This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dave
Contributor
‎2021-10-25 06:50 AM
Jump to solution

Detected brute force scanning of cifs ports

IPS got triggered a dozen times for this protection and i think to know what's behind it, although i'm not sure how to resolve this.

I might believe this is due to a host(s) that starts multiple sessions to copy/write on the SAN, which has many different nodes that is written to, concurrently.

The screenshot shows the different nodes being written to. I left the last octet of the noes visible for you to see.

I could make an IPS exception for the that specific source, which than ignores this IPS signature but i'm afraid i would miss the moment a potential real brute force scan is being executed.

How to resolve this issue in the best way possible?

 

Preview file
73 KB
0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Champion
Champion
‎2021-10-25 02:36 PM
Jump to solution

The Confidence of that signature is Low, which should tell you all you need to know.  My guess is that your server is using at least SMB 3.0 which introduced MultiChannel that allows multiple connections for a single SMB session.  This probably appears as a set of rapid-fire connections that look similar to a port scan.

There don't seem to be any tunable parameters for this signature as far as sensitivity, so your best bet is to create an exception in Inactive mode straight from the log card, and make it as specific as possible.

Updated 2023 IPS/AV/ABOT R81.20 Course now
available at maxpowerfirewalls.com

View solution in original post

2 Replies
Timothy_Hall
Champion
Champion
‎2021-10-25 02:36 PM
Jump to solution

The Confidence of that signature is Low, which should tell you all you need to know.  My guess is that your server is using at least SMB 3.0 which introduced MultiChannel that allows multiple connections for a single SMB session.  This probably appears as a set of rapid-fire connections that look similar to a port scan.

There don't seem to be any tunable parameters for this signature as far as sensitivity, so your best bet is to create an exception in Inactive mode straight from the log card, and make it as specific as possible.

Updated 2023 IPS/AV/ABOT R81.20 Course now
available at maxpowerfirewalls.com
Dave
Contributor
‎2021-11-08 12:42 AM
In response to Timothy_Hall
Jump to solution

Thanks for your insights.

As a result, i created a very specific exception for this, which resolved the false positive.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events