I've been asked to set up an alert on traffic (even a single incident) that is prevented from an internal IP -> DMZ. This seems easy, but is not possible with SmartEvent. It's rare that this traffic would be correlated; the PREVENT just shows up as a single log, type NOT correlated. THUS, the alert doesn't fire. Does anyone know if there is a way?
Creating Event Definitions (User Defined Events) - page 56 of the R77 SmartEvent guide (I'm on R80.30, but this has the best documentation on user defined events). To create a user-defined event you must have knowledge of the method by which SmartEvent identifies events. This section starts with a high level overview of how logs are analyzed to conclude if an event occurs or occurred.
When you create a user defined event, there is a COUNT LOGS tab and inside it a radio button 'single log'. This NEEDS to be updated to say 'single correlated log' for accuracy.
Right click on the rule headings and you can add source and destination columns.
You're correct in that SmartEvent only works on correlated logs.
However, what you're asking can be done outside of SmartEvent.
You can create an explicit rule for this server in your Threat Prevention policy and set the Track option to Mail and/or one of the User Alert options.
This will generate an email or run whatever script you specify on each log entry that is generated.
To configure Mail and/or User Alert options, refer to sk25941.
There is a better solution for your case. Create a custom rule in the Threat Prevention policy layer and put the IPs and zones you need there as source and destination. Set tracking to a custom alert, et voila…
Thanks for these responses!
However, the 'protected scope' doesn't seem to be specific enough.
I have a very specific case - I want alert on if it's from this IP address, x.x.x.1 AND to this destination network y.y.y.0/24.
The protected scope is more of an 'either OR' not an 'AND'. IOW protected scope is if it's in/out to x.x.x.1 OR in/out to y.y.y.0/24.
Maybe the best we can do is a twice daily report on TP associated with x.x.x.1.
Thanks!
This will work; it looks like the limitation is that you are limited to 3 custom alerts: Alert no. 1, 2, & 3.
Is there a list somewhere that shows the stream sent when you call an alert? What input does it receive? I can write a script to use the data the script receives when an alert is generated, but what does that input/stream look like?
I know with an email alert, a nice attachment that looks like the full record of the Prevent or Drop is sent.
However, with a script, what is sent to the alert/script as input? Once you have that list, I can see how you can use it in a script to parse it and do different things.
Origin: $Origin
Blade: $Blade
Action: $Action
Attack Name: $Attack_Name
Attack Information: $Attack_Info
Source: $Source
Destination: $Destination
Severity: $Severity
TAC found more here: https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_LoggingAndMonitoring_AdminGu...
This shows how to pull the EVENT into the script.
Hi,
What scripting language/s can be used? Last time I tried python on Gaia and tried to add new modules/libraries, CP said I would invalidate the support if I added new libraries. I think we talked about running a shell script that would call a python script on another server, but that would also involve passing the stream down to a different server.
Basically, if attack_info = Zmap scan -> /dev/null. I want Zmap security scans to be prevented, but I don't want a case to fire off because of it.
A bash script is where I would start as that doesn't require installing any other interpreters.
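An added worked example of the bash approach suggested above; it is not code from this thread or from Check Point. It implements the two things asked for earlier in the thread: the AND condition (one source host AND one destination network, Prevent only) that the Threat Prevention "protected scope" cannot express, and the "if the attack is a Zmap scan, send it to /dev/null" filter. The IPs, the stdin delivery, and the "Key: Value;" record layout with the field names from the template above ($Source, $Destination, $Action, $Attack_Name, $Attack_Info) are assumptions for illustration; confirm the exact input your release hands to a User Defined Alert script against sk25941 and the Logging and Monitoring guide before relying on the parser.

```shell
#!/bin/sh
# Added example (not from the thread or Check Point): a User Defined Alert
# handler. ASSUMPTION: each log record arrives on standard input as one line
# of "Key: Value;" pairs using the template field names shown in the thread.

WATCH_SRC="10.1.1.1"           # stands in for the x.x.x.1 host (constructed)
WATCH_DST_NET="172.16.5.0/24"  # stands in for the y.y.y.0/24 network (constructed)
IGNORE_PATTERN="zmap"          # events whose attack name/info match this are dropped

# log_field RECORD KEY -> prints the value of KEY.
# A leading "; " is prepended so "Source:" can only match as a whole key.
log_field() {
    printf '; %s\n' "$1" | sed -n "s/.*; $2: \([^;]*\);.*/\1/p"
}

# ip_to_int A.B.C.D -> unsigned 32-bit integer, for prefix comparison.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS -> exit 0 when IP lies inside NET/BITS (any prefix length,
# so this generalises beyond the /24 in the thread).
in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# should_alert RECORD -> exit 0 only for Prevent, from WATCH_SRC, to WATCH_DST_NET,
# and not a scanner event matching IGNORE_PATTERN.
should_alert() {
    action=$(log_field "$1" "Action")
    src=$(log_field "$1" "Source")
    dst=$(log_field "$1" "Destination")
    attack="$(log_field "$1" "Attack Name") $(log_field "$1" "Attack Information")"

    [ "$action" = "Prevent" ] || return 1
    [ "$src" = "$WATCH_SRC" ] || return 1
    in_cidr "$dst" "$WATCH_DST_NET" || return 1
    printf '%s' "$attack" | grep -qi "$IGNORE_PATTERN" && return 1   # Zmap -> /dev/null
    return 0
}

# handle_stream: read records from stdin, emit one ALERT line per qualifying
# event (point this at whatever opens your cases), silently drop the rest.
handle_stream() {
    while IFS= read -r record; do
        if should_alert "$record"; then
            printf 'ALERT %s -> %s (%s)\n' \
                "$(log_field "$record" Source)" \
                "$(log_field "$record" Destination)" \
                "$(log_field "$record" 'Attack Name')"
        fi
    done
}

# Constructed sample records in the assumed "Key: Value;" form.
REC_HIT='Origin: gw1; Blade: IPS; Action: Prevent; Attack Name: Web Server Enforcement Violation; Attack Information: Malformed HTTP header; Source: 10.1.1.1; Destination: 172.16.5.20; Severity: High;'
REC_ZMAP='Origin: gw1; Blade: IPS; Action: Prevent; Attack Name: Zmap Scan; Attack Information: Scanner probe; Source: 10.1.1.1; Destination: 172.16.5.21; Severity: Low;'
REC_OTHER_SRC='Origin: gw1; Blade: IPS; Action: Prevent; Attack Name: Web Server Enforcement Violation; Attack Information: Malformed HTTP header; Source: 10.1.1.2; Destination: 172.16.5.20; Severity: High;'
REC_DETECT='Origin: gw1; Blade: IPS; Action: Detect; Attack Name: Web Server Enforcement Violation; Attack Information: Malformed HTTP header; Source: 10.1.1.1; Destination: 172.16.5.20; Severity: High;'

# Run with --stdin when wired up as the alert command; with no argument it
# replays the samples, which should print exactly one ALERT line (REC_HIT).
if [ "${1:-}" = "--stdin" ]; then
    handle_stream
else
    printf '%s\n' "$REC_HIT" "$REC_ZMAP" "$REC_OTHER_SRC" "$REC_DETECT" | handle_stream
fi
```

Because the filtering happens in the script rather than in the rule, a single one of the three custom alert slots can serve several source/destination pairs: extend should_alert with more pairs instead of spending another slot per pair.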