gilyazovamir
Explorer

uuid instead of ip in the mail alert

Hello, everyone.

A client has come to me with a problem:
When a Zmap scan email notification is received, the email displays a UUID instead of the source IP. In the SmartConsole logs, the IP address is displayed correctly. For other alerts, full information including the IP is also displayed. The mail notification is configured via internal_sendmail.
I would like to clarify why this is happening and whether it is possible to change this.

I am also unable to reproduce this problem in the test lab. When scanning with Zmap, IPS detects Port Scan (Host Port Scan or Sweep Scan depending on scan settings) and does not catch Zmap. What could this be related to?

5 Replies
PhoneBoy
Admin

It's possible the UUID actually corresponds to an object with the same ID.
You can check that with mgmt_cli -r true show host uid xxxx
Unfortunately, I don't believe this is something you can change...confirm with TAC.

Also, this statement seems contradictory: When scanning with Zmap, IPS detects Port Scan (Host Port Scan or Sweep Scan depending on scan settings) and does not catch Zmap.
Can you elaborate, perhaps with a more precise example?

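One way to apply the check PhoneBoy describes to a whole alert body, as an added example that is not part of this thread and not Check Point code: pull every UID-shaped token out of the mail text, look each one up with `mgmt_cli -r true --format json show host uid <uid>`, and print the alert with the UID replaced by the object's name and IPv4 address. The alert line, the UID and the management-server response below are constructed for the demo; the JSON field names `name`, `type` and `ipv4-address` are the ones the `show host` command returns, and `fake_show_host` stands in for the live `mgmt_cli` call so the script runs off the management server.

```python
import json
import re
import subprocess
from typing import Callable, Dict, List, Optional

# Check Point object UIDs have the usual 8-4-4-4-12 hex layout.
UUID_RE = re.compile(
    r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I
)

# Constructed sample alert body (not a real internal_sendmail message).
SAMPLE_ALERT = (
    "Attack: ZMap Security Scanner; Source: 7e6f0a3c-1234-4bcd-9e0f-0123456789ab; "
    "Destination: 203.0.113.10; Action: Prevent"
)

# Constructed stand-in for the JSON that
#   mgmt_cli -r true --format json show host uid <uid>
# returns; only the fields this script reads are filled in.
FAKE_MGMT_RESPONSES: Dict[str, str] = {
    "7e6f0a3c-1234-4bcd-9e0f-0123456789ab": json.dumps({
        "uid": "7e6f0a3c-1234-4bcd-9e0f-0123456789ab",
        "name": "scanner-host",
        "type": "host",
        "ipv4-address": "198.51.100.23",
    }),
}


def find_uuids(text: str) -> List[str]:
    """Return every UID-shaped token in the alert, in order, without duplicates."""
    seen, out = set(), []
    for m in UUID_RE.finditer(text):
        uid = m.group(0).lower()
        if uid not in seen:
            seen.add(uid)
            out.append(uid)
    return out


def mgmt_cli_show_host(uid: str) -> Optional[str]:
    """Live resolver: run mgmt_cli as root on the management server (no login needed)."""
    cmd = ["mgmt_cli", "-r", "true", "--format", "json", "show", "host", "uid", uid]
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None  # not a host object, or mgmt_cli not available here


def fake_show_host(uid: str) -> Optional[str]:
    """Offline resolver backed by the constructed responses above."""
    return FAKE_MGMT_RESPONSES.get(uid)


def resolve_uuids(text: str,
                  resolver: Callable[[str], Optional[str]] = mgmt_cli_show_host
                  ) -> Dict[str, Dict[str, str]]:
    """Map each UID found in the alert to the name/type/IP of the object it identifies.

    A UID that the resolver cannot turn into a host object maps to an empty dict,
    which is the signal that the UUID in the mail is NOT simply an object reference.
    """
    result: Dict[str, Dict[str, str]] = {}
    for uid in find_uuids(text):
        raw = resolver(uid)
        if not raw:
            result[uid] = {}
            continue
        try:
            obj = json.loads(raw)
        except json.JSONDecodeError:
            result[uid] = {}
            continue
        result[uid] = {
            "name": obj.get("name", ""),
            "type": obj.get("type", ""),
            "ipv4-address": obj.get("ipv4-address", ""),
        }
    return result


def rewrite_alert(text: str, resolved: Dict[str, Dict[str, str]]) -> str:
    """Replace each resolved UID with 'name (ip)' so the mail reads like the SmartConsole log."""
    out = text
    for uid, obj in resolved.items():
        if obj.get("ipv4-address"):
            out = re.sub(re.escape(uid), f"{obj['name']} ({obj['ipv4-address']})", out, flags=re.I)
    return out


if __name__ == "__main__":
    # Swap fake_show_host for the default mgmt_cli_show_host when running on the SMS.
    found = resolve_uuids(SAMPLE_ALERT, resolver=fake_show_host)
    print(rewrite_alert(SAMPLE_ALERT, found))
```

If a UID resolves to a host whose IPv4 address matches the source IP shown in SmartConsole, the mail is indeed carrying the object reference in place of the address, which is the situation the thread ends up describing; if it resolves to nothing, the UUID is coming from somewhere else and that is worth telling TAC.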
gilyazovamir
Explorer

Thank you for your reply,

Yes, there is indeed such an object. So that's why the uid comes in the alert?

Regarding the reproduction of the zmap problem: in the test lab I am scanning internal and external gateway networks from a Linux server with zmap. In the IPS logs, Port Scan is detected but CPAI-2016-0215 (ZMap Security Scanner) is not detected. I want to understand what is needed for the gateway to detect this attack as a Zmap attack and not just as a Port Scan.

PhoneBoy
Admin

That would be the logical explanation for this behavior, yes.

As for the question on detecting as Zmap, we don't release details on how our IPS signatures work.
Having said that, if you don't think it's being detected properly, that will need to be addressed through TAC.

gilyazovamir
Explorer

So the only solution is to delete the object? Or is there some other option?

PhoneBoy
Admin

As I said initially, you should check with TAC.
It's not behavior I've seen before and it might actually be a bug.
I suspect deleting the object will resolve the issue in the meantime.
