This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
RuneSeeker
Participant
2 weeks ago

Detected Sweep Scan originating from source: internal server - destination: empty

Hi everyone,

We are currently running R81.20 Hotfix Take 105. 

The IPS protection flagged a Sweep Scan originating from an internal server, with the destination showing as "null" and the service listed as HTTP_proxy (TCP/8080).

After 9 seconds, the system automatically applied a SAM rule to drop the connection. This action inadvertently disrupted legitimate communication with another internal server.

Once we identified the cause, we removed the affected server from the SAM rule, and since then the issue has not reappeared.

Could you help us understand what might be triggering this behavior?

 

 

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
2 weeks ago

We'd likely need to set up debug and reproduce the issue to understand the root cause of it.
This will require TAC assistance.

However, adding an exception is probably the best way to ensure this issue doesn't happen again.

0 Kudos
RuneSeeker
Participant
2 weeks ago
In response to PhoneBoy

Thank you for the reply,

Exceptions are configured in place long time ago. This issue was once-off, unexpected incident. 
It's not clear how to reproduce this incident since we don't have any possible destination or what tool or process initiated that.

Do you have any suggestions?

0 Kudos
PhoneBoy
Admin
Admin
a week ago
In response to RuneSeeker

I don't believe enough information is logged to understand what happened in this case.
Thus, we'd likely need to reproduce it in order to properly debug it.

RuneSeeker
Participant
a week ago
In response to PhoneBoy

Thanks for the assistance. We will update as more information becomes available.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events