ClonyShen
Participant

IPS log show prevent, but have no attack name

 

My Management is R80.30 take 226, and the gateway is R80.10 take 272.

Today, the log shows Prevent by IPS, but it does not have an attack name or any reason.

There's something wrong with Management, or something...?

Has anyone encountered it before?

(attached screenshots: 001.png, 002.png, 003.png)

0 Kudos
5 Replies
the_rock
Legend

Can you please show us the whole log, because I have a feeling there's more info if you scroll all the way to the bottom... Also, what does that rule look like that's referenced in the description?

0 Kudos
ClonyShen
Participant

As below

Did not find any attack name or any reason.

(attached screenshots: 004.png, 005.png)

0 Kudos
the_rock
Legend

PhoneBoy is right, a TAC case might be a good idea here... Plus, the ODD thing I find is why this shows 2 internal IP addresses: 10.233.x.x and 10.234.x.x. Personally, to me at least, that is very strange.

0 Kudos
PhoneBoy
Admin

The funny thing about this log entry is that zero bytes were sent or received.
This might be worth a TAC case. 

Timothy_Hall
Legend

If this was an R80.20+ gateway, I'd surmise that the gateway updated itself with a new IPS signature but the management server didn't have that same IPS update, and therefore the SMS didn't know what to label the protection as in the log.  Might not hurt to manually update your IPS signatures on the SMS.

The zero bytes sent and received may just indicate that the three-way TCP handshake never completed, as I believe those byte counters only consider data/payload bytes that appear once the handshake is complete.  Is there MySQL actually listening on port 3306 at the destination IP shown in the log?

If I had to take a wild guess, I'd say it is probably the "MySQL General Settings" IPS signature since it has a "See Details..." configuration hyperlink similarly to the oddball "Core Protections" even though it is not explicitly labeled as such.  The Core Protections are definitely different to work with and I covered them extensively in my IPS Immersion video course.

On the outside chance this is some kind of log indexer issue, try to locate this log entry using the old-school SmartView Tracker application (CPlgv.exe).  Can you see the protection name there?

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
