Daniel_Kavan
Advisor

smart event alerting of IPS prevent

I've been asked to set up an alert on traffic (even a single incident) that is prevented from an internal IP -> DMZ.  This seems easy, but is not possible with Smart Event.  It's rare that this traffic would be correlated, the PREVENT just shows up as a single log - type NOT correlated.  THUS, the alert doesn't fire.  Does anyone know if there is a way?  

Creating Event Definitions (User Defined Events) - page 56 of the R77 SmartEvent guide (I'm on R80.30, but this has the best documentation on user defined events). To create a user-defined event you must have knowledge of the method by which SmartEvent identifies events. This section starts with a high level overview of how logs are analyzed to conclude if an event occurs or occurred.

When you create a user defined event, there is a COUNT LOGS tab and inside a radio button 'single log'; this NEEDS to be updated to say 'single correlated log' for accuracy.


11 Replies
PhoneBoy
Admin
Admin

You're correct in that SmartEvent only works on correlated logs.
However, what you're asking can be done outside of SmartEvent.

You can create an explicit rule for this server in your Threat Prevention policy and set the Track option to Mail and/or one of the User Alert options.
This will generate an email or run whatever script you specify on each log entry that is generated.
To configure Mail and/or User Alert options, refer to sk25941.


_Val_
Admin
Admin

There is a better solution for your case. Create a custom rule for Threat Prevention policy layer, put there IPs and zones you need as source and destination. Set tracking for custom alert, et voila…

Daniel_Kavan
Advisor

Thanks for these responses!

However, the 'protected scope' doesn't seem to be specific enough. 

I have a very specific case - I want to alert if it's from this IP address, x.x.x.1, AND to this destination network y.y.y.0/24.

The protected scope is more of an 'either OR' not an 'AND'.   IOW protected scope is if it's in/out to x.x.x.1 OR in/out to y.y.y.0/24.

Maybe the best we can do is a twice daily report on TP associated with x.x.x.1.

PhoneBoy
Admin
Admin

Right click on the rule headings and you can add source and destination columns.


Daniel_Kavan
Advisor

Thanks!

This will work; it looks like the limitation is that you are limited to 3 custom alerts: Alert no. 1, 2, & 3.

0 Kudos
PhoneBoy
Admin
Admin
One called script can potentially do multiple things based on the input it receives.
0 Kudos
Daniel_Kavan
Advisor

Is there a list somewhere that shows the stream sent when you call an alert?  What input does it receive?  I can write a script to use the data the script receives when an alert is generated, but what does that input/stream list look like?

I know with an email alert, a nice attachment that looks like the full record of the Prevent or Drop is sent.

However, with a script, what is sent to the alert/script as input? Yes, once you have that list, I can see how you can use it in a script to parse it and do different things.

Origin: $Origin
Blade: $Blade
Action: $Action
Attack Name: $Attack_Name
Attack Information: $Attack_Info
Source: $Source
Destination: $Destination
Severity: $Severity

PhoneBoy
Admin
Admin
If you were to look at the log entry as it's shown with either fw log or CPLogFilePrint, it would look something like that.
What is sent depends on what information is in the log.
0 Kudos
Daniel_Kavan
Advisor

TAC found more here: https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_LoggingAndMonitoring_AdminGu...

This shows how to pull the EVENT into the script.

0 Kudos
Daniel_Kavan
Advisor

Hi,

What scripting language/s can be used? Last time I tried python on Gaia & wanted to add new modules/libraries, CP said I would invalidate the support if I added new libraries. I think we talked about running a shell script that would call a python script on another server, but that would also involve passing the stream down to a different server.

Basically, if attack_info = Zmap scan -> /dev/null: I want zmap security scans to be prevented, but I don't want a case to fire off because of it.

0 Kudos
PhoneBoy
Admin
Admin

A bash script is where I would start as that doesn't require installing any other interpreters.

0 Kudos
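The "one script that does multiple things based on its input" idea from this thread, as an added example that is not from the thread or from Check Point: a bash User Alert script that parses the `Field: $Value` record quoted above, requires source AND destination to match (the AND that Protected Scope cannot express), and silently discards the Zmap scan case. The record layout, the addresses (standing in for x.x.x.1 and y.y.y.0/24) and the scanner string are assumptions.

```bash
#!/bin/bash
# Added example, not Check Point code: one User Alert script that inspects the
# record it receives on stdin and acts on it. Assumes the "Field: $Value" layout
# quoted in the thread; host, network and scanner string below are placeholders.
WATCH_SRC="10.0.0.1"          # internal host (the question's x.x.x.1)
WATCH_DST_PREFIX="192.0.2."   # DMZ /24 (y.y.y.0/24); a prefix match is enough
IGNORE_ATTACK="Zmap scan"     # prevented, but must not open a case

# get_field NAME RECORD: value of the first "NAME: value" line in RECORD
get_field() {
    printf '%s\n' "$2" | sed -n "s/^$1: *//p" | head -n 1
}

# classify RECORD: prints CASE, IGNORE or NOMATCH. Unlike Protected Scope this
# is an AND: source must be the watched host AND destination in the DMZ net.
classify() {
    local rec="$1" action src dst attack
    action=$(get_field "Action" "$rec")
    src=$(get_field "Source" "$rec")
    dst=$(get_field "Destination" "$rec")
    attack=$(get_field "Attack Information" "$rec")
    if [ "$action" != "Prevent" ] || [ "$src" != "$WATCH_SRC" ]; then
        echo NOMATCH; return 0
    fi
    case "$dst" in
        "$WATCH_DST_PREFIX"*) ;;
        *) echo NOMATCH; return 0 ;;
    esac
    case "$attack" in
        *"$IGNORE_ATTACK"*) echo IGNORE ;;   # the "-> /dev/null" case
        *) echo CASE ;;
    esac
}

# handle_alert: read the record from stdin; the printf is where sendmail, logger or a ticketing call would go.
handle_alert() {
    local rec verdict
    rec=$(cat)
    verdict=$(classify "$rec")
    [ "$verdict" = "CASE" ] && printf 'OPEN CASE: %s -> %s (%s)\n' \
        "$(get_field Source "$rec")" "$(get_field Destination "$rec")" \
        "$(get_field 'Attack Information' "$rec")"
    return 0
}

# Constructed sample record (not a real log) used by: ./this_script.sh --demo
sample_record() {
    printf 'Origin: gw-dmz\nBlade: IPS\nAction: Prevent\nAttack Name: Web Attack\n'
    printf 'Attack Information: Directory Traversal\nSource: 10.0.0.1\nDestination: 192.0.2.10\nSeverity: High\n'
}
if [ "${1:-}" = "--demo" ]; then sample_record | handle_alert; fi
```

On the gateway the script is invoked by the User Alert track with the record on stdin, so only the printf line needs replacing with your real notification sink.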
