Guys, I am seeing large number of hits from outside and my IPS is able to detect it as a default policy. We have not configured any IPS policy as of now.
Most of the hits are from scanners like OpenVAS and the ZmEu Vulnerability Scanner, automated SQL injection tools like SQL Map, and they even tried XSS with a custom script/payload.
What is the most effective way to block this kind of traffic?
Thanks in advance.
Hi,
So you are using the IPS Blade, with the default policy set to detect?
Then you should set it to "prevent", which you do in the IPS profile.
More information can be found here (depending on what version you are using):
or for older versions:
downloads.checkpoint.com/dc/download.htm?ID=24806
Be careful, just setting all to prevent might cause heavy load.
Daniel
Hey Daniel,
Appreciate the quick response. I have kept my IPS Blade in Prevent mode for High Severity Events.
What we see is that DNS servers do a lot of DNS queries for C&C sites (which come from clients), which is seen by Anti-Bot with confidence high and severity high or critical. However, the action is Detect with Action Details "bypass". When in Smart Event I select the event and select "Go to Threat Rule", it goes to our active Threat Prevention policy. In this policy we have one profile where everything above low confidence should be prevented.
I even see: "DNS response was replaced with a DNS trap bogus IP. See sk74060 for more information".
Where I struggle is finding the actual host behind our DNS. I even checked my DNS logs.
Hi Sachin,
If you check sk74060, the default DNS trap IP is 62.0.58.94, so you need to filter the logs with destination 62.0.58.94, and this should be prevented.
Gurav,
We have not yet configured the DNS bogus IP. If you have already configured it and know in practice what happens when we create it, please explain. I am trying to work on it.
Hi Sachin,
62.0.58.94 is the default IP for the DNS trap. Once you enable the DNS trap feature, it takes 62.0.58.94 as the default DNS trap IP. You can enable the DNS trap feature as shown below in the Anti-Bot and Anti-Virus profile:
More information is given in sk74060. However, let me know if you have any further queries.
Hi Sachin
Update your IPS database to the latest version, then check the IPS log and change all suspicious traffic that is in detect mode to prevent mode. You can follow the IPS admin guide: Check Point IPS R77 Versions Administration Guide.
This has been pending for a long time. We will do it as soon as possible.
Hi Sachin,
The most effective way to block this type of thing is through IPS. You need to put the gateway in the Recommended profile. Put the related signatures (there are already signatures for the ZmEu Vulnerability Scanner and automated SQL injection tools like SQL Map) in prevent mode.
Okay, I will have a look and do the necessary changes.
Hi,
Based on your description in both posts, you have two different issues. The first one is from the scanners, which you can block with your IPS as described above.
For the second (a large number of DNS requests from your internal network to C&C), you can configure the DNS trap with a Bogus IP. Additionally, you should block DNS requests from your internal devices to the internet and define only specific internal DNS servers.
Check Point is doing a great job on DNS and IP reputation and it's adding more to the Threat Prevention Blade.
The activation of the DNS trap with the Bogus IP is just for you to locate the actual device that is attempting to connect to the C&C sites. To clarify, let's look at what happens during a connection from your internal network.
a) A device from your network is attempting to access xyz.com.
b) Since the IP address is unknown to the device and it needs to resolve it, it requests a DNS resolution from its DNS server.
c) Since it is an unknown domain, the internal DNS server forwards the request to its DNS forwarder.
d) Check Point, through Threat Prevention, detects this DNS request and classifies it as malicious.
e) Your internal DNS server receives the Bogus IP from your Check Point as a reply instead of the real IP of the malicious domain.
f) Your internal DNS server sends this DNS record with the Bogus IP to your internal device.
g) Your internal device attempts to use this IP to connect to the C&C site.
Based on the above, you block access from your client to a malicious site (C&C) and then you know which device is "infected" and trying to access a malicious site before it even makes a connection.
With Smart Log you can search for the Bogus IP as destination and locate the device that is trying to connect.
With Smart Event you will have full visibility of what is happening to your network.
Thanks,
Charris Lappas
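The log search that Gurav and Charris describe (filter on the DNS trap IP as destination to find the client, while the trap replacement itself is logged against the internal DNS server), as an added example that is not from the thread or from Check Point. The log lines are constructed key=value records loosely modelled on exported gateway logs; the field names (src, dst, resource, action_details) are assumptions for illustration.

```python
# Added example (not from the thread): locate the real client behind a
# DNS trap hit. SAMPLE_LOGS below is constructed, not real data, and the
# field names are assumptions loosely modelled on exported gateway logs.
from collections import Counter
import re

# Default DNS trap bogus IP quoted in the thread (sk74060).
DNS_TRAP_IP = "62.0.58.94"

SAMPLE_LOGS = """\
time=10:01:02 src=10.0.0.53 dst=8.8.8.8 service=53 action=Detect blade=Anti-Bot resource=xyz.example action_details="DNS response was replaced with a DNS trap bogus IP"
time=10:01:03 src=10.0.1.25 dst=62.0.58.94 service=443 action=Prevent blade=Anti-Bot
time=10:01:04 src=10.0.1.25 dst=62.0.58.94 service=80 action=Prevent blade=Anti-Bot
time=10:02:10 src=10.0.2.77 dst=62.0.58.94 service=443 action=Prevent blade=Anti-Bot
time=10:02:11 src=10.0.1.40 dst=93.184.216.34 service=443 action=Accept blade=Firewall
"""

# key=value pairs; values may be double-quoted when they contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def trap_replacements(log_text):
    """(source, domain) pairs where the gateway swapped in the bogus IP.
    The source here is the internal DNS server (step e), not the client."""
    recs = (parse_line(l) for l in log_text.splitlines())
    return [(r["src"], r.get("resource", "?"))
            for r in recs if "DNS trap" in r.get("action_details", "")]


def infected_hosts(log_text, trap_ip=DNS_TRAP_IP):
    """{client_ip: attempts} for hosts that then tried to reach the trap IP.
    These are the devices to clean up (step g in the walkthrough above)."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("dst") == trap_ip:
            hits[rec["src"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for server, domain in trap_replacements(SAMPLE_LOGS):
        print(f"trap fired for {domain} (query forwarded by {server})")
    for host, n in sorted(infected_hosts(SAMPLE_LOGS).items()):
        print(f"{host}: {n} attempt(s) to reach {DNS_TRAP_IP}")
```

On a real export, feed the file contents to infected_hosts() and change the default trap IP if you configured a non-default one.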