Syslog Integration with CheckPoint

By Raghu K in Check Point

Forwarding CheckPoint Logs to Syslog Server

This document captures the syslog configuration for three setups and shows, for each, the logs of the different software blades as they appear in SmartView Tracker and on the syslog server:

Scenario 1: R77.30 Mgmt and R77.30 GW, syslog sent directly from the Gateway (limitation: some fields arrive masked as ******, for example the Application Control and URL Filtering application names, which appear resolved only in the logs that pass through the Management Server)

Scenario 2: R77.30 Mgmt and R77.30 GW, syslog forwarded through the Mgmt (limitation: all logs are first written to the Management Server's /var/log/messages and forwarded from there together with its own system messages)

Scenario 3: R80 Mgmt and R77.30 GW, syslog forwarded through the Mgmt (same limitation as Scenario 2)

This article shows the logs of the following software blades:

1. Firewall

2. IPS

3. Anti-Virus

4. Anti-Bot

5. Application Control &

6. URL Filtering

Scenario 1: Forwarding the Traffic Logs from R77.30 Firewall to Syslog Server

In this scenario the firewall sends its traffic logs both to the Management Server and directly to the syslog server.

Note: only the gateway's traffic logs reach the syslog server in this scenario; the gateway's own /var/log/messages is not forwarded.

1. Install the R77.30 Add-on on the Management Server via CPUSE.

2. Create the Syslog Server object in SmartDashboard.

https://qostechnology.in/wp-content/uploads/2017/01/word-image-102.png

https://qostechnology.in/wp-content/uploads/2017/01/word-image-103.png

3. Under “Send logs and alerts to these log servers”, add the Syslog server object along with the original management server object.

https://qostechnology.in/wp-content/uploads/2017/01/word-image-104.png

4. Enable the fwsyslog_enable kernel parameter on the gateway, either on the fly (fw ctl set int fwsyslog_enable 1, which does not survive a reboot) or permanently (fwsyslog_enable=1 in $FWDIR/boot/modules/fwkern.conf), and install the policy.

https://qostechnology.in/wp-content/uploads/2017/01/word-image-105.png

Firewall Software Blade Log:

1. Accessed the website https://qostechnology.in/, whose IP address is 166.62.28.120.

https://qostechnology.in/wp-content/uploads/2017/01/word-image-106.png

https://qostechnology.in/wp-content/uploads/2017/01/word-image-107.png

2017-01-30 16:07:33 System0.Notice 10.10.10.254 Jan 30 16:07:33+05:1800 10.10.10.254 Action="accept" UUid="{0x588f176d,0x3,0xfe0a0a0a,0xc0000000}" inzone="Internal" outzone="External" rule="3" rule_uid="{E6149B4A-DF60-4500-A097-5557F547A675}" rule_name="Internet Access" service_id="http" src="10.10.10.5" dst="166.62.28.120" proto="6" xlatesrc="10.10.18.254" NAT_rulenum="4" NAT_addtnl_rulenum="1" product="VPN-1 & FireWall-1" service="80" s_port="1445" xlatesport="10381" product_family="Network"

URL Filtering Software Blade Log:

1. Accessed the website https://qostechnology.in/

https://qostechnology.in/wp-content/uploads/2017/01/word-image-108.png

https://qostechnology.in/wp-content/uploads/2017/01/word-image-109.png

2017-01-30 16:07:36 System0.Notice 10.10.10.254 Jan 30 16:07:34+05:1800 10.10.10.254 Action="allow" UUid="{0x588f176e,0x0,0xfe0a0a0a,0xc0000000}" src="10.10.10.5" dst="166.62.28.120" proto="6" appi_name="******" app_desc="******" app_id="******" app_category="******" matched_category="******" app_properties="******" app_risk="******" app_rule_id="******" app_rule_name="******" web_client_type="Firefox" web_server_type="Apache" resource="https://qostechnology.in/" proxy_src_ip="10.10.10.5" product="URL Filtering" service="80" s_port="1445" product_family="Network"

Application Control Software Blade Log:

1. Blocked the WinSCP application; the logs are shown below:

https://qostechnology.in/wp-content/uploads/2017/01/word-image-110.png

https://qostechnology.in/wp-content/uploads/2017/01/word-image-111.png

2017-01-30 17:37:18 System0.Notice 10.10.10.254 Jan 30 17:37:18+05:1800 10.10.10.254 Action="block" UUid="{0x588f2c76,0x3,0xfe0a0a0a,0xc0000000}" src="10.10.10.5" dst="194.29.38.122" proto="6" appi_name="******" app_desc="******" app_id="******" app_category="******" matched_category="******" app_properties="******" app_risk="******" app_rule_id="******" app_rule_name="******" app_sig_id="60343744:1" proxy_src_ip="10.10.10.5" product="Application Control" service="22" s_port="1846" product_family="Network"

IPS Software Blade Log:

1. Performed a port scan on my firewall.

https://qostechnology.in/wp-content/uploads/2017/01/word-image-112.png

https://qostechnology.in/wp-content/uploads/2017/01/word-image-113.png

01-30-2017 16:25:24 System0.Notice 10.10.10.254 Jan 30 16:25:22+05:1800 10.10.10.254 Action="reject" UUid="{0x0,0x0,0x0,0x0}" Protection Name="Non-MD5 Authenticated BGP Connections" Severity="3" Confidence Level="3" protection_id="bgp_protos" SmartDefense Profile="Recommended_Protection" Performance Impact="3" Industry Reference="CAN-2004-0589, CAN-2004-0230" Protection Type="protection" Attack Info="Non-MD5 Authenticated BGP Protocol Detected on Connection" attack="BGP Enforcement Violation" rule="1" rule_uid="{547FE81C-AC6A-47A3-981F-9DCBB2606E80}" rule_name="Mgmt Access" Total logs="12" Suppressed logs="11" proto="6" dst="10.10.10.254" src="10.10.10.1" product="SmartDefense" service="179" FollowUp="Not Followed" product_family="Network"

Anti-Virus Software Blade Log:

1. Tested downloading a test malware file from the URL below:

http://www.wicar.org/test-malware.html

https://qostechnology.in/wp-content/uploads/2017/01/word-image-114.png

https://qostechnology.in/wp-content/uploads/2017/01/word-image-115.png

01-30-2017 16:32:59 System0.Notice 10.10.10.254 Jan 30 16:32:59+05:1800 10.10.10.254 Action="monitor" UUid="{0x588f1d63,0x4,0xfe0a0a0a,0xc0000000}" src="10.10.10.5" dst="62.0.58.94" proto="6" session_id="{0x588f1d63,0x4,0xfe0a0a0a,0xc0000000}" Protection name="REP.ianwwg" description="Connections to IP associated by DNS trap with malicious domain. See sk74060 for more information." Source OS="Windows" Confidence Level="1" severity="2" malware_action="Access to site known to contain malware" Protection Type="DNS Trap" malware_rule_id="{1E90B500-246E-1F43-82F4-4E99FAD647B6}" Destination DNS Hostname="malware.wicar.org" protection_id="000AC512A" vendor_list="Check Point ThreatCloud" log_id="2" scope="10.10.10.5" product="New Anti Virus" service="80" s_port="1687"

Anti-Bot Software Blade Log:

1. Tested the Anti-Bot test link given in Check Point article sk110481:

http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html

https://qostechnology.in/wp-content/uploads/2017/01/word-image-116.png

https://qostechnology.in/wp-content/uploads/2017/01/word-image-117.png

2017-01-30 16:00:28 System0.Notice 10.10.10.254 Jan 30 16:00:26+05:1800 10.10.10.254 Action="redirect" UUid="{0x588f1348,0x3,0xfe0a0a0a,0xc0000000}" web_client_type="Firefox" resource="http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html" src="10.10.10.5" dst="184.31.212.234" proto="6" session_id="{0x588f1348,0x3,0xfe0a0a0a,0xc0000000}" Protection name="Check Point – Testing Bot" malware_family="Check Point" Source OS="Windows" Confidence Level="5" severity="2" malware_action="Communication with C&C site" rule_uid="{E6149B4A-DF60-4500-A097-5557F547A675}" rule_name="Internet Access" Protection Type="URL reputation" malware_rule_id="{1E90B500-246E-1F43-82F4-4E99FAD647B6}" protection_id="00233CFEE" log_id="2" proxy_src_ip="10.10.10.5" scope="10.10.10.5" product="Anti Malware" service="80" s_port="1414"
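Once the gateway sends its own copy of the logs, the receiving side has to deal with the key="value" format shown above: keys that contain spaces (Protection Name, Confidence Level), values such as "VPN-1 & FireWall-1", and the ****** placeholders this scenario leaves in Application Control and URL Filtering fields. The Python script below is an added example, not part of the original article and not a Check Point tool: it parses lines in that format into dictionaries, reports which fields arrived masked, and sorts each record into a coarse class that a SIEM routing rule could key on. The sample lines are constructed from the Scenario 1 entries above (shortened, with straight quotes); the class names and the _-prefixed header keys are this example's own convention.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample lines, shortened from the Scenario 1 entries on this page.
SAMPLE_LINES = [
    '2017-01-30 16:07:33 System0.Notice 10.10.10.254 Jan 30 16:07:33+05:1800 10.10.10.254 Action="accept" UUid="{0x588f176d,0x3,0xfe0a0a0a,0xc0000000}" inzone="Internal" outzone="External" rule="3" rule_name="Internet Access" service_id="http" src="10.10.10.5" dst="166.62.28.120" proto="6" product="VPN-1 & FireWall-1" service="80" s_port="1445" product_family="Network"',
    '2017-01-30 17:37:18 System0.Notice 10.10.10.254 Jan 30 17:37:18+05:1800 10.10.10.254 Action="block" UUid="{0x588f2c76,0x3,0xfe0a0a0a,0xc0000000}" src="10.10.10.5" dst="194.29.38.122" proto="6" appi_name="******" app_desc="******" app_id="******" app_rule_name="******" app_sig_id="60343744:1" proxy_src_ip="10.10.10.5" product="Application Control" service="22" s_port="1846" product_family="Network"',
    '01-30-2017 16:25:24 System0.Notice 10.10.10.254 Jan 30 16:25:22+05:1800 10.10.10.254 Action="reject" UUid="{0x0,0x0,0x0,0x0}" Protection Name="Non-MD5 Authenticated BGP Connections" Severity="3" Confidence Level="3" protection_id="bgp_protos" Industry Reference="CAN-2004-0589, CAN-2004-0230" attack="BGP Enforcement Violation" proto="6" dst="10.10.10.254" src="10.10.10.1" product="SmartDefense" service="179" product_family="Network"',
    '2017-01-30 16:00:28 System0.Notice 10.10.10.254 Jan 30 16:00:26+05:1800 10.10.10.254 Action="redirect" UUid="{0x588f1348,0x3,0xfe0a0a0a,0xc0000000}" resource="http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html" src="10.10.10.5" dst="184.31.212.234" proto="6" Protection name="Check Point – Testing Bot" Confidence Level="5" severity="2" malware_action="Communication with C&C site" Protection Type="URL reputation" protection_id="00233CFEE" product="Anti Malware" service="80" s_port="1414"',
]

# One Check Point field: key="value". A key is one or more words separated by
# single spaces ("Protection Name"), so a match must start at a space or at the
# beginning of the line; values never contain a double quote in this format.
FIELD_RE = re.compile(r'(?:^|\s)([A-Za-z]\w*(?: [A-Za-z]\w*)*)="([^"]*)"')

MASK = "******"  # placeholder the gateway emits for fields it cannot resolve
THREAT_PRODUCTS = {"SmartDefense", "New Anti Virus", "Anti Malware"}  # IPS, AV, Anti-Bot


def parse_gateway_line(line: str) -> Dict[str, str]:
    """Parse one gateway-format syslog line into a flat dict.

    Syslog header values go under '_'-prefixed keys (this example's convention)
    so they cannot collide with Check Point field names.
    """
    matches = list(FIELD_RE.finditer(line))
    if not matches:
        raise ValueError('no key="value" fields in: %r' % line[:60])
    # header: <recv date> <recv time> <facility.severity> <relay> <gw timestamp> <origin>
    header = line[: matches[0].start()].split()
    record = {
        "_received": header[0] + " " + header[1],
        "_facility": header[2],
        "_reporter": header[3],
        "_origin": header[-1],
    }
    for m in matches:
        record[m.group(1)] = m.group(2)
    return record


def masked_fields(record: Dict[str, str]) -> List[str]:
    """Names of the fields that arrived as ****** (sorted for stable output)."""
    return sorted(k for k, v in record.items() if v == MASK)


def triage(record: Dict[str, str]) -> Tuple[str, str]:
    """Return (class, one-line summary). Classes are this example's own:
    'threat' for IPS / Anti-Virus / Anti-Bot, 'policy' for blocked or rejected
    traffic from the Firewall or Application Control, 'info' for the rest."""
    product = record.get("product", "?")
    action = record.get("Action", "?").lower()
    flow = "%s->%s" % (record.get("src", "?"), record.get("dst", "?"))
    if product in THREAT_PRODUCTS:
        what = (record.get("malware_action") or record.get("attack")
                or record.get("Protection Name", ""))
        return "threat", "%s: %s %s (%s)" % (product, action, flow, what)
    if action in ("block", "reject", "drop"):
        rule = record.get("app_rule_name") or record.get("rule_name", "?")
        return "policy", "%s: %s %s rule=%s" % (product, action, flow, rule)
    return "info", "%s: %s %s" % (product, action, flow)


def summarize(lines: List[str]) -> List[dict]:
    """Parse and triage every line; each row also lists its masked fields."""
    rows = []
    for line in lines:
        rec = parse_gateway_line(line)
        klass, text = triage(rec)
        rows.append({"class": klass, "summary": text, "masked": masked_fields(rec)})
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LINES):
        print(row["class"].upper().ljust(7), row["summary"],
              "masked=" + (",".join(row["masked"]) or "-"))
```

Run as a script it prints one line per record. The Application Control entry comes out as policy with rule=****** and four masked field names: that is exactly the data this scenario cannot give a SIEM, and the reason Scenarios 2 and 3 forward through the Management Server instead.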

Scenario 2: Forwarding Traffic Logs stored on the R77.30 Management Server to Syslog Server

1. Add the line below to /etc/rc.d/init.d/cpboot on the Management Server so the pipeline starts at boot: fw log -f follows the live log (-t starts at its end, -n skips DNS resolution, -l prints the date and time), the awk and sed stages drop empty lines (awk 'NF' alone does this; the sed is redundant but harmless), and logger writes each record to the local syslog with facility local4 and the tag CP_FireWall.

fw log -f -t -n -l 2> /dev/null | awk 'NF' | sed '/^$/d' | logger -p local4.info -t CP_FireWall &

https://qostechnology.in/wp-content/uploads/2017/01/word-image-118.png

2. After this the firewall logs appear in the /var/log/messages file on the Management Server.

Note: /var/log/messages now holds the gateway's traffic logs interleaved with the Management Server's own system messages, and both are forwarded by the next step; nothing is filtered on the way to the syslog server.

https://qostechnology.in/wp-content/uploads/2017/01/word-image-119.png

3. Now forward these messages to the remote syslog server. Open an SSH session to the Management Server, stay in the Gaia clish (the default shell, not expert mode) and enter the following command, then run save config so the setting survives a reboot. The forwarded syslog is not encrypted, so the syslog server should be reachable only over a trusted management network.

> add syslog log-remote-address <IP-address_of_Syslog_Server> level info

https://qostechnology.in/wp-content/uploads/2017/01/word-image-120.png

4. The syslog server now receives the logs from the Management Server (10.10.10.10):

a) Traffic logs on the Syslog server.

https://qostechnology.in/wp-content/uploads/2017/01/word-image-121.png

b) The Management Server's own /var/log/messages entries on the syslog server.

https://qostechnology.in/wp-content/uploads/2017/01/word-image-122.png

Firewall Software Blade Log:

1. Accessed the website https://qostechnology.in/, whose IP address is 166.62.28.120.

https://qostechnology.in/wp-content/uploads/2017/01/word-image-123.png

https://qostechnology.in/wp-content/uploads/2017/01/word-image-124.png

01-30-2017 19:41:43 Local4.Info 10.10.10.10 CP_FireWall: 30Jan2017 19:41:35 accept 10.10.10.254 >eth0 inzone:Internal; outzone:External;rule:3;rule_uid:{E6149B4A-DF60-4500-A097-5557F547A675};rule_name:Internet Access; service_id:http; src:10.10.10.5;dst:166.62.28.120; proto:tcp; xlatesrc:10.10.18.254;NAT_rulenum:4;NAT_addtnl_rulenum:1;product:VPN-1 & FireWall-1;service:http;s_port:2158;xlatesport:11003;product_family:Network

URL Filtering Software Blade Log:

1. Accessed the website https://qostechnology.in/

https://qostechnology.in/wp-content/uploads/2017/01/word-image-125.png

https://qostechnology.in/wp-content/uploads/2017/01/word-image-126.png

01-30-2017 19:41:43 Local4.Info 10.10.10.10 CP_FireWall: 30Jan2017 19:41:36 allow 10.10.10.254 <eth1 src:10.10.10.5;dst:166.62.28.120;proto:tcp; appi_name:qostechnology.in; app_id:1109311486;matched_category:Business / Economy;app_properties:Business / Economy,URL Filtering;app_risk:0; app_rule_id:{62C84CA0-0C82-4C07-B9BF-CD8F1CD67E17}; web_client_type:Firefox; web_server_type:Apache; resource:https://www.qostechnology.in/; proxy_src_ip:10.10.10.5; product:URL Filtering;service:http; s_port:2158;product_family:Network

Application Control Software Blade Log:

1. Blocked the WinSCP application; the logs are shown below:

https://qostechnology.in/wp-content/uploads/2017/01/word-image-127.png

https://qostechnology.in/wp-content/uploads/2017/01/word-image-128.png

01-30-2017 19:47:36 Local4.Info 10.10.10.10 CP_FireWall: 30Jan2017 19:46:29 block 10.10.10.254 <eth0 src:10.10.10.5;dst:194.29.38.122; proto:tcp;appi_name:WinSCP; app_desc:WinSCP (Windows Secure CoPy) is a free and open source SFTP, SCP, and FTP client for Microsoft Windows. WinSCP’s main function is secure file transfer between a local and a remote computer. Supported from: R75.;app_id:60343744;app_category:Network Utilities;matched_category:Network Utilities;app_properties:Supports File Transfer, Encrypts communications, Medium Risk, Network Utilities;app_risk:3;app_rule_id:{4564C8D7-0A9C-4DA0-A353-B1D3428C95E4};app_rule_name:Block VLC; app_sig_id:60343744:1; proxy_src_ip:10.10.10.5;product:Application Control; service:ssh; s_port:2204; product_family:Network

IPS Software Blade Log:

1. Performed a port scan on my firewall.

https://qostechnology.in/wp-content/uploads/2017/01/word-image-129.png

https://qostechnology.in/wp-content/uploads/2017/01/word-image-130.png

01-30-2017 19:54:50 Local4.Info 10.10.10.10 CP_FireWall: 30Jan2017 19:54:11 reject 10.10.10.254 > Protection Name:Non-MD5 Authenticated BGP Connections;Severity:3; Confidence Level:3; protection_id:bgp_protos; SmartDefense Profile:Recommended_Protection; Performance Impact:3; Industry Reference:CAN-2004-0589, CAN-2004-0230;Protection Type:protection;Attack Info:Non-MD5 Authenticated BGP Protocol Detected on Connection;attack:BGP Enforcement Violation;rule:1;rule_uid:{547FE81C-AC6A-47A3-981F-9DCBB2606E80};rule_name:Mgmt Access;Total logs:12; Suppressed logs:11;proto:tcp;dst:10.10.10.254; src:10.10.10.1;product:SmartDefense;service:BGP;FollowUp:Not Followed;product_family:Network

Anti-Virus Software Blade Log:

1. Tested downloading a test malware file from the URL below:

http://www.wicar.org/test-malware.html

https://qostechnology.in/wp-content/uploads/2017/01/word-image-131.png

https://qostechnology.in/wp-content/uploads/2017/01/word-image-132.png

01-30-2017 19:57:48 Local4.Info 10.10.10.10 CP_FireWall: 30Jan2017 19:57:41 monitor 10.10.10.254>eth0 src:10.10.10.5; dst:62.0.58.94; proto:tcp;session_id:{0x588f4058,0x3,0xfe0a0a0a,0xc0000000}; Protection name:REP.ianwwg; description:Connections to IP associated by DNS trap with malicious domain. See sk74060 for more information.;Source OS:Windows;Confidence Level:1;severity:2;malware_action:Access to site known to contain malware;Protection Type:DNS Trap;malware_rule_id:{1E90B500-246E-1F43-82F4-4E99FAD647B6};Destination DNS Hostname:malware.wicar.org; protection_id:000AC512A; vendor_list:Check Point ThreatCloud;log_id:2;scope:10.10.10.5; product:New Anti Virus;service:http;s_port:2211

Anti-Bot Software Blade Log:

1. Tested the Anti-Bot test link given in Check Point article sk110481:

http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html

https://qostechnology.in/wp-content/uploads/2017/01/word-image-133.png

https://qostechnology.in/wp-content/uploads/2017/01/word-image-134.png

2017-01-30 20:03:35 Local4.Info 10.10.10.10 CP_FireWall: 30Jan2017 20:02:05 block 10.10.10.254<eth0;web_client_type:Firefox;resource:http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html;src:10.10.10.5;dst:184.31.212.234;proto:tcp;session_id:{0x588f4e65,0x2,0xfe0a0a0a,0xc0000000};Protection name:Check Point – Testing Bot;malware_family:Check Point;Source OS:Windows;Confidence Level:5;severity:2;malware_action:Communication with C&C site;rule_uid:{E6149B4A-DF60-4500-A097-5557F547A675};rule_name:Internet Access;Protection Type:URLreputation;malware_rule_id:{1E90B500-246E-1F43-82F4-4E99FAD647B6}; protection_id:00233CFEE;log_id:9999;proxy_src_ip:10.10.10.5;scope:10.10.10.5;Suppressed logs:1;sent_bytes:0;received_bytes:0;packet_capture_unique_id:10.10.10.5_maildir_sent_new_time1485786726.mail-1565954732-392261992.localhost; packet_capture_time:1485786726; packet_capture_name:src-10.10.10.5.eml;UserCheck_incident_uid:7105BAFB-08F2-DF01-F36B-2F232920DC61;UserCheck:1;dlp_incident_uid:{588F4E65-0000-0002-FE0A-0A0AC0000000};portal_m…

2017-01-30 20:03:47 Local4.Info 10.10.10.10 CP_FireWall: r is trying to access a malicious server. It is probably infected by malware. For more information and remediation, please contact your help desk. Click here to report an incorrect classification. Activity: Communication with C&C site URL: http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html Reference: 2920DC61 ;UserCheck_Confirmation_Level:Application;frequency:1 days ;product:Anti Malware;service:http;s_port:2226

Note: this Anti-Bot entry is longer than the syslog message limit on the forwarding path, so it arrives as two messages: the first is cut inside a field and the second starts in the middle of the portal_message value. Anything parsing these logs has to reassemble such pairs or expect a truncated last field; the same happens to the Anti-Bot entry in Scenario 3.

Scenario 3: Syslog forwarded through R80 Management Server

1. Add the same line as in Scenario 2 to /etc/rc.d/init.d/cpboot on the R80 Management Server:

fw log -f -t -n -l 2> /dev/null | awk 'NF' | sed '/^$/d' | logger -p local4.info -t CP_FireWall &

https://qostechnology.in/wp-content/uploads/2017/01/word-image-135.png

https://qostechnology.in/wp-content/uploads/2017/01/word-image-136.png

https://qostechnology.in/wp-content/uploads/2017/01/word-image-137.png

2. After this the firewall logs appear in the /var/log/messages file on the R80 Management Server.

Note: as in Scenario 2, /var/log/messages now holds the gateway's traffic logs interleaved with the Management Server's own system messages.

https://qostechnology.in/wp-content/uploads/2017/01/word-image-138.png

3. Now forward these messages to the remote syslog server: open an SSH session to the Management Server, stay in the Gaia clish and enter the following command (then save config, as in Scenario 2).

> add syslog log-remote-address <IP-address_of_Syslog_Server> level info

https://qostechnology.in/wp-content/uploads/2017/01/word-image-139.png

4. The syslog server now receives the logs from the Management Server (192.168.10.253):

https://qostechnology.in/wp-content/uploads/2017/01/word-image-140.png

Firewall Software Blade Log:

1. Accessed the website http://acme.com/ whose ip-address is 216.27.178.28.

https://qostechnology.in/wp-content/uploads/2017/01/word-image-141.png

https://qostechnology.in/wp-content/uploads/2017/01/word-image-142.png

01-30-2017 21:27:14 Local4.Info 192.168.10.253 CP_FireWall: 30Jan2017 21:17:09 1 accept 192.168.1.3 >Lan3 LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; inzone: Internal; outzone: External; rule: 17; rule_uid: {C73E055B-3678-4257-AADF-434FAD7006A5}; rule_name: Complete Allow For Int Net; service_id: http; src: 192.168.12.153; dst: 216.27.178.28; proto: tcp; xlatesrc: 192.168.1.3; NAT_rulenum: 21; NAT_addtnl_rulenum: 1; ProductName: VPN-1 & FireWall-1; svc: http; sport_svc: 34891; xlatesport_svc: 26752; ProductFamily: Network;

URL Filtering Software Blade Log:

1. Accessed the website http://ndtv.com/

https://qostechnology.in/wp-content/uploads/2017/01/word-image-143.png

https://qostechnology.in/wp-content/uploads/2017/01/word-image-144.png

01-30-2017 21:39:36 Local4.Info 192.168.10.253 CP_FireWall: 30Jan2017 21:29:31 1 allow 192.168.1.3 <Mgmt LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; src: 192.168.12.153; dst: 52.2.229.194; proto: tcp; appi_name: ndtv.com; app_id: 2894003724; matched_category: News / Media; app_properties: News / Media,URL Filtering; app_risk: 0; app_rule_id: {F741EBE9-D97B-4DF6-B3A3-55CC29C49CEE}; web_client_type: Chrome; web_server_type: Other: nginx/1.8.0; resource: http://ndtv.com/; proxy_src_ip: 192.168.12.153; ProductName: URL Filtering; svc: http; sport_svc: 36098; ProductFamily: Network;

Application Control Software Blade Log:

1. Blocked the WinSCP application; the logs are shown below:

https://qostechnology.in/wp-content/uploads/2017/01/word-image-145.png

https://qostechnology.in/wp-content/uploads/2017/01/word-image-146.png

01-30-2017 21:53:50 Local4.Info 192.168.10.253 CP_FireWall: 30Jan2017 21:43:46 1 block 192.168.1.3 <Lan3 LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; src: 192.168.12.153; dst: 194.29.38.122; proto: tcp; appi_name: WinSCP; app_desc: WinSCP (Windows Secure CoPy) is a free and open source SFTP, SCP, and FTP client for Microsoft Windows. WinSCP’s main function is secure file transfer between a local and a remote computer. Supported from: R75.; app_id: 60343744; app_category: Network Utilities; matched_category: Network Utilities; app_properties: Supports File Transfer, Encrypts communications, Medium Risk, Network Utilities; app_risk: 3; app_rule_id: {D46D297F-B53A-475E-98DA-B34F7265CE3C}; app_rule_name: Raghu Testing Winscp Block; app_sig_id: 60343744:1; proxy_src_ip: 192.168.12.153; ProductName: Application Control; svc: ssh_version_2; sport_svc: 36909; ProductFamily: Network;

IPS Software Blade Log:

1. Performed a port scan on our QOS firewall.

https://qostechnology.in/wp-content/uploads/2017/01/word-image-147.png

https://qostechnology.in/wp-content/uploads/2017/01/word-image-148.png

2017-01-30 22:34:19 Local4.Info 192.168.10.253 CP_FireWall: 30Jan2017 22:24:13 1 reject 192.168.1.3 > LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; Protection Name: Non-MD5 Authenticated BGP Connections; Severity: 0; Confidence Level: 3; protection_id: bgp_protos; SmartDefense Profile: Default_Protection_2df2f915b4001bd5; Performance Impact: 3; Industry Reference: CAN-2004-0589, CAN-2004-0230; Protection Type: protection; Attack Info: Non-MD5 Authenticated BGP Protocol Detected on Connection; attack: BGP Enforcement Violation; rule: 14; rule_uid: {C3A95356-AFCF-4897-8337-A2448109B4E5}; rule_name: Between all QOS LANs; Total logs: 12; Suppressed logs: 11; proto: tcp; dst: 192.168.12.1; src: 192.168.12.153; ProductName: SmartDefense; svc: BGP; ProductFamily: Network;

Anti-Virus Software Blade Log:

1. Tested downloading a test malware file; the log below shows the destination hostname malware.wicar.org:

https://qostechnology.in/wp-content/uploads/2017/01/word-image-149.png

https://qostechnology.in/wp-content/uploads/2017/01/word-image-150.png

2017-01-30 22:23:09 Local4.Info 192.168.10.253 CP_FireWall: 30Jan2017 22:12:51 1 prevent 192.168.1.3 >Lan3 LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; src: 192.168.12.153; dst: 62.0.58.94; proto: tcp; session_id: {0x588f6d0b,0x10000,0x301a8c0,0xc0000001}; Protection name: REP.ianwwg; description: Connection to DNS trap bogus IP. See sk74060 for more information.; Source OS: Windows; Confidence Level: 1; severity: 1; malware_action: Access to site known to contain malware; Protection Type: DNS Trap; malware_rule_id: {ABA61341-AC30-3149-AF91-E5AC2B6B8E80}; Destination DNS Hostname: malware.wicar.org; protection_id: 000AC512A; vendor_list: Check Point ThreatCloud; log_id: 2; scope: 192.168.12.153; ProductName: New Anti Virus; svc: http; sport_svc: 44001; ProductFamily: Network;

Anti-Bot Software Blade Log:

1. Tested the Anti-Bot test link given in Check Point article sk110481:

http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html

https://qostechnology.in/wp-content/uploads/2017/01/word-image-151.png

https://qostechnology.in/wp-content/uploads/2017/01/word-image-152.png

2017-01-30 22:19:02 Local4.Info 192.168.10.253 CP_FireWall: 30Jan2017 22:08:57 1 block 192.168.1.3 <Lan3 LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; web_client_type:Chrome;resource:http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html ; src: 192.168.12.153; dst: 23.211.213.229; proto: tcp; session_id: {0x588f6c21,0x10007,0x301a8c0,0xc0000002}; Protection name: Check Point – Testing Bot; malware_family: Check Point; Source OS: Windows; Confidence Level: 5; severity: 2; malware_action: Communication with C&C site; rule_uid: {C73E055B-3678-4257-AADF-434FAD7006A5}; rule_name: Complete Allow For Int Net; Protection Type: URL reputation; malware_rule_id: {ABA61341-AC30-3149-AF91-E5AC2B6B8E80}; protection_id: 00233CFEE; log_id: 9999; proxy_src_ip: 192.168.12.153; scope: 192.168.12.153; Suppressed logs: 1; sent_bytes: 0; received_bytes: 0; packet_capture_unique_id: 192.168.12.153_maildir_sent_new_time1485794338.mail-989086109-484857403.localhost; packet_capture_time: 1485794338; packet_capture_name: s…

2017-01-30 22:19:02 Local4.Info 192.168.10.253 CP_FireWall: l; UserCheck_incident_uid: 9E71CD67-C8C2-DB14-D926-6F97BC2003CE; UserCheck: 1; dlp_incident_uid: {588F6C21-0001-0007-0301-A8C0C0000002}; portal_message: Your computer is trying to access a malicious server. It is probably infected by malware. For more information and remediation, please contact your help desk. Click here to report an incorrect classification. Activity: Communication with C&C site URL: http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html Reference: BC2003CE ; UserCheck_Confirmation_Level: Application; frequency: 1 days ; LastUpdateTime: 30Jan2017 22:08:59; ProductName: Anti Malware; svc: http; sport_svc: 43860; ProductFamily: Network;
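Scenarios 2 and 3 deliver a different shape of message than Scenario 1: the fw log text relayed by logger under the CP_FireWall: tag, with a key:value; field list that R80 writes as key: value; with <max_null> placeholders and renamed fields (ProductName, svc, sport_svc where R77.30 writes product, service, s_port), plus long Anti-Bot entries that arrive as two syslog messages, the second starting in the middle of a value. The Python script below is an added example, not part of the original article and not a Check Point tool: it parses both variants into one schema, drops the <max_null> placeholders, maps the R80 names onto the R77.30 ones, and folds a continuation fragment back into the record before it. The sample messages are constructed from the Scenario 2 and 3 entries above (shortened); the rename table, the _-prefixed keys and the rule that a fragment belongs to the previous record from the same sender are this example's own assumptions.

```python
import re
from typing import Any, Dict, List

# Constructed sample messages, shortened from the Scenario 2 (R77.30) and
# Scenario 3 (R80) entries on this page. The last two imitate the Anti-Bot
# entry that arrived as two syslog messages: the first is cut inside a field,
# the second starts in the middle of a value (the page's "r is trying ...").
SAMPLE_MESSAGES = [
    "01-30-2017 19:41:43 Local4.Info 10.10.10.10 CP_FireWall: 30Jan2017 19:41:35 accept 10.10.10.254 >eth0 inzone:Internal; outzone:External;rule:3;rule_name:Internet Access; src:10.10.10.5;dst:166.62.28.120; proto:tcp;product:VPN-1 & FireWall-1;service:http;s_port:2158;product_family:Network",
    "01-30-2017 19:54:50 Local4.Info 10.10.10.10 CP_FireWall: 30Jan2017 19:54:11 reject 10.10.10.254 > Protection Name:Non-MD5 Authenticated BGP Connections;Severity:3;attack:BGP Enforcement Violation;proto:tcp;dst:10.10.10.254; src:10.10.10.1;product:SmartDefense;service:BGP;product_family:Network",
    "01-30-2017 21:27:14 Local4.Info 192.168.10.253 CP_FireWall: 30Jan2017 21:17:09 1 accept 192.168.1.3 >Lan3 LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; inzone: Internal; outzone: External; rule: 17; rule_name: Complete Allow For Int Net; src: 192.168.12.153; dst: 216.27.178.28; proto: tcp; ProductName: VPN-1 & FireWall-1; svc: http; sport_svc: 34891; xlatesport_svc: 26752; ProductFamily: Network;",
    "2017-01-30 20:03:35 Local4.Info 10.10.10.10 CP_FireWall: 30Jan2017 20:02:05 block 10.10.10.254<eth0;web_client_type:Firefox;resource:http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html;src:10.10.10.5;dst:184.31.212.234;proto:tcp;malware_action:Communication with C&C site;Protection Type:URL reputation;UserCheck:1;portal_m",
    "2017-01-30 20:03:47 Local4.Info 10.10.10.10 CP_FireWall: r is trying to access a malicious server. Reference: 2920DC61 ;UserCheck_Confirmation_Level:Application;frequency:1 days ;product:Anti Malware;service:http;s_port:2226",
]

# Envelope written by the receiving syslog server: date time facility.severity sender tag: payload
SYSLOG_RE = re.compile(
    r"^(?P<received>\S+ \S+) (?P<facility>\S+) (?P<reporter>\S+) CP_FireWall: (?P<payload>.*)$")
# Start of a complete fw log record: time, optional R80 log-type column, action,
# origin gateway, interface direction (< inbound, > outbound) and name, fields.
FWLOG_RE = re.compile(
    r"^(?P<date>\d{1,2}[A-Za-z]{3}\d{4}) (?P<time>\d\d:\d\d:\d\d) (?:(?P<logtype>\d+) )?"
    r"(?P<action>[a-z]+) (?P<origin>\S+) ?(?P<dir>[<>])(?P<iface>[^\s;]*)[ ;]?(?P<fields>.*)$")

# R80 field names mapped onto the R77.30 ones (assumption: the older names are
# the common schema, so one SIEM field mapping serves both versions).
RENAMES = {"ProductName": "product", "ProductFamily": "product_family",
           "svc": "service", "sport_svc": "s_port", "xlatesport_svc": "xlatesport"}
NULLS = {"", "<max_null>"}


def parse_fields(text: str, into: Dict[str, Any]) -> None:
    """Add key:value; pairs from text to `into` without overwriting existing keys."""
    for chunk in text.split(";"):
        key, sep, value = chunk.partition(":")  # first colon only: URLs keep theirs
        key, value = key.strip(), value.strip()
        if not sep or not key or value in NULLS:
            continue
        into.setdefault(RENAMES.get(key, key), value)


def parse_stream(messages: List[str]) -> List[Dict[str, Any]]:
    """Turn forwarded CP_FireWall messages into records, merging fragments."""
    records: List[Dict[str, Any]] = []
    for msg in messages:
        env = SYSLOG_RE.match(msg)
        if not env:
            continue  # some other syslog line from the management server
        start = FWLOG_RE.match(env.group("payload"))
        if start:
            rec: Dict[str, Any] = {
                "_received": env.group("received"),
                "_reporter": env.group("reporter"),
                "_time": start.group("date") + " " + start.group("time"),
                "_action": start.group("action"),
                "_origin": start.group("origin"),
                "_direction": "inbound" if start.group("dir") == "<" else "outbound",
                "_iface": start.group("iface") or None,
                "_fragments": 0,
            }
            parse_fields(start.group("fields"), rec)
            records.append(rec)
        elif records and records[-1]["_reporter"] == env.group("reporter"):
            # Continuation of an over-long entry: the first chunk is the tail of a
            # value that cannot be reattached, the remaining chunks are whole fields.
            prev = records[-1]
            prev["_fragments"] += 1
            _, _, rest = env.group("payload").partition(";")
            parse_fields(rest, prev)
        # a fragment with no preceding record from the same sender is dropped
    return records


if __name__ == "__main__":
    for rec in parse_stream(SAMPLE_MESSAGES):
        print(rec["_time"], rec["_action"], rec.get("product"), rec.get("src"), "->",
              rec.get("dst"), rec.get("service"), "fragments=%d" % rec["_fragments"])
```

Run as a script it prints one line per record: the Scenario 3 record shows product, service and s_port although the wire format named them ProductName, svc and sport_svc, and the Anti-Bot record shows fragments=1 with the product and s_port that only arrived in the second message. The field cut at the end of the first message (the page's portal_m…) is lost with this approach; the cure is to raise the message size limit on the syslog path, not to guess at the missing tail.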
