Obfuscated mail alerts
So, how am I supposed to read such obfuscated mail alerts?
HeaderDateHour: 9Sep2020 7:23:49; ContentVersion: 5; hll_key: 8473581293994328681; Uuid: {0x5f5858d5,0x0,0x98c0a8c0,0x2288}; SequenceNum: 3; Action: redirect; Origin: FW-EXT; IfDir: <; InterfaceName: eth1.352; Alert: mail; OriginSicName: CN=FW-EXT,O=CPSMS..kg4oq9; duration: 0:00:00; last_hit_time: 9Sep2020 7:23:49; update_count: 1; creation_time: 9Sep2020 7:23:49; connection_count: 1; aggregated_log_count: 1; file_count: 1; src: ******; dst: 205.185.216.42; proto: tcp; protocol: HTTP; sig_id: 0; service_id: http; UP_match_table: TABLE_START; ROW_START: 0; match_id: 16; layer_uuid: 9423cebf-45b3-4e4c-b1bb-2e7b7b3dc585; layer_name: EXTERNAL Network; rule_uid: 207e0d97-511c-4d74-865f-f1e736142245; rule_name: ******; ROW_END: 0; ROW_START: 1; match_id: 67108874; layer_uuid: d3d0f35b-398c-43cd-97b3-bf3cf9ab0e17; layer_name: WEB Control Layer; rule_uid: 22e7177c-c98e-4122-80ec-efb94f07ee36; rule_name: ******; ROW_END: 1; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 8; ROW_END: 0; ROW_START: 1; action: 50; ROW_END: 1; UP_action_table: TABLE_END; UP_parent_id_table: TABLE_START; ROW_START: 0; parent_rule: 0; ROW_END: 0; ROW_START: 1; parent_rule: 16; ROW_END: 1; UP_parent_id_table: TABLE_END; aggregated_data_type_table: TABLE_START; ROW_START: 0; data_type_name: Executable File; ROW_END: 0; aggregated_data_type_table: TABLE_END; aggregated_file_table: TABLE_START; ROW_START: 0; file_name: windows-kb890830-x64-v5.83_fede0eab17a3acf1aa945b14f37324ae6a8f6fc6.exe; file_type: Executable; ROW_END: 0; aggregated_file_table: TABLE_END; UP_alert_hll_table: TABLE_START; ROW_START: 0; alert: mail; ROW_END: 0; UP_alert_hll_table: TABLE_END; src_user_name: ******; src_machine_name: ******; user: ******; ProductName: Content Awareness; svc: http; ProductFamily: Network;
Those ****** are me replacing some private data.
Could you elaborate maybe? Scenario, tools in use, goals in hands?
This is a mail alert for a rule. I tried it for different types of rules and it is always coming like that. Not easy to read and understand. If not a well-formatted HTML message, I expect at least a CRLF after each ";" and possibly stripped-out unnecessary text such as TABLE_START, TABLE_END, etc. In the perfect case it shall be possible for the admin to modify the standard template to his/her own needs. This is probably a good format for a log record but not for a mail alert.
I am actually surprised to be the only one here bothered by this 😀
Hi Hristo,
You are not the only one 🙂 It would be great if it could be better formatted in order to read it easily, or a template that we can modify as you suggest. Doesn't look much better for a policy install:
HeaderDateHour: 8Sep2020 14:01:03; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 1; Action: ; Origin: ****; IfDir: <; IfName: N/A; Alert: mail; OriginSicName: N/A; System Alert message: A Firewall Policy has been successfully installed on *****; Object: *****; Event: Change; Parameter: policy_time; Condition: changes Tue Sep 8 10:51:44 2020; Current value: Tue Sep 8 14:00:17 2020; ProductName: System Monitor; ProductFamily: Network;
I understand this is a copy/paste from the email alert you get. Can you please also post a screenshot of how that email actually looks?
The email looks like this
Notice that if I had used the whole width of my screen it would be stretched into two lines.
Hi @_Val_ ,
an email screenshot can be found in this thread.
We have discussed this formatting issue here many times before:
- https://community.checkpoint.com/t5/General-Management-Topics/How-to-use-mail-alert-body-data-in-ext...
- https://community.checkpoint.com/t5/Logging-and-Reporting/Custom-Mail-alert/td-p/63719
- https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/Is-there-a-way-to-modify-Checkpoi...
- https://community.checkpoint.com/t5/Logging-and-Reporting/Human-readable-mails-from-SMS/td-p/23584
- https://community.checkpoint.com/t5/Logging-and-Reporting/SmartView-Monitor-Email-Message/td-p/6349
- ..
IPS mail alerts and SmartEvent mail alerts are readable out of the box, while standard mail alerts as triggered from within the rulebase are not, thus forcing end users to fall back to creating their own script and setting it as a custom alert.
Thanks, @Danny, it is clear. I have asked the relevant team to look into this. Please allow them some time to respond.
Also, @HristoGrigorov & @ED, could you please explain the whole story from the beginning? Please take a specific mail alert, show how it is configured and what are the results. This way it will be easier to pass it to developers to address.
Sure, but I need an e-mail address to avoid confidential info disclosure here.
vloukine@checkpoint.com
But I think I have enough info from Danny's response above already.
