This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
RalfBauer
Explorer
4 weeks ago
Jump to solution

Pattern Details of IPS Threat Cloud Protections

Dear fellow Check Mates!

We had once again a case where the IPS was preventing some production traffic. In order to find the root cause, we would need to understand what exactly is checked by a certain protection and what trigger conditions are used by that protection.

Is there any source where such details are documented?

Other products or tools (like e.g. Snort) provide repositories with the actual patterns and thresholds.

For the current case, we are looking for the protection 'PHP Web Shell Generic Backdoor' (CPAI-2014-2299), which was definitely triggering on some none PHP web server related communication. But we had other cases in the past as well.

Any hint or idea is much appreciated. Thank you very much in advance for your response.

Best Regards,
Ralf

Labels
0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Champion Champion
Champion
2 weeks ago
Jump to solution

Actually it is possible to examine precisely what IPS signatures are looking for when doing a false positive analysis via the new "IPS Explorer" tool.  This tool is not generally available but you can get your hands on it with the approval of Check Point Labs.  See sk182083: IPS Explorer.  Here is a screenshot from the SK showing the signature contents for a protection:

IPSExplorer.jpg

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

View solution in original post

3 Replies
Chris_Atkinson
Employee Employee
Employee
4 weeks ago
Jump to solution

The current process would involve forwarding a copy of the relevant logs and your traffic captures to TAC for investigation.

CCSM R77/R80/ELITE
0 Kudos
RalfBauer
Explorer
4 weeks ago
In response to Chris_Atkinson
Jump to solution

Thanks for the quick reply. That means, we would have to turn on packet capture logging for the affected threat prevention policy, wait for the next occurance of the issue and involve Checkpoint support afterwards, right?

Not what we were hoping for, as we were looking for some reference which would help us with our post mortem root cause analysis. But at least some option we may consider for future cases.

0 Kudos
Timothy_Hall
Champion Champion
Champion
2 weeks ago
Jump to solution

Actually it is possible to examine precisely what IPS signatures are looking for when doing a false positive analysis via the new "IPS Explorer" tool.  This tool is not generally available but you can get your hands on it with the approval of Check Point Labs.  See sk182083: IPS Explorer.  Here is a screenshot from the SK showing the signature contents for a protection:

IPSExplorer.jpg

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events