RamGuy239
Advisor

IPS: How do I determine if something is a "false positive" or not?

Greetings,

I would love to know how people are tuning their IPS policy regarding "false positives." Creating narrow exceptions isn't all that difficult, but how do you determine if you are creating exceptions for something that IPS should drop?

In my experience, most firewall administrators will activate their intended level of Threat Prevention Protection, going straight into Prevent Mode, a mix of Prevent and Detect, or Detect only for a while and use the logs to create exceptions.

But every time I look at the list of Global Exceptions, most firewall administrators have trouble explaining their exceptions. It seems that most take the path of least resistance approach. They toss everything that breaks into an exception and call it a day.

This makes sense from a usability point of view, but it's not ideal from a security point of view.


But what tools do we have to determine if something is a "false positive" or not?

Many customers claim that Palo Alto has far fewer "false positives" than Check Point. To test this, I created a Palo Alto PanOS 11.1.2 LAB at home and routed my network through a PanOS VM-series firewall. I usually have it running through a virtual Check Point Gateway. Surprisingly, even running PanOS with IPS in "Strict" didn't cause any issues.

My profile on Check Point is based on "Optimised", where I have tuned it somewhat by changing it from Medium or Lower on Performance Impact to High or Lower, and by setting Low Confidence to Inactive instead of Detect.

This was causing some immediate issues, such as Xbox Software updates not working:

Attack Name: Content Protection Violation
Attack Information: Microsoft Media Player BMP file handling buffer overflow (MS06-005)
Protection Name: Microsoft Media Player BMP File Handling Buffer Overflow (MS06-005)
Protection ID: asm_dynamic_prop_wmp
Severity: High
Confidence Level: High
Industry Reference: CVE-2006-0006
Performance Impact: Low
Protection Type: IPS
Description URL: wmp_help.html
Type: Log
Blade: IPS
Origin: external
Product Family: Threat
Lastupdateseqnum: 1
Interface Direction: inbound
Service ID: http
Source Port: 49705
Destination Port: 80
IP Protocol: 6
Session Identification Number:0x65f74f5f,0x3,0x569966d7,0xc1af8946
Policy Rule UID: 9f887ba5-72f7-469b-aecf-980de623d8ff
Threat Prevention Rule ID: 994AB773-A030-41C4-B943-459470D0CE66
Reject ID Kid: 65f74f5f-2-569966d7-c1af8946
Member Id: 1_1
Action: Prevent
Service: TCP
Resource: http://assets1.xboxlive.com/14/8c500d02-8908-4a45-b423-5d8650f3f155/bootrb.bin
Suppressed Logs: 4
Sent Bytes: 0
Received Bytes: 528
Tags: Vendor_MS, Product_Media_Player, Threat_Year_2006, Threat_Prevalence_True, CVSS_9_3, Protection_Type_Vulnerability, Vul_Type_Buffer_Overflow, Product_Prevalence_Common, Tuning_Configurable, File_Type_BMP, Protocol_HTTP, Direction_CLIENT
Bytes (sent\received): 0 B \ 528 B

I won't necessarily say this makes Palo Alto "better". It all comes down to whether this is indeed a "false positive" or not. I find it strange that Palo Alto, even running "Strict", does not react to this, while Check Point labels it as Severity: High, Confidence Level: High. It seems odd for Microsoft to run Xbox system updates in a way that would legitimately trigger IPS protections.

In this scenario, I would consider it a "false positive" based on legitimate Microsoft traffic, Xbox system updates from an Xbox Series X with the resource being "assets1.xboxlive.com". I feel very confident about creating an exception for this traffic.

But I don't know if this traffic is a "false positive" from Check Point or if something about this traffic should indeed trigger the "Microsoft Media Player BMP file handling buffer overflow (MS06-005)" protection.

How would you usually treat and react to IPS protections like this? Would you consider it beneficial or negative for Check Point to seem more aggressive with its IPS protections compared to competitors like Palo Alto?

Certifications: CCSA, CCSE, CCSM, CCSM ELITE, CCTA, CCTE, CCVS, CCME
0 Kudos
8 Replies
G_W_Albrecht
Legend

I would be very glad if CP points out the XBox traffic - no one in my company should use an XBox at his desk 😉

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
RamGuy239
Advisor

It was the most accessible and apparent example I had on hand, especially considering that Check Point marks it at High Severity and High Confidence. It is strange that one company does not react at all, even when running a Strict profile, while the other will drop it even with the leanest profile.

Certifications: CCSA, CCSE, CCSM, CCSM ELITE, CCTA, CCTE, CCVS, CCME
0 Kudos
PhoneBoy
Admin

If you believe the issue is a false positive, it should be taken up with the TAC with the relevant packet captures.

0 Kudos
Lesley
Leader

I can confirm this. Also, the relevant sk for making the capture:

sk181440

The SK details how to collect this traffic with or without HTTPS inspection.

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Timothy_Hall
Legend

The "IPS Explorer" tool can be very helpful as it lets you see precisely what an IPS protection is looking for as far as signatures go. Very helpful for false positive analysis; see sk182083: IPS Explorer

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
the_rock
Legend

I read the sk you pointed to, but it's not clear to me based on the content there how one can be sure if something is a false positive or not based on what it "spits out".

Andy

0 Kudos
PhoneBoy
Admin

The only way you're going to know if it's a false positive is if you know for certain the traffic that is getting blocked is legitimate.
Usually, false positives are determined by receiving feedback from users about a specific application "not working" or exhibiting unusual behavior.

0 Kudos
the_rock
Legend

Makes sense. I also asked a guy in DTAC about that sk, but he said that since it's fairly new, it's probably safer to parse through the IPS logs manually and check that way. I know it's more "painful", but it's definitely more accurate.

0 Kudos
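The thread ends on "parse through the IPS logs manually", and the original post shows what one such record looks like. The script below is an added example, not code from the thread, from Check Point, or from any poster: it parses the "Key: Value" record layout of the post's log extract, groups hits by protection and destination host, and labels each group with the review action the replies describe (narrow exception only for vetted, widely hit destinations; packet capture and TAC escalation for everything else). The sample records, the `Source` field (the post's extract shows only a Source Port), the "Example Protection (placeholder)" signature name and the `KNOWN_UPDATE_HOSTS` allow-list are constructed assumptions for the demonstration.

```python
"""Triage Check Point IPS log records for false-positive review.

Added example (not code from the thread or from Check Point). It parses the
"Key: Value" record layout shown in the original post, groups hits by
(Protection Name, destination host) and suggests, per group, whether a narrow
exception is defensible or whether the hit should be captured and escalated.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records in the layout of the post's log extract.
# "Source" is an assumed field: the post's extract shows only Source Port.
# The second protection name is a placeholder, not a real Check Point signature.
SAMPLE_LOGS = """\
Protection Name: Microsoft Media Player BMP File Handling Buffer Overflow (MS06-005)
Severity: High
Confidence Level: High
Source: 192.0.2.10
Resource: http://assets1.xboxlive.com/14/8c500d02-8908-4a45-b423-5d8650f3f155/bootrb.bin

Protection Name: Microsoft Media Player BMP File Handling Buffer Overflow (MS06-005)
Severity: High
Confidence Level: High
Source: 192.0.2.11
Resource: http://assets1.xboxlive.com/14/8c500d02-8908-4a45-b423-5d8650f3f155/bootrb.bin

Protection Name: Example Protection (placeholder)
Severity: High
Confidence Level: High
Source: 192.0.2.12
Resource: http://unknown.example.net/download/file.bin
"""

# Constructed allow-list of vendor update hosts the admin has already vetted.
# Membership is a prerequisite for an exception, never a substitute for
# confirming that the blocked application actually works again.
KNOWN_UPDATE_HOSTS = {"assets1.xboxlive.com"}


def parse_records(text):
    """Split blank-line separated 'Key: Value' records into dicts."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def group_hits(records):
    """Aggregate hits per (protection, destination host)."""
    groups = defaultdict(lambda: {"hits": 0, "sources": set(),
                                  "severity": "", "confidence": ""})
    for rec in records:
        host = urlsplit(rec.get("Resource", "")).hostname or "?"
        g = groups[(rec.get("Protection Name", "?"), host)]
        g["hits"] += 1
        g["sources"].add(rec.get("Source", "?"))
        g["severity"] = rec.get("Severity", g["severity"])
        g["confidence"] = rec.get("Confidence Level", g["confidence"])
    return groups


def recommend(group, host, known_hosts):
    """Vetted host hit from several sources: candidate for an exception scoped
    to this protection and this host. Vetted host, one source: verify first.
    Anything else: collect a capture and escalate rather than except."""
    if host in known_hosts and len(group["sources"]) >= 2:
        return "narrow-exception-candidate"
    if host in known_hosts:
        return "verify-then-except"
    return "capture-and-escalate"


def triage(text, known_hosts=KNOWN_UPDATE_HOSTS):
    """Return {(protection, host): summary} for every group in the log text."""
    result = {}
    for (prot, host), g in group_hits(parse_records(text)).items():
        result[(prot, host)] = {
            "hits": g["hits"],
            "distinct_sources": len(g["sources"]),
            "severity": g["severity"],
            "confidence": g["confidence"],
            "recommendation": recommend(g, host, known_hosts),
        }
    return result


if __name__ == "__main__":
    for (prot, host), s in triage(SAMPLE_LOGS).items():
        print(f"{prot} -> {host}: {s['hits']} hit(s) from "
              f"{s['distinct_sources']} source(s), {s['severity']}/"
              f"{s['confidence']}: {s['recommendation']}")
```

The grouping key (protection plus destination host) is deliberately the same shape as the narrow exception an admin would end up writing, so the output maps directly onto a reviewable exception rather than a blanket "disable this protection". Feeding it an export of real IPS logs would need the field names adjusted to whatever the export actually contains.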
