This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Daniel_Kavan
Advisor
‎2020-02-27 08:02 AM
Jump to solution

smart event alerting of IPS prevent

I've been asked to set up an alert on traffic (even a single incident) that is prevented from an internal IP -> DMZ.  This seems easy, but is not possible with Smart Event.  It's rare that this traffic would be correlated, the PREVENT just shows up as a single log - type NOT correlated.  THUS, the alert doesn't fire.  Does anyone know if there is a way?  

Creating Event Definitions (User Defined Events) - page 56 of the R77 smart event guide (I'm on R80.30, but this has the best documentation on user defined events.  To create a user-defined event you must have knowledge of the method by which SmartEvent identifies events. This section starts with a high level overview of how logs are analyzed to conclude if an event occurs or occurred.

When you create a user defined event, there is a COUNT LOGS tab and inside a radio button 'single log', this NEEDs to be updated to say single correlated log for accuracy.

1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2020-03-02 07:34 AM
In response to Daniel_Kavan
Jump to solution

Right click on the rule headings and you can add source and destination columns.

62FE9C5A-F49D-4399-9300-2596A397E79A.jpeg

View solution in original post

11 Replies
PhoneBoy
Admin
Admin
‎2020-02-29 06:34 PM
Jump to solution

You're correct in that SmartEvent only works on correlated logs.
However, what you're asking can be done outside of SmartEvent.

You can create an explicit rule for this server in your Threat Prevention policy and set the Track option to Mail and/or one of the User Alert options.
This will generate an email or run whatever script you specify on each log entry that is generated.
To configure Mail and/or User Alert options, refer to sk25941.

Screen Shot 2020-02-29 at 6.28.58 PM.png

_Val_
Admin
Admin
‎2020-03-01 10:08 AM
Jump to solution

There is a better solution for your case. Create a custom rule for Threat Prevention policy layer, put there IPs and zones you need as source and destination. Set tracking for custom alert, et voila…

Daniel_Kavan
Advisor
‎2020-03-02 07:27 AM
Jump to solution

Thanks for these responses!

However, the 'protected scope' doesn't seem to be specific enough. 

I have a very specific case - I want alert on if it's from this IP address, x.x.x.1 AND to this destination network y.y.y.0/24.

The protected scope is more of an 'either OR' not an 'AND'.   IOW protected scope is if it's in/out to x.x.x.1 OR in/out to y.y.y.0/24.

Maybe, the best we can do is a twice daily report on TP associated with  x.x.x.1.

 

 

 

 

PhoneBoy
Admin
Admin
‎2020-03-02 07:34 AM
In response to Daniel_Kavan
Jump to solution

Right click on the rule headings and you can add source and destination columns.

62FE9C5A-F49D-4399-9300-2596A397E79A.jpeg

Daniel_Kavan
Advisor
‎2020-03-02 08:21 AM
In response to PhoneBoy
Jump to solution

Thanks!

This will work, it looks like the limitation is you are limited to 3 custom alerts.  Alert no. 1, 2, & 3.

0 Kudos
PhoneBoy
Admin
Admin
‎2020-03-02 08:23 AM
In response to Daniel_Kavan
Jump to solution

One called script can potentially do multiple things based on the input it receives.
0 Kudos
Daniel_Kavan
Advisor
‎2020-03-02 10:32 AM
In response to PhoneBoy
Jump to solution

Is there a list somewhere that shows the stream sent when you call an alert?  What input does it receive?  I can write a script to use the data the script receives when an alert is generated, but what does that input/stream list look like?

I know with an email alert, a nice attachment that looks like the full record of the Prevent or Drop is sent.

However, with a script what is sent to the alert/script as input.   Yes, once you have that list, I can see how you can use it in a script to parse it and do different things.

 

Origin: $Origin

Blade: $Blade

Action: $Action

Attack Name: $Attack_Name

Attack Information: $Attack_Info

Source: $Source

Destination: $Destination

Severity: $Severity

 

PhoneBoy
Admin
Admin
‎2020-03-03 01:09 PM
In response to Daniel_Kavan
Jump to solution

If you were to look at the log entry as it's shown with either fw log or CPLogFilePrint, it would look something like that.
What is sent depends on what information is in the log.
0 Kudos
Daniel_Kavan
Advisor
‎2020-03-06 06:52 AM
In response to PhoneBoy
Jump to solution

TAC found more here:   https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_LoggingAndMonitoring_AdminGu...

This show how to pull the EVENT into the script. 

0 Kudos
Daniel_Kavan
Advisor
‎2020-09-16 09:57 AM
In response to PhoneBoy
Jump to solution

Hi,

What scripting language/s can be used?  LLast time I tried python on Gaia & tried to wanted to add new modules/libraries, CP said I would invalidate the support if I added new libraries.  I think we talked about running a shell script that would call a python script on another server, but that would also involve passing the stream down to a different server.

Basically If attack_info = Zmap scan -> /dev/null, I want zmap secruity scans to be prevented but I don't want a case to fire off because of it.

0 Kudos
PhoneBoy
Admin
Admin
‎2020-09-16 06:27 PM
In response to Daniel_Kavan
Jump to solution

A bash script is where I would start as that doesn't require installing any other interpreters.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events