This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Keld_Norman
Contributor
‎2020-01-06 06:39 AM

Searching logs returns no results when using *

Up front: 

I read that "The Description field is not currently indexed" - that might be the answer to my question - but I still do not have a working workaround..

My question: 

I know I have hits on my 80.30 firewall ( Appliance model 5200 running R80.30 take 200 Last updated on: Mon Jan 6 14:01 2020) from the europol DNS scanner from "*.shadowserver.org" but when I search for it by name and as source (with the src:* before the domain name) I get 0 hits.

Img1Img1

 To see if the (.) dot was needed I added it after the star so it said "src:*." and searched again but still no hits..

Img5Img5 

If I alter the search to not include the star (*) and dot (.) and just search for the domaine i get 2 hits.. (indicating that it had never been the source but have been the destination at some time) <-- that is also correct but i am missing all the log lines where it was the source...

Img2Img2

 

Finally - If I instead search for the IP address that the server had at the given point in time it was logged I get MANY hits and can see in the description and source column that the name "shadowserver.org" is logged with the FQDN of scan-09h.shadowserver.org - that is odd (why was it then not found in the prior 2 searches i made ?) 

Img3Img3

 Searching for the full name (not using *.) does give me the hits - but I would really like to get the info of all the hosts with the domaine .shadowserver.org that have hit my firewall 

Img4Img4

 

Now.. 

Can any one here tell me if I need to use another search terminology/syntax or if the 80.30 search function in logs is broken ? 

Best regards 

Keld Norman 

kno@dubex.dk

 

 

 

0 Kudos
4 Replies
Maarten_Sjouw
Champion
Champion
‎2020-01-06 06:41 AM

Have you tried shadowserver.org without anything in front?
Regards, Maarten
0 Kudos
Keld_Norman
Contributor
‎2020-01-06 06:48 AM
In response to Maarten_Sjouw

yes - see img2 (the order of the images i posted are messed up) - but.. i did - two hits but no hits where the shadowserver.org was the source.. 😕 
0 Kudos
Maarten_Sjouw
Champion
Champion
‎2020-01-06 06:55 AM
In response to Keld_Norman

Sorry did not see that one. Problem with the search is that it can be anything from the start, but not from a dot or any other demarcation point in the name or IP.
You can search for scan-09 and most certainly it will find your server.
Regards, Maarten
0 Kudos
Keld_Norman
Contributor
‎2020-01-06 06:58 AM
In response to Maarten_Sjouw

Got it - Unfortunately I need the facts the other way around so I can see all the hosts that have been scanning my IP from the domain (*.shadowserver.org) but thanks for the explanation anyway. 🙂
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events