This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ClonyShen
Participant
‎2021-05-23 05:59 AM

IPS log show prevent, but have no attack name

 

My Management is R80.30 take 226, and gateway is R80.10 take 272. 

today, the log show prevent by IPS. but do not have attact name or any reason.

There’s something wrong with Management , or something...?

Has anyone encountered it before?

001.png

 

002.png003.png

Preview file
46 KB
Preview file
326 KB
Preview file
635 KB
0 Kudos
5 Replies
the_rock
MVP Platinum
MVP Platinum
‎2021-05-23 11:31 AM

Can you please show us the whole log, because I have a feeling theres more info if you scroll all the way to the bottom...also, what does that rule look like thats referenced in the description?

Best,
Andy
0 Kudos
ClonyShen
Participant
‎2021-05-23 08:32 PM
In response to the_rock

As below

did not find any attack name or any reason.. 

004.png005.png

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2021-05-24 07:31 AM
In response to ClonyShen

Phoneboy is right, TAC case might be good idea here...plus. ODD thing I find is why this shows 2 internal IP addresses? 10.233.x.x and 10.234.x.x. Personally, to me at least, that is very strange.

Best,
Andy
0 Kudos
PhoneBoy
Admin
Admin
‎2021-05-23 08:57 PM

The funny thing about this log entry is that zero bytes were sent or received.
This might be worth a TAC case. 

Timothy_Hall
MVP Gold
MVP Gold
‎2021-05-24 09:54 AM

If this was an R80.20+ gateway, I'd surmise that the gateway updated itself with a new IPS signature but the management server didn't have that same IPS update, and therefore the SMS didn't know what to label the protection as in the log.  Might not hurt to manually update your IPS signatures on the SMS.

The zero bytes sent and received may just indicate that the three-way TCP handshake never completed, as I believe those byte counters only consider data/payload bytes that appear once the handshake is complete.  Is there MySQL actually listening on port 3306 at the destination IP shown in the log?

If I had to take a wild guess, I'd say it is probably the "MySQL General Settings" IPS signature since it has a "See Details..." configuration hyperlink similarly to the oddball "Core Protections" even though it is not explicitly labeled as such.  The Core Protections are definitely different to work with and I covered them extensively in my IPS Immersion video course.

On the outside chance this is some kind of log indexer issue, try to locate this log entry using the old-school SmartView Tracker application (CPlgv.exe).  Can you see the protection name there?

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events