This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
RuiCosta
Explorer
‎2023-09-08 02:21 AM

HTTP Inspection with personalized content filter

Hi all,

we have some Microsoft packets coming form MS ISP IP addresses on HTTPS.
Those packets are originated by MS services for authentication purposes.
They are proxied through our firewall and forwarded to our onpremise federated auth infrastructure in dmz.

We receive both legitimate auth requests and brute force attacks.
The source IP addresses are ever trusted MS IPs and can not be filtered or dropped.

We would know if there is a way to enable https inspection inbound , parsing the content (the IP addreess inside the message) based on a list of IPs that we knows as malicius and we collect in other ways end finally prevent the packet from reaching the auth infrastructure


Only the checkpoint IPS  IPs reputation  may be not enough for us

(for now Microsoft says there is no ways for them to block those request......)

Many thanks 🙂

 

Rui

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2023-09-08 07:25 PM

How precisely is the IP encoded in the traffic?
If it's not in an IP or an HTTP header, it'll probably require an RFE.

0 Kudos
RuiCosta
Explorer
‎2023-09-11 12:36 AM
In response to PhoneBoy

Hi, tks for your answer. Unfortunately inside the body message. 
I suppose that a way must exist maybe in another blade like AV.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-09-11 11:07 AM
In response to RuiCosta

For Threat Prevention, you have the ability to create Snort Signatures.

0 Kudos
RuiCosta
Explorer
‎2023-09-15 01:10 AM
In response to PhoneBoy

Hi. Many thanks, I will check this feature (for me) unknown 🙂 
Bye

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    Virtual

    Tue 09 Jul 2024 @ 11:00 AM (CDT)

    Americas: Maestro Migration and Upgrade Best Practices
    In-Person

    Thu 11 Jul 2024 @ 10:00 AM (BST)

    CheckMates Live London

    Tue 30 Jul 2024 @ 05:00 PM (CEST)

    Under the Hood: CloudGuard Controller Unleashed
    In-Person

    Thu 11 Jul 2024 @ 10:00 AM (BST)

    CheckMates Live London
    CheckMates Events