RalfBauer
Explorer

Pattern Details of IPS Threat Cloud Protections

Dear fellow Check Mates!

We had once again a case where the IPS was preventing some production traffic. In order to find the root cause, we would need to understand what exactly is checked by a certain protection and what trigger conditions are used by that protection.

Is there any source where such details are documented?

Other products or tools (like e.g. Snort) provide repositories with the actual patterns and thresholds.

For the current case, we are looking for the protection 'PHP Web Shell Generic Backdoor' (CPAI-2014-2299), which was definitely triggering on some non-PHP web server related communication. But we had other cases in the past as well.

Any hint or idea is much appreciated. Thank you very much in advance for your response.

Best Regards,
Ralf

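To make concrete what "what exactly is checked and what trigger conditions are used" means for a pattern-based protection, here is a toy Snort-style rule evaluator. It is an added illustration, not code from Check Point, Snort or anyone in this thread, and it assumes a small invented rule subset (content, nocase, pcre). The two rule texts and the HTTP samples are constructed for the demo; they have no relation to the real pattern behind CPAI-2014-2299, which the thread says is not published. The point is that once the trigger conditions are explicit, a captured request can be replayed against them to see why it fired and how a tightened condition behaves on the same traffic.

```python
"""Toy Snort-style signature evaluator for reasoning about IPS false positives.

Hypothetical example: the rule syntax imitates a Snort rule option section
(content:, nocase, pcre:) so that a protection's trigger conditions are explicit
and can be replayed against captured payloads. No Check Point or Snort code.
"""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    sid: str
    msg: str
    contents: list = field(default_factory=list)   # [[pattern_bytes, nocase], ...]
    pcre: Optional[re.Pattern] = None              # compiled bytes regex, or None


# One option per match: key, then an optional ':' value (quoted or bare), then ';'.
_OPTION = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]+))?;')


def parse_rule(rule_text: str) -> Rule:
    """Parse the parenthesised option section of a Snort-style rule line.

    Supported: msg, sid, content (plain text only; Snort's |hex| form is not
    handled), nocase (applies to the preceding content) and pcre with an
    optional 'i' flag. Anything else is ignored on purpose.
    """
    body = rule_text[rule_text.index("(") + 1 : rule_text.rindex(")")]
    rule = Rule(sid="", msg="")
    for key, raw in _OPTION.findall(body):
        value = raw[1:-1] if raw.startswith('"') else raw.strip()
        if key == "sid":
            rule.sid = value
        elif key == "msg":
            rule.msg = value
        elif key == "content":
            rule.contents.append([value.encode(), False])
        elif key == "nocase" and rule.contents:
            rule.contents[-1][1] = True
        elif key == "pcre":
            m = re.fullmatch(r"/(.*)/([a-z]*)", value)
            flags = re.IGNORECASE if "i" in m.group(2) else 0
            rule.pcre = re.compile(m.group(1).encode(), flags)
    return rule


def matches(rule: Rule, payload: bytes) -> bool:
    """True when every content token is present and the pcre (if any) matches."""
    for pattern, nocase in rule.contents:
        hay = payload.lower() if nocase else payload
        needle = pattern.lower() if nocase else pattern
        if needle not in hay:
            return False
    if rule.pcre is not None and rule.pcre.search(payload) is None:
        return False
    return True


def evaluate(rule_text: str, samples: dict) -> dict:
    """Map each sample name to whether the rule would fire on it."""
    rule = parse_rule(rule_text)
    return {name: matches(rule, payload) for name, payload in samples.items()}


# Constructed generic rule: fires when both tokens occur anywhere, case-insensitively.
GENERIC_RULE = (
    'alert tcp any any -> any 80 (msg:"PHP web shell generic backdoor (toy)"; '
    'content:"eval("; nocase; content:"base64_decode("; nocase; sid:9000001;)'
)

# Same rule tightened: the tokens must form one nested call expression.
TIGHTENED_RULE = (
    'alert tcp any any -> any 80 (msg:"PHP web shell generic backdoor (toy, tightened)"; '
    'content:"eval("; nocase; content:"base64_decode("; nocase; '
    'pcre:"/eval\\s*\\(\\s*base64_decode\\s*\\(/i"; sid:9000002;)'
)

# Constructed HTTP payloads (not captures from the thread).
SAMPLES = {
    # Dynamic-code construct posted to a PHP endpoint: the case the rule is meant for.
    "php_upload": (
        b"POST /img/upload.php HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
        b'eval(base64_decode("PLACEHOLDER"));'
    ),
    # Non-PHP wiki edit that merely mentions both tokens: a false positive for the
    # generic rule, which the tightened rule does not report.
    "wiki_page": (
        b"PUT /wiki/Secure-Coding HTTP/1.1\r\nHost: wiki.example.com\r\n\r\n"
        b"Reviewers flagged EVAL( and, separately, base64_decode( in legacy code."
    ),
    "static_asset": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}

if __name__ == "__main__":
    for name, text in (("generic", GENERIC_RULE), ("tightened", TIGHTENED_RULE)):
        print(name, evaluate(text, SAMPLES))
```

Running it shows the generic rule firing on both the PHP upload and the wiki edit, while the tightened rule fires only on the upload; that side-by-side is exactly the comparison a post-mortem needs and the reason a published pattern (or a tool that reveals it) matters.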
Chris_Atkinson
Employee

The current process would involve forwarding a copy of the relevant logs and your traffic captures to TAC for investigation.

CCSM R77/R80/ELITE
RalfBauer
Explorer

Thanks for the quick reply. That means we would have to turn on packet capture logging for the affected threat prevention policy, wait for the next occurrence of the issue and involve Check Point support afterwards, right?

Not what we were hoping for, as we were looking for some reference which would help us with our post mortem root cause analysis. But at least some option we may consider for future cases.

Timothy_Hall
Champion

Actually it is possible to examine precisely what IPS signatures are looking for when doing a false positive analysis via the new "IPS Explorer" tool. This tool is not generally available but you can get your hands on it with the approval of Check Point Labs. See sk182083: IPS Explorer. Here is a screenshot from the SK showing the signature contents for a protection:

[Screenshot: IPSExplorer.jpg]

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
