
Scan events

Hello All,

I'm looking for some help with the following: we had a scan event on one of our SFTP edges, which uses the Check Point as its gateway. No data exfiltration or lateral movement has been detected.

Below an example of scan in question:

 

We are looking for a possible solution on this, something like adding a dynamic blacklist, or "timeout". For example if an IP has 3+ IPS protect triggers within 5 minutes, it is automatically added to a blacklist for 7 days or indefinitely.

I'm not aware if the IPS module is able to perform such an operation, and as a possible solution we are considering getting a license for SmartEvent and setting up something like the below config:

If you have any other ideas that would be much appreciated.

Many Thanks. 

6 Replies
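The threshold logic the original post asks for (3 or more IPS protection triggers from one source within 5 minutes, then a 7-day block) written out as a sliding-window counter. This is an added example, not code from the thread or from Check Point: the simplified event format and the sample events are constructed, and the block is emitted as an `fw sam` command string rather than executed, so the exact command and its flags should be checked against the sk articles referenced in the replies before use.

```python
"""Repeat-offender check over IPS events (added example, not from the thread).

A source that trips `THRESHOLD` IPS protections inside a sliding `WINDOW`
is flagged once and a timed block command is produced for it.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 3                      # IPS hits from one source ...
WINDOW = timedelta(minutes=5)      # ... inside this sliding window ...
BLOCK_SECONDS = 7 * 24 * 60 * 60   # ... block the source for 7 days

# Constructed sample feed: "<ISO timestamp> <source IP> <protection name>".
# This simplified format is an assumption for the example; it is not real
# Check Point log output. In practice the events would come from the log
# server / log exporter.
SAMPLE_EVENTS = """\
2019-03-01T10:00:01 203.0.113.7 Port Scan
2019-03-01T10:01:30 203.0.113.7 SSH Server Version Detection
2019-03-01T10:02:15 198.51.100.9 Port Scan
2019-03-01T10:03:59 203.0.113.7 Host Port Scan
2019-03-01T10:20:00 198.51.100.9 Port Scan
2019-03-01T10:40:00 198.51.100.9 Port Scan
"""


def parse_events(text):
    """Return a time-sorted list of (timestamp, src_ip, protection)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, protection = line.split(None, 2)
        events.append((datetime.fromisoformat(ts), src, protection))
    events.sort(key=lambda e: e[0])
    return events


def find_offenders(events, threshold=THRESHOLD, window=WINDOW):
    """Return {src_ip: time the threshold was crossed}.

    A per-source deque holds recent hit times; entries older than `window`
    are dropped before counting, so only a burst is flagged and a slow
    trickle of single hits never accumulates. Each source is reported once.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, src, _protection in events:
        hits = recent[src]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()
        if len(hits) >= threshold and src not in flagged:
            flagged[src] = ts
    return flagged


def block_command(src_ip, seconds=BLOCK_SECONDS):
    """Build a Suspicious Activity Monitoring (SAM) command for the source.

    `fw sam -t <timeout> -I src <ip>` inhibits traffic from the source for
    `timeout` seconds without a policy install. Assumption: it is run from
    the management or gateway CLI; verify the flags against the sk articles
    before automating it.
    """
    return f"fw sam -t {seconds} -I src {src_ip}"


if __name__ == "__main__":
    for src, when in find_offenders(parse_events(SAMPLE_EVENTS)).items():
        print(f"{when.isoformat()} {src} crossed threshold -> {block_command(src)}")
```

With the sample feed only 203.0.113.7 is flagged (three hits between 10:00:01 and 10:03:59); 198.51.100.9 has three hits too, but spread over forty minutes, so it never fills the window. Wiring this to a real log feed is the part the thread's SmartEvent and SecureXL references cover.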

Re: Scan events

I would suggest starting by studying sk103154: How to block traffic coming from known malicious IP addresses - you will find further references there. For R80.20, there is even a new feature: R80.20 - IP blacklist in SecureXL.


Re: Scan events

Hello,

Thank you for the details provided.

What we are looking for is not to block traffic coming from known malicious IPs, but some sort of dynamic configuration where we can set up thresholds, and once there is an incident this traffic gets dropped.

I think SmartEvent looks quite similar to what we are looking for:


Re: Scan events

What you need is referred to there, I think: How to configure Rate Limiting rules for DoS Mitigation.

Re: Scan events

Re: Scan events

Thank you for your reply.

We don't want to change the IPS policy to detect, as this will just work as IDS and not IPS. The idea is to set up a threshold, so if we see 3 scan attempts from a source it would automatically be blocked.

Alex_Weldon

Re: Scan events

I would recommend taking a look at sk74520 - SecureXL penalty box. Also, if you are interested in folding in some dynamic blocking in addition to this, take a look at https://opendbl.net - the lists are updated every 12 hours and provide another layer of protection.
