This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dave
Participant
‎2021-10-25 06:50 AM

Detected brute force scanning of cifs ports

Jump to solution

IPS got triggered a dozen times for this protection and i think to know what's behind it, although i'm not sure how to resolve this.

I might believe this is due to a host(s) that starts multiple sessions to copy/write on the SAN, which has many different nodes that is written to, concurrently.

The screenshot shows the different nodes being written to. I left the last octet of the noes visible for you to see.

I could make an IPS exception for the that specific source, which than ignores this IPS signature but i'm afraid i would miss the moment a potential real brute force scan is being executed.

How to resolve this issue in the best way possible?

 

Preview file
73 KB
0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Champion
Champion
‎2021-10-25 02:36 PM

Jump to solution

The Confidence of that signature is Low, which should tell you all you need to know.  My guess is that your server is using at least SMB 3.0 which introduced MultiChannel that allows multiple connections for a single SMB session.  This probably appears as a set of rapid-fire connections that look similar to a port scan.

There don't seem to be any tunable parameters for this signature as far as sensitivity, so your best bet is to create an exception in Inactive mode straight from the log card, and make it as specific as possible.

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com

View solution in original post

2 Replies
Timothy_Hall
Champion
Champion
‎2021-10-25 02:36 PM

Jump to solution

The Confidence of that signature is Low, which should tell you all you need to know.  My guess is that your server is using at least SMB 3.0 which introduced MultiChannel that allows multiple connections for a single SMB session.  This probably appears as a set of rapid-fire connections that look similar to a port scan.

There don't seem to be any tunable parameters for this signature as far as sensitivity, so your best bet is to create an exception in Inactive mode straight from the log card, and make it as specific as possible.

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
Dave
Participant
‎2021-11-08 12:42 AM
In response to Timothy_Hall

Jump to solution

Thanks for your insights.

As a result, i created a very specific exception for this, which resolved the false positive.

0 Kudos