This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dave
Contributor
‎2021-06-11 06:44 AM
Jump to solution

IPS event - Syslog over non standard ports

We have many of these events, and which i would want to get rid of.

Of course i can add an exception in IPS for this, but i would like to know if i can solve it first.

Also, how is this possible?

 

So our devices do send syslog over UDP 514, still the IPS events are triggered.

 

IPS.jpg

 

 

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Legend Legend
Legend
‎2021-06-11 08:22 AM
Jump to solution

UDP/514 is the correct destination port for syslog traffic, but if I recall correctly the source port is supposed to be 514 as well and it is 57460 in your case which is causing the traffic be flagged by IPS.  Changing the source port to 514 on the sending system should resolve this.

If that is not feasible, there doesn't seem to be a way to add acceptable custom source ports to IPS for that syslog signature that I can see, so your best course of action here is probably an exception against this specific IPS signature for the sending server.

Attend my 60-minute "Be your Own TAC: Part Deux" Presentation
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm

View solution in original post

2 Replies
Timothy_Hall
Legend Legend
Legend
‎2021-06-11 08:22 AM
Jump to solution

UDP/514 is the correct destination port for syslog traffic, but if I recall correctly the source port is supposed to be 514 as well and it is 57460 in your case which is causing the traffic be flagged by IPS.  Changing the source port to 514 on the sending system should resolve this.

If that is not feasible, there doesn't seem to be a way to add acceptable custom source ports to IPS for that syslog signature that I can see, so your best course of action here is probably an exception against this specific IPS signature for the sending server.

Attend my 60-minute "Be your Own TAC: Part Deux" Presentation
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm
Dave
Contributor
‎2021-06-14 06:32 AM
In response to Timothy_Hall
Jump to solution

Hi Timothy,

I was under the impression that only the destination port had to match.

Thanks for your insight and info.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events