencenum:"58"; time:"[..]"; version:"5"; __policy_id_tag:"product=[..]"; dst:"[..]"; log_id:"2"; malware_rule_id:"{710D7BDC-5306-4122-ACAC-B2BAF771A620}"; method:"POST"; policy:"[..]"; policy_time:"[..]"; product:"SmartDefense"; proto:"6"; reject_id_kid:"[..]"; resource:"[..]"; rule_name:"[..]"; rule_uid:"[..]"; s_port:"[..]"; ser_agent_kid:"Other: Hello, World"; service:"80"; session_id:"[..]"; sgm_id:"[..]"; smartdefense_profile:"[..]"; src:"[..]"; layer_uuid:"[..]"; malware_rule_id:"[..]"; smartdefense_profile:"[..]"]
As you can see, in the first case there's a lot more info, like attack, attack_info, protection_name and rule_name. Also, in the first case it is categorized in QRadar as Unknown "SmartDefense Event", while in the second case the event name is "SmartDefense Prevent". Does anyone know what can be done to fix this, so that all events from the IPS Blade have protection_name and attack info?
Also, another question: are all events from the IPS Blade SmartDefense events, or should you explicitly include another type of event in the log exporter? It seems to lack some events, while adding some events that are not from the IPS Blade.
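As an added illustration (not code from the post, from Check Point or from IBM), here is a small Python parser for the bracketed key:"value" layout shown in the two log lines above, together with a check that flags SmartDefense events arriving without any field that names the protection. The sample lines are constructed and abridged from the two quoted logs (placeholders replace the redacted values); the choice of protection_name, attack and protection_id as the "signature" fields is an assumption based on the Reject event, not a documented Check Point rule.

```python
import re
from typing import Dict, List

# One key:"value" pair of a Check Point log body. Keys are identifiers
# (including leading underscores such as __policy_id_tag); values run to the
# next double quote, so colons, commas, braces and brackets inside are fine.
FIELD_RE = re.compile(r'(\w+):"([^"]*)"')

# Assumption: an IPS event the SIEM can attribute to a signature carries these.
IPS_SIGNATURE_FIELDS = ("protection_name", "attack", "protection_id")

# Constructed sample lines, abridged from the two logs quoted in the post.
SAMPLE_LOGS = [
    # Reject event: carries attack / protection_name / protection_id.
    'host - [action:"Reject"; flags:"409600"; ifdir:"inbound"; ifname:"eth0"; '
    'loguid:"{0x1}"; sequencenum:"120"; version:"5"; '
    'attack:"Microsoft Windows NT Null CIFS Sessions"; '
    'attack_info:"Blocked Null CIFS Session attempt"; product:"SmartDefense"; '
    'protection_id:"asm_cifs_block_null_sessions"; '
    'protection_name:"Microsoft Windows NT Null CIFS Sessions"; '
    'rule_name:"Discovery scan"; severity:"2"]',
    # Prevent event: product is SmartDefense but no signature fields at all;
    # malware_rule_id is repeated, as in the original line.
    'host - [action:"Prevent"; flags:"313600"; ifdir:"outbound"; loguid:"{0x2}"; '
    'sequencenum:"58"; malware_rule_id:"{CONSTRUCTED-RULE-ID}"; method:"POST"; '
    'product:"SmartDefense"; ser_agent_kid:"Other: Hello, World"; service:"80"; '
    'malware_rule_id:"{CONSTRUCTED-DUPLICATE}"]',
    # Constructed non-IPS (firewall) event for contrast.
    'host - [action:"Drop"; product:"VPN-1 & FireWall-1"; sequencenum:"3"; '
    'service:"22"]',
]


def parse_checkpoint_log(line: str) -> Dict[str, str]:
    """Parse 'prefix - [k:"v"; k:"v"; ...]' into a dict.

    The body is everything between the first '[' and the last ']', so
    bracketed placeholders inside values do not confuse the split.
    Duplicate keys keep their first value.
    """
    start, end = line.find("["), line.rfind("]")
    if start == -1 or end == -1 or end < start:
        raise ValueError("no bracketed field list found")
    fields: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(line[start + 1:end]):
        fields.setdefault(key, value)
    return fields


def audit_ips_event(fields: Dict[str, str]) -> Dict[str, object]:
    """Verdict for one parsed event: is it IPS, and can a signature be named?"""
    is_ips = fields.get("product") == "SmartDefense"
    missing = [f for f in IPS_SIGNATURE_FIELDS if f not in fields]
    return {
        "sequencenum": fields.get("sequencenum"),
        "action": fields.get("action"),
        "is_ips": is_ips,
        "signature": fields.get("protection_name") or fields.get("attack"),
        "missing": missing,
        "usable": is_ips and not missing,
    }


def find_unusable_ips_events(lines: List[str]) -> List[Dict[str, object]]:
    """Return verdicts for SmartDefense events that lack every signature field,
    i.e. the ones a SIEM cannot attribute to a protection."""
    unusable = []
    for line in lines:
        verdict = audit_ips_event(parse_checkpoint_log(line))
        if verdict["is_ips"] and not verdict["usable"]:
            unusable.append(verdict)
    return unusable


if __name__ == "__main__":
    for v in find_unusable_ips_events(SAMPLE_LOGS):
        print(f"seq {v['sequencenum']} action={v['action']} missing={v['missing']}")
```

Run against an export of the log-exporter output, this gives a quick count of how many IPS events arrive without a protection name, which is the evidence to bring to the vendor or to the SIEM team.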
I am not sure if this question belongs here. More likely, you need to check with QRadar about parsing Check Point logs.
Hi,
Thanks for the reply, but you can't really parse in any SIEM information that isn't there, as in it's not sent by the source device. As you can see, the second log lacks the protection_name and attack_name fields, which are the most important fields really. If the company advertises that its device has IPS capabilities, it should at least generate proper logs for it.
Is there information or a template somewhere on how the logs from the IPS blade should look? Does anyone have experience with sending logs from Check Point to QRadar? As in, which format is recommended: syslog, LEEF or CEF. Lack of info in the logs is a source device problem, obviously.
You never said where the outputs above came from.
Seems like LEEF, according to the QRadar documentation.
https://www.ibm.com/docs/en/qsip/7.4?topic=configuration-check-point#c_dsm_guide_checkpoint_intro