adragon218
asked on
checkpoint firewall any hacking detection
Is there any hacking detection in Checkpoint firewall 4.0
running on Windows NT to detect people scanning ports on
the firewall? How do I do this?
I hope the detection can raise an alert, such as an email to
us. Is this possible?
ASKER CERTIFIED SOLUTION
Version 4.1 is supposed to have quite an extensive reporting tool which can detect port scans.
In version 4, just use the log viewer and filter on 'alerts' (I assume you've got dodgy services setup to alert)
yes, you use the stock cpmad (checkpoint malicious activity detection) module.
look in your [checkpoint_dir]\conf\cpmad_~1.con file. it should be fairly self-explanatory. here's a sample of some of the settings you might consider:
# MAD mode
MAD_system_mode = on
MAD_port_scanning_mode = on
MAD_port_scanning_time_interval = 30
MAD_port_scanning_repetitions = 75
MAD_port_scanning_action = alert
MAD_successive_alerts_mode = on
MAD_successive_alerts_resolution = 50
MAD_successive_alerts_time_interval = 600
MAD_successive_alerts_repetitions = 75
MAD_successive_alerts_action = alert
then go to the log and alert tab in the fwlog setup properties window and provide a valid sendmail command in the mail alert textbox. ie.
sendmail -s "Possible Network Attack" admin@mydomain.com
-hope this helps.
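To make the threshold settings above concrete, here is an added example (not Check Point's CPMAD code) that applies the same kind of rule to constructed log lines: a source that hits 75 distinct ports within a 30-second window raises an alert, and a source that has already raised 75 alerts within 600 seconds has further alerts suppressed. The log format, the `ScanDetector` class and the meaning given to the successive-alerts settings are assumptions; the `resolution` setting is not modelled. It also shows why a slow scan, one port every second or slower, never trips such a threshold.

```python
import re
from collections import defaultdict, deque

# Thresholds copied from the cpmad settings quoted in the post.
SCAN_INTERVAL = 30        # MAD_port_scanning_time_interval (seconds)
SCAN_REPETITIONS = 75     # MAD_port_scanning_repetitions
ALERT_INTERVAL = 600      # MAD_successive_alerts_time_interval (seconds)
ALERT_REPETITIONS = 75    # MAD_successive_alerts_repetitions

# Constructed log line format (not Check Point's): "<epoch> <src> <dst>:<dport> drop"
LINE = re.compile(r"^(\d+) (\S+) (\S+):(\d+) drop$")


class ScanDetector:
    """Assumed semantics: SCAN_REPETITIONS distinct destination ports from one
    source inside SCAN_INTERVAL seconds is a port scan; once a source has raised
    ALERT_REPETITIONS alerts inside ALERT_INTERVAL seconds, further alerts for
    it are suppressed (successive-alerts mode) instead of flooding the mailbox."""

    def __init__(self):
        self.hits = defaultdict(deque)    # src -> deque of (timestamp, dport)
        self.alerts = defaultdict(deque)  # src -> deque of alert timestamps
        self.suppressed = 0               # alerts dropped by successive-alerts mode

    def feed(self, line):
        """Return an alert string if this line completes a scan, else None."""
        m = LINE.match(line)
        if not m:
            return None
        ts, src, dport = int(m.group(1)), m.group(2), int(m.group(4))
        q = self.hits[src]
        q.append((ts, dport))
        while ts - q[0][0] > SCAN_INTERVAL:   # drop hits outside the window
            q.popleft()
        if len({p for _, p in q}) < SCAN_REPETITIONS:
            return None
        q.clear()                             # fire once, then start a fresh window
        a = self.alerts[src]
        while a and ts - a[0] > ALERT_INTERVAL:
            a.popleft()
        if len(a) >= ALERT_REPETITIONS:
            self.suppressed += 1
            return None
        a.append(ts)
        return f"Possible Network Attack: port scan from {src} at {ts}"


def sample_log(src="192.0.2.10", start=1000, ports=80, spacing=0):
    """Constructed input: one dropped packet per port, `spacing` seconds apart."""
    return [f"{start + i * spacing} {src} 198.51.100.5:{1 + i} drop" for i in range(ports)]


def run(lines):
    det = ScanDetector()
    return [alert for alert in map(det.feed, lines) if alert]
```

`run(sample_log())` yields one alert for the fast scan, while `run(sample_log(spacing=1))` yields none because only about 31 ports ever fall inside one 30-second window.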
I don't know what you are trying to do but it is not worth the effort watching for port scans. All IP addresses will be port scanned regularly by script kiddies using automated procedures. You don't even have to have a site that has any kind of publicity. When they find a host that responds they will try to attack the open ports.
We ignore port scans. An immediate email alarm is also usually pointless because the scan is usually run in an unattended script. The associated hack attempt will probably come 24 - 48 hours later. Scans are part of everyday life on the internet. Now intrusion detection for open ports is another ballpark .........
i'd agree with toni, theoretically your firewall is your stronghold, port-scanning detection is overkill and an expense on resources. ids is a much better alternative.
but i guess it depends on what information you hope to gather from the port scans? if it's just targeted ports, ie. it seems that there's an increase of scans between the x and y range, or between the hours of a and b there is a significant pattern increase from xyz net, then that is valuable, quantitative, reportable information...
unfortunately it's also not quality information...if its purpose is in attempts to thwart port-scanning or capture information needed to prosecute an individual, you'll only succeed in causing service interruption and mass alerts to undue or non-existent hosts by relying on unverified/spoofed source information.
here's a simple reliability and determination breakdown:
tcp scan - one host (ain't that host, or host doesn't exist, or maybe just someone who ain't too bright)
udp scan - one host (if it's not a result of the same brilliance above, then you're probably already in real trouble)
tcp/udp scan - hundreds or thousands of hosts (which one is it?)
also, the ones who are capable of staging a successful attack aren't going to blast you...they'll do it softly, without making waves, over many months....one port a day, maybe two and always from a different source.
CPMAD sucks. :)
If you want IDS, go for an external unit. The firewall's already too busy running other stuff !
The Webtrends Firewall Suite is an entry level log scanning product - could be worth a shot, as decent IDS systems are quite expensive.
ADMINISTRATION WILL BE CONTACTING YOU SHORTLY. Moderators Computer101 or Netminder will return to finalize these if still open in seven days. Please post closing recommendations before that time.
Question(s) below appears to have been abandoned. Your options are:
1. Accept a Comment As Answer (use the button next to the Expert's name).
2. Close the question if the information was not useful to you. You must tell the participants why you wish to do this, and allow for Expert response.
3. Ask Community Support to help split points between participating experts, or just comment here with details and we'll respond with the process.
4. Delete the question. Again, please comment to advise the other participants why you wish to do this.
For special handling needs, please post a zero point question in the link below and include the question QID/link(s) that it regards.
https://www.experts-exchange.com/jsp/qList.jsp?ta=commspt
Please click the Help Desk link on the left for Member Guidelines, Member Agreement and the Question/Answer process. https://www.experts-exchange.com/jsp/cmtyHelpDesk.jsp
Please click your Member Profile to view your question history and keep them all current with updates as the collaboration effort continues, to track all your open and locked questions at this site. If you are an EE Pro user, use the Power Search option to find them.
To view your open questions, please click the following link(s) and keep them all current with updates.
To view your locked questions, please click the following link(s) and evaluate the proposed answer.
PLEASE DO NOT AWARD THE POINTS TO ME.
------------> EXPERTS: Please leave any comments regarding your closing recommendations if this item remains inactive another seven (7) days. Also, if you are interested in the cleanup effort, please click this link https://www.experts-exchange.com/jsp/qManageQuestion.jsp?ta=commspt&qid=20274643
Thank you everyone.
Moondancer
Moderator @ Experts Exchange
P.S. For any year 2000 questions, special attention is needed to ensure the first correct response is awarded, since they are not in the comment date order, but rather in Member ID order.
Admin notified of User neglect. Force-accepted by
Netminder
CS Moderator
http://www.cert.org/incident_notes/IN-98.04.html