IPS, Anti-Virus, Anti-Bot, Anti-Spam

Your place to discuss Check Point's Intrusion Prevention System, Anti-Bot, Antivirus, and Anti-Spam solutions.

Admin

Moving from Detect to Prevent TechTalk: Video, Slides, and Q&A

On 8th January 2020, @Oren_Koren gave us a preview of a SmartConsole Extension that will be launched at CPX 360 2020, making it simple to move from Detect to Prevent with Check Point! The following is available to CheckMates members who are logged in:
Slides (will be provided after CPX 360 2020)
Video
Q&A will be posted as comments.
The SmartConsole Extension mentioned: https://secureupdates.checkpoint.com/appi/tailoredsafe/extension.json

Failed to parse CP site response

In the last couple of weeks I have seen the following error alerting in flurries on multiple sites at the same time. All running R80.30 with HTTPS inspection and URL&App blade, AV, AB etc. Has anyone else seen this, anyone resolved it? It is filling the admin mailboxes and I'm concerned that a. users are having problems or b. most worryingly, that potentially harmful sites are being accessed without protection because of 'fail-open'. Note from these two examples that the blade reporting the issue varies as does the website involved. Goo.gl features highly in this on multiple sites but there are plenty of other examples.

HeaderDateHour:  4Feb2020 10:49:56; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 36; Action: ctl; Origin: fwl-0002; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:goo.gl/forms/gn0vx7tcxe; reason: Failed to parse CP Site Response., check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_8520_258746 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

and also:

HeaderDateHour:  1Feb2020  9:43:46; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 37; Action: ctl; Origin: fwl-0002; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:cdn.videogram.com; reason: Failed to parse CP Site Response., check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_8520_206678 For more details; severity: 3; ProductName: URL Filtering; ProductFamily: Network;

IPS Updates for Optimized Profile

I have started to use the Optimized Profile for my IPS, however I have noticed protections that should be enabled according to the Check Point IPS Update email, yet are actually inactive. Please see the example: Advantech WebAccess SCADA Stack-based Buffer Overflow (CVE‑2019‑3975: CVE‑2019‑3951) should be set as activated but has not been. Anyone know why this would be the case and how I could fix this?
Pantsu
Pantsu inside IPS, Anti-Virus, Anti-Bot, Anti-Spam yesterday
views 193 5 1

mail alert from checkpoint

I want to receive email notifications from Check Point about critical alerts (anti-virus, IPS, anti-bot). I found it in SmartEvent, but when I create a new 'Automatic reaction' there is only an "Outgoing mail server (SMTP)" parameter. I think it is not enough; where can I enter my email credentials (username and password) and POP parameters? I think those are necessary.

Oracle January 2020 CVEs (CVE-2020-2546)

We have a vendor that cannot patch a system for CVE-2020-2546. Does anyone know if there will be a signature available soon? While looking for this, I see there are a lot of new Oracle exploits being patched, so I assume people are hard at work creating virtual patching.
Ref: https://www.tenable.com/blog/oracle-january-2020-critical-patch-update-contains-255-cves

MTA define sending Interface

Hi, I configured the MTA on a CP 5800 Cluster running R80.10. The customer wants to evaluate the SandBlast feature and therefore asked me to implement it. I followed the Admin Guide and everything seems to work. The design looks like this:
Mail gateway (10.223.181.X) -> forwards mails to MTA -> then forwards them to the Exchange DAG (10.223.181.X)
But when we tested the connection (telnet 10.223.181.X 25) between the Firewall Cluster and his Exchange DAG, we received the following error: "421 4.3.2 Service not available". It seems that the current receive connector at the Exchange DAG did not accept connections from the Check Point MTA. But that didn't make any sense to me since the Mail gateway, Check Point and the Exchange DAG are in the same subnet, so I thought the MTA would send out mails via the Gateway IP Address in that subnet. So we changed the receive connector policy to accept connections from any subnet. That worked and we could test-send a mail from the MTA to the Exchange Server. Within the mail header information we found out that the IP Address that was used to send the mail was from a completely different subnet.
My question: Is there a way to define which interface has to be used by the MTA for forwarding mails?

r80.20 - Application Control - HTTP parsing error occurred (2)

Hello, I have URL Filtering in Check Point and when I try to enter some web page it writes this error in the web browser: "Error: Error: The Web Socket transport is in an invalid state, transitioning into reconnecting". And in the SmartConsole logs there are these logs (see the screenshots):
1) IPS detect, but accept
2) Alert and Block Traffic

IPS Analyzer Results

I have read the other posts on the IPS Analyzer out there and realize that the protections listed as Threat Prevention protection # are coming from other blades.  Is there a way to identify what blades these are coming from in the raw files that you run IPS Analyzer on?  What is the best way to identify and remediate these? Thanks in advance!

IPS Signature CVE-2020-0601

Hi, did you manage to trigger the CVE-2020-0601 IPS protection? I tried using:
- Check Point R80.30
- strict and optimised profile
- with and without SSL Inspection
- using vulnerable OS
- Test page: http://testcve.kudelskisecurity.com/
Results: Without SSL inspection it is unable to detect the attack. With SSL inspection I have: "Internal system error in HTTPS Inspection (Error Code: 2), Bypassing request as configured in engine settings of HTTPS Inspection". Does somebody know what condition has to be met to trigger this IPS protection?
Best Regards
Maciej

Blocking IP using custom IOC feeds

Hello All, I am trying to automatically block IPs from IOC feeds coming from ServiceNow-SecOps. I can see Check Point is able to fetch IOCs from SecOps; however, it is not blocking those IPs. I am using R80.30 (gateway and management are behind a proxy and it is standalone). I checked sk103154 and it asks me to install the script "ip_block_sk103154.tar". Unfortunately, with my access I am unable to download this script. Please let me know if there is any work-around for this issue.

The meaning of null in action field for SmartDefense

Hi. Now I need to design security rules in a SIEM for Check Point SmartDefense (IPS). In order to do so, I need to know why some SmartDefense logs do not have a type of action, such as accept, in them. Based on action, I'd like to catch events to create an alert in the SIEM.
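A small parser for alert records in the "key: value;" layout quoted in the "Failed to parse CP site response" post above, which also covers the "null action" records asked about here. This is an added example, not Check Point's code or anything posted in the thread: the first two sample records mirror the two lines quoted above, the third (an Action-less SmartDefense record) is constructed, and the field names, the "accessing:<site>" pattern and the fail-open heuristic are assumptions taken from those quoted lines.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample records. Records 1 and 2 mirror the two
# "Failed to parse CP Site Response" lines quoted in the thread; record 3 is a
# constructed IPS (SmartDefense) record that carries no Action field at all,
# which is the "null action" case a SIEM rule keyed on Action must tolerate.
SAMPLE_LINES: List[str] = [
    "HeaderDateHour:  4Feb2020 10:49:56; ContentVersion: 5; HighLevelLogKey: N/A; "
    "Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 36; Action: ctl; Origin: fwl-0002; IfDir: >; "
    "InterfaceName: daemon; Alert: mail; OriginSicName: N/A; "
    "description: Error occur while accessing:goo.gl/forms/gn0vx7tcxe; "
    "reason: Failed to parse CP Site Response., check "
    "/opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_8520_258746 For more details; "
    "severity: 3; ProductName: Anti Malware; ProductFamily: Network;",
    "HeaderDateHour:  1Feb2020  9:43:46; ContentVersion: 5; HighLevelLogKey: N/A; "
    "Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 37; Action: ctl; Origin: fwl-0002; IfDir: >; "
    "InterfaceName: daemon; Alert: mail; OriginSicName: N/A; "
    "description: Error occur while accessing:cdn.videogram.com; "
    "reason: Failed to parse CP Site Response., check "
    "/opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_8520_206678 For more details; "
    "severity: 3; ProductName: URL Filtering; ProductFamily: Network;",
    # Constructed: an IPS-style record with no Action field (the "null action" case).
    "HeaderDateHour:  5Feb2020 11:02:13; ContentVersion: 5; SequenceNum: 38; Origin: fwl-0002; "
    "Alert: mail; ProductName: SmartDefense; ProductFamily: Network; "
    "attack: constructed-example-signature; severity: 2;",
]


def parse_alert(line: str) -> Dict[str, str]:
    """Split one alert line into a field dict. Fields are ';'-separated and each
    is 'key: value'; only the first ':' splits, so timestamps and the
    'accessing:<site>' text inside values survive intact."""
    fields: Dict[str, str] = {}
    for chunk in line.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        key, sep, value = chunk.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def action_of(fields: Dict[str, str]) -> Optional[str]:
    """Return the Action value, or None when the record has no usable Action
    (absent, empty or N/A). A rule matching only Action == 'accept' would
    silently skip such records, so the caller counts them separately."""
    value = fields.get("Action", "").strip()
    return value if value and value.upper() != "N/A" else None


def is_fail_open(fields: Dict[str, str]) -> bool:
    """True for the RAD error the first post worries about: the site lookup
    failed, so the request may have been passed through uninspected."""
    return "Failed to parse CP Site Response" in fields.get("reason", "")


def site_of(fields: Dict[str, str]) -> Optional[str]:
    """Pull the host/URL out of 'Error occur while accessing:<site>'."""
    match = re.search(r"accessing:\s*(\S+)", fields.get("description", ""))
    return match.group(1) if match else None


def summarize(lines: List[str]) -> Dict[str, object]:
    """Aggregate a batch of alert lines the way a SIEM correlation rule would:
    fail-open errors per blade and per site, plus a count of records that
    carry no Action so they can be routed to a rule of their own."""
    by_blade: Counter = Counter()
    by_site: Counter = Counter()
    without_action = 0
    for line in lines:
        fields = parse_alert(line)
        if action_of(fields) is None:
            without_action += 1
        if is_fail_open(fields):
            by_blade[fields.get("ProductName", "unknown")] += 1
            by_site[site_of(fields) or "unknown"] += 1
    return {
        "fail_open_by_blade": dict(by_blade),
        "fail_open_by_site": dict(by_site),
        "records_without_action": without_action,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Feeding the mail-alert bodies into summarize() gives a per-blade and per-site count of the fail-open errors (useful for deciding whether one site or one blade dominates the flood) and a separate count of records without an Action, which is the set a SIEM rule keyed on Action would otherwise drop on the floor.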

R80.20 IPS Signature For OWASP

Dear Experts, I am looking for an IPS signature for OWASP. Can you please help me find the IPS signature for OWASP?
Regards,
Rahul Borah
bcwest
bcwest inside IPS, Anti-Virus, Anti-Bot, Anti-Spam 2 weeks ago
views 216 4

fwaccel dos config - Persist through reboot?

Hey guys, I am working to enable Penalty Box on my perimeter gateways, and I'm having trouble finding information on how to make the fwaccel dos config commands persist through a reboot. I have followed sk112454 to modify $FWDIR/bin/fwaccel_dos_rate_install with the commands listed below, rebooted the gateway, and if I run a 'fwaccel dos config get', it still shows everything as disabled.

#!/bin/bash
$FWDIR/bin/fwaccel dos config set --enable-pbox
$FWDIR/bin/fwaccel dos whitelist -B
$FWDIR/bin/fwaccel dos pbox whitelist -B
$FWDIR/bin/fwaccel dos config set --disable-internal
$FWDIR/bin/fwaccel dos config set --enable-log-pbox
$FWDIR/bin/fw samp get -l -k req_type -t in -v quota | $FWDIR/bin/fwaccel dos rate install
if [[ -e $FWDIR/bin/fwaccel6 ]]; then
  $FWDIR/bin/fwaccel6 dos whitelist -B
  $FWDIR/bin/fwaccel6 dos pbox whitelist -B
  $FWDIR/bin/fw samp get -l -k req_type -t in -v quota | $FWDIR/bin/fwaccel6 dos rate install
fi

Thanks!
Omer_Shliva
inside IPS, Anti-Virus, Anti-Bot, Anti-Spam 2 weeks ago
views 11079 18 26
Employee+

IPS Analyzer Tool - How to analyze IPS performance efficiently

(1) Introduction
The IPS Analyzer Tool collects information about the IPS Protections usage. The IPS statistics information indicates which patterns out of all IPS protections were called into action (but not necessarily matched) and how many times. The Analyzer tool processes the statistic outputs and produces a clear HTML report based on that output. The report indicates which IPS protections are causing critical, high or medium load on CPU and provides information regarding the load on the Security Gateway per traffic type. The IPS Analyzer Tool is supported on R77 and above.

(2) Procedure
1. Collect the relevant IPS statistics per sk43733 - How to measure CPU time consumed by IPS protections - section "(1) IPS statistics" - sub-section "Show / Hide the procedure for versions R77 and above".
2. Compress the IPS statistics output folder on the Security Gateway:
   [Expert@HostName:0]# cd /path_to_IPS_statistics_output_folder/
   [Expert@HostName:0]# tar cvf IPS_Statistics.tar <HH-MM-SS__MM-DD-YYYY>
3. Transfer the compressed IPS statistics output folder (IPS_Statistics.tar) from the Security Gateway to your computer and unpack it.
4. Run the IPS Analyzer Tool on the unpacked IPS statistics output folder. Open a Windows Command Prompt and run:
   C:\> Analyzer.exe OFFLINE "DISK:\path_to_unpacked_statistics_output_folder"
5. Review the output files:
   AnalyzerReport.html - Main report file, located in DISK:\path_to_uncompressed_statistics_output_folder\AnalyzerReport.html (use Chrome or Firefox browser)
   analyzer.log - Log file

*NOTE* The tool only displays protection information relevant to the IPS Software Blade. Details from other Software Blades may appear with the following protection name:
"Threat Prevention Protection – ID NUM"
If a significant portion of these entries is found, then the IPS Software Blade is not the only one impacting the gateway performance and the impact of other Software Blades should be considered.

(3) IPS Analyzer Tool Survey
We would like to receive your feedback in a short, up to 2 minutes survey. Your feedback will help us to improve the tool and the services we provide you. Click here to take the survey.
For any question please contact: omersh@checkpoint.com

Block Port base attack in IPS

Dear Expert, need your help. We are going to conduct a cyber drill activity in my infra, so I want to detect all the port-based attacks through IPS. Kindly advise me on the details of CVEs for the below-mentioned port attacks. Ports are mentioned below.

Port      Purpose
-----------------------------
20        FTP data transfer
21        FTP control (command)
22        SSH
23        Telnet
25, 26    SMTP
53        DNS
80        HTTP
81        HTTP
110       POP3
143       IMAP
443       HTTPS
3389      RDP
3306      MySQL
989       FTPS data transfer
990       FTPS control (command)
8021      TCP/UDP
1978      TCP/UDP