cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question

Large hits from Vulnerability Scanners

Guys, I am seeing large number of hits from outside and my IPS is able to detect it as a default policy. We have not configured any IPS policy as of now. 

Most of the hits are like from a scanners like OpenVAS, ZmEu Vulnerability Scanner, Automated SQL Injection tools like SQL Map, and they even tried XSS with custom script/payload.

What is the most effective way to block this kind of traffic??

Thanks in advance. 

10 Replies
Nüüül
Copper

Re: Large hits from Vulnerability Scanners

Hi,

so you are using the IPS Blade? with default policy set to detect?

Then you should set it to "prevent" which you are doing in the IPS profile.

More informations can be found here: (depending what Version you are using)

Tutorial: Configuring IPS Settings with R80 Security Management Server | Advanced Threat Prevention ... 

or older verions:

downloads.checkpoint.com/dc/download.htm?ID=24806

Be careful, just setting all to prevent might cause heavy load.

Daniel

Re: Large hits from Vulnerability Scanners

Hey Daniel,

Appreciate the quick response. I have kept my IPS Blade in Prevent mode for High Severity Events. 

What we see is that DNS servers do a lot of DNS query for C&C sites (which comes from clients) which is seen by Anti-Bot with confidence high and severity high or critical. However the action is Detect with Action Details bypass. When in Smart Event I select the event and select Go to thread rule it goes to our Threat Prevention active Policy. In this policy we have one profile where everything above low confidence should be prevented.

Even I see - "DNS response was replaced with a DNS trap bogus IP. See sk74060 for more information".

Where I struggle to find the actual host behind our DNS. I even checked my DNS logs. 

0 Kudos

Re: Large hits from Vulnerability Scanners

Hi Sachin,

If you check sk74060, default dns trap IP is 62.0.58.94 so you need to filter the logs with destination as 62.0.58.94 and this should be prevented.

Re: Large hits from Vulnerability Scanners

Gurav, 

We have not yet configured the DNS bogus IP. If you have already configured and practically you know what happens when we create? please explain. I am trying to work on it. 

0 Kudos

Re: Large hits from Vulnerability Scanners

Hi Sachin,

62.0.58.94 is the default IP for DNS trap. Once you enable the DNS trap feature, it takes 62.0.58.94 as default DNS trap IP. You can enable DNS trap feature as below

in the Anti-Bot and Anti-Virus profile: 

  1. In SmartConsole, select Security Policies > Threat Prevention
  2. From the Threat Tools section, click Profiles.
  3. From the navigation tree, Activate DNS Trap.

More information is given in sk74060. However let me know if you have further query.

0 Kudos

Re: Large hits from Vulnerability Scanners

Hi Sachin

Update your IPS database to Latest version and then check IPS log and Change all suspicious  traffic that is in detect mode to prevent mode.you can follow IPS Admin guide Check Point IPS R77 Versions Administration Guide 

Re: Large hits from Vulnerability Scanners

This was pending since long time. We will do it as soon as possible. 

0 Kudos

Re: Large hits from Vulnerability Scanners

Hi Sachin,

Most effective way to block these type of thing is through IPS. You need to put gateway in Recommended profile. Put related signatures (There are already signatures for ZmEu Vulnerability Scanner, Automated SQL Injection tools like SQL Map) in prevent mode.

Re: Large hits from Vulnerability Scanners

Okay, I will have a look and do the necessary changes. 

0 Kudos

Re: Large hits from Vulnerability Scanners

Hi, 

Based on your description on both posts you have two different issues. The first one from the scanners that you can block from your IPS as described above.

For the second (large number of dns requests from your internal network to C&C) you can configure the DNS trap with Bogus IP. Additionally you should block DNS requests from your internal devices to the internet and you should define only specific Internal DNS servers.

Checkpoint is doing a great job on DNS and IP reputation and it's adding more to the Threat Prevention Blade.

 

The activation of DNS trap with the Bogus IP is just for you to locate the actual device that is attempting to connect to the C&C sites. To clarify let's looks at what is happening during a connection from your internal network.

a) A device from your network is attempting to access the xyz.com.

b) Since the IP address is unknown to the device and needs to resolve it, it requests a DNS resolution to it's DNS server. 

c) The Internal DNS server since it is unknown domain it forwards the request to it's DNs forwarder. 

d) CheckPoint through Threat Prevention detects this DNS request and classifies it as malicious.

e) Your Internal DNS request receives the Bogus IP from your Checkpoint as a reply instead of the real IP of the malicious domain. 

f) You Internal DNS server sends this DNS record with the Bogus IP to your internal device.

g) Your internal device attempts to use this IP to connect to the C&C site.

Based on the above, you block access from your client to a malicious site (C&C) and then you know which device is "Infected" and trying to access a malicious site before it event makes a connection.

With Smart Log you can search as destination the Bogus IP and locate the device that is trying to connect.

With Smart Event you will have full visibility of what is happening to your network.

Thanks,

Charris Lappas