IPS got triggered a dozen times for this protection and I think I know what's behind it, although I'm not sure how to resolve this.
I might believe this is due to a host(s) that starts multiple sessions to copy/write on the SAN, which has many different nodes that are written to concurrently.
The screenshot shows the different nodes being written to. I left the last octet of the nodes visible for you to see.
I could make an IPS exception for that specific source, which then ignores this IPS signature, but I'm afraid I would miss the moment a potential real brute force scan is being executed.
How to resolve this issue in the best way possible?
The Confidence of that signature is Low, which should tell you all you need to know. My guess is that your server is using at least SMB 3.0 which introduced MultiChannel that allows multiple connections for a single SMB session. This probably appears as a set of rapid-fire connections that look similar to a port scan.
There don't seem to be any tunable parameters for this signature as far as sensitivity, so your best bet is to create an exception in Inactive mode straight from the log card, and make it as specific as possible.
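As an added example (not code from the thread or from Check Point), here is a small Python triage helper over constructed connection records that separates the MultiChannel pattern described above (repeated TCP/445 connections to a few SAN nodes from one source) from a genuine port scan (many distinct ports in the same burst), and derives the narrowest exception scope for a MultiChannel source. The record format, thresholds and heuristic are assumptions of this example, not the IPS signature's own logic.

```python
from collections import defaultdict

# Constructed sample records: (timestamp_seconds, src_ip, dst_ip, dst_port).
# 10.0.0.5 opens several TCP/445 connections to each SAN node within a second
# (SMB 3 MultiChannel pattern); 10.0.0.9 touches many ports on one node (scan).
EVENTS = [
    (0.0, "10.0.0.5", "10.0.1.11", 445),
    (0.1, "10.0.0.5", "10.0.1.11", 445),
    (0.2, "10.0.0.5", "10.0.1.12", 445),
    (0.3, "10.0.0.5", "10.0.1.12", 445),
    (0.4, "10.0.0.5", "10.0.1.13", 445),
    (0.5, "10.0.0.5", "10.0.1.13", 445),
    (1.0, "10.0.0.9", "10.0.1.11", 22),
    (1.1, "10.0.0.9", "10.0.1.11", 80),
    (1.2, "10.0.0.9", "10.0.1.11", 443),
    (1.3, "10.0.0.9", "10.0.1.11", 445),
    (1.4, "10.0.0.9", "10.0.1.11", 3389),
]


def classify_sources(events, window=2.0, min_conns=5, scan_ports=4):
    """Label each source 'smb-multichannel', 'port-scan' or 'normal'.

    A burst of >= min_conns connections inside `window` seconds that only
    targets TCP/445 is treated as MultiChannel; a burst spanning >= scan_ports
    distinct ports is treated as a scan (assumed thresholds)."""
    by_src = defaultdict(list)
    for ts, src, dst, port in events:
        by_src[src].append((ts, dst, port))
    labels = {}
    for src, conns in by_src.items():
        conns.sort()
        label = "normal"
        for i in range(len(conns)):  # slide a time window over the connections
            burst = [c for c in conns[i:] if c[0] - conns[i][0] <= window]
            if len(burst) < min_conns:
                continue
            ports = {p for _, _, p in burst}
            if len(ports) >= scan_ports:
                label = "port-scan"  # a real scan outranks any earlier label
                break
            if ports == {445}:
                label = "smb-multichannel"
        labels[src] = label
    return labels


def suggest_exception_scope(events, src):
    """Narrowest IPS exception for a MultiChannel source: that source only,
    only the SAN nodes it writes to, only TCP/445 (rather than the whole signature)."""
    dsts = sorted({d for _, s, d, p in events if s == src and p == 445})
    return {"source": src, "destinations": dsts, "service": "tcp/445"}
```

With the sample records, `classify_sources(EVENTS)` labels 10.0.0.5 as MultiChannel and 10.0.0.9 as a scan, so an exception scoped by `suggest_exception_scope` keeps the signature active for everything else.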
Thanks for your insights.
As a result, I created a very specific exception for this, which resolved the false positive.