checkpoint: elastic#11894 add test sample to back up change
srilumpa committed Dec 19, 2024
1 parent a60adaf commit dc5c93f
Showing 2 changed files with 91 additions and 0 deletions.
Expand Up @@ -16,3 +16,4 @@
<134>1 2023-03-02T00:35:43Z gw-0b8ccd CheckPoint 15871 - [action:"Accept"; flags:"163872"; ifdir:"outbound"; loguid:"{0x63ffef61,0x0,0x28b2a8c0,0x1f0e3dff}"; origin:"192.168.178.40"; originsicname:"cn=cp_mgmt,o=gw-0b8ccd..zx8qy7"; sequencenum:"1"; time:"1677717343"; version:"5"; administrator:"System"; client_ip:"192.168.178.40"; domain_name:"SMC User"; fieldschanges:"IPS version was updated from 635158746 to 635231428"; operation:"IPS Update"; product:"cpmidu_update_tool"; sendtotrackerasadvancedauditlog:"0"; session_description:"IPS"; session_name:"IPS"; session_uid:"965d39eb-e2f5-46dc-bcc2-8684a53cac65"; subject:"IPS Update"]
<134>1 2023-03-02T03:28:09Z gw-0b8ccd CheckPoint 15871 - [action:"Block"; flags:"311552"; ifdir:"outbound"; ifname:"eth1"; loguid:"{0x291ee176,0x3488469e,0xdb759c74,0xc0134e9a}"; origin:"192.168.178.40"; originsicname:"cn=cp_mgmt,o=gw-0b8ccd..zx8qy7"; sequencenum:"1"; time:"1677727689"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={48483CA8-998B-2D46-BEEF-CE5DA956505D};mgmt=gw-0b8ccd;date=1677720751;policy_name=Standard\]"; confidence_level:"5"; dlp_incident_uid:"{640017C9-0000-0001-27C5-C5E7C1878B89}"; dst:"81.2.69.144"; frequency:"1 days "; http_host:"sc1.checkpoint.com"; lastupdatetime:"1677727691"; log_id:"4294967295"; malware_action:"Communication with C&C site"; malware_family:"Check Point"; malware_rule_id:"{F50127A1-D5C9-4BAC-8C3F-2D2557E6FFAD}"; method:"GET"; packet_capture_name:"src-10.0.0.3.cap"; packet_capture_time:"1677727690"; packet_capture_unique_id:"time1677727689.id640acbe0.blade04"; policy:"Standard"; policy_time:"1677720775"; portal_message:"Your computer is trying to access a malicious server. It is probably infected by malware. For more information and remediation, please contact your help desk. Click here to report an incorrect classification. 
Activity: Communication with C&C site URL: http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html Reference: 498D79F3"; product:"Anti Malware"; protection_id:"00233CFEE"; protection_name:"Check Point - Testing Bot"; protection_type:"URL reputation"; proto:"6"; proxy_src_ip:"10.0.0.3"; resource:"http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html"; s_port:"34416"; scope:"10.0.0.3"; service:"80"; service_id:"http"; session_id:"{0x640017c9,0x1,0x27c5c5e7,0xc1878b89}"; severity:"2"; smartdefense_profile:"Optimized"; src:"10.0.0.3"; layer_name:"Standard Threat Prevention"; layer_uuid:"{6CC286F4-87BC-412A-B231-8C63C30D978E}"; malware_rule_id:"{F50127A1-D5C9-4BAC-8C3F-2D2557E6FFAD}"; smartdefense_profile:"Optimized"; user_agent:"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0"; usercheck:"1"; usercheck_confirmation_level:"Application"; usercheck_incident_uid:"C9B778BF-CA91-A050-2673-53F9498D79F3"; usercheck_interaction_name:"Anti-Bot Blocked"; web_client_type:"Firefox"]
<134>1 2023-03-02T03:28:09Z gw-0b8ccd CheckPoint 15871 - [action:"Block"; flags:"311552"; ifdir:"outbound"; ifname:"eth1"; loguid:"{0x291ee176,0x3488469e,0xdb759c74,0xc0134e9a}"; origin:"192.168.178.40"; originsicname:"cn=cp_mgmt,o=gw-0b8ccd..zx8qy7"; sequencenum:"1"; time:"1677727689"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={48483CA8-998B-2D46-BEEF-CE5DA956505D};mgmt=gw-0b8ccd;date=1677720751;policy_name=Standard\]"; confidence_level:"5"; dlp_incident_uid:"{640017C9-0000-0001-27C5-C5E7C1878B89}"; dst:"81.2.69.144"; frequency:"1 days "; http_host:"sc1.checkpoint.com"; lastupdatetime:"1677727750"; log_id:"2"; malware_action:"Communication with C&C site"; malware_family:"Check Point"; malware_rule_id:"{F50127A1-D5C9-4BAC-8C3F-2D2557E6FFAD}"; method:"GET"; packet_capture_name:"src-10.0.0.3.cap"; packet_capture_time:"1677727690"; packet_capture_unique_id:"time1677727689.id640acbe0.blade04"; policy:"Standard"; policy_time:"1677720775"; portal_message:"Your computer is trying to access a malicious server. It is probably infected by malware. For more information and remediation, please contact your help desk. Click here to report an incorrect classification. 
Activity: Communication with C&C site URL: http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html Reference: 498D79F3"; product:"Anti Malware"; protection_id:"00233CFEE"; protection_name:"Check Point - Testing Bot"; protection_type:"URL reputation"; proto:"6"; proxy_src_ip:"10.0.0.3"; received_bytes:"60"; resource:"http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html"; s_port:"34416"; scope:"10.0.0.3"; sent_bytes:"0"; service:"80"; service_id:"http"; session_id:"{0x640017c9,0x1,0x27c5c5e7,0xc1878b89}"; severity:"2"; smartdefense_profile:"Optimized"; src:"10.0.0.3"; suppressed_logs:"1"; layer_name:"Standard Threat Prevention"; layer_uuid:"{6CC286F4-87BC-412A-B231-8C63C30D978E}"; malware_rule_id:"{F50127A1-D5C9-4BAC-8C3F-2D2557E6FFAD}"; smartdefense_profile:"Optimized"; user_agent:"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0"; usercheck:"1"; usercheck_confirmation_level:"Application"; usercheck_incident_uid:"C9B778BF-CA91-A050-2673-53F9498D79F3"; usercheck_interaction_name:"Anti-Bot Blocked"; web_client_type:"Firefox"]
<134>1 2024-12-19T08:34:14Z gw-0b8ccd CheckPoint 15871 - [action:"Accept"; flags:"16384"; ifdir:"inbound"; ifname:"eth4"; logid:"288"; loguid:"{0xb2dea3d4,0xbf9adbd4,0xbdc92bc5,0xf8a33399}"; origin:"1.2.3.4"; originsicname:"CN=cp_mgmt,O=gw-0b8ccd..zx8qy7"; sequencenum:"9"; time:"1734597254"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={48483CA8-998B-2D46-BEEF-CE5DA956505D};mgmt=gw-0b8ccd;date=1733928424;policy_name=Standard\]"; aggregated_log_count:"2"; connection_count:"2"; creation_time:"1734595323"; dst:"192.168.0.10"; duration:"1931"; hll_key:"6549446380911603098"; inzone:"Internal"; last_hit_time:"1734597254"; layer_name:"Network"; layer_name:"Admin Traffic"; layer_uuid:"c135090e-7d3a-44bf-b686-1589d3183102"; layer_uuid:"42f39ab2-d932-4b6b-abbf-8b6bd519e15b"; match_id:"34"; match_id:"67108866"; parent_rule:"0"; parent_rule:"34"; rule_action:"Inline"; rule_action:"Accept"; rule_name:"Traffic Outbound"; rule_name:"Traffic outbound"; rule_uid:"31aca655-e044-4f8d-91bf-5de3505f443b"; rule_uid:"ee877954-c304-4159-bda3-e8f78ed4a4fa"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; service:"389"; service_id:"ldap_udp"; src:"192.168.20.10"; update_count:"2"]
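Review bot: The record that the hunk counts (+1) and the 2024-12-19 timestamp mark as the added line uses `origin:"1.2.3.4"` as the gateway address, a publicly routable address rather than the RFC 1918 `192.168.178.40` the earlier samples use or an RFC 5737 documentation range. Fixtures that ship with the package and get indexed in test runs should not point at someone else's live address space, and the expected-output counterpart (`observer.name`) inherits the same value. Suggest `origin:"192.0.2.1"` (or the existing `192.168.178.40`) and regenerating the expected document from it. The repeated `layer_name`/`layer_uuid`/`match_id`/`parent_rule`/`rule_action`/`rule_name`/`rule_uid` pairs are the point of the sample and should stay as they are.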
Expand Up @@ -1213,6 +1213,96 @@
"name": "Firefox",
"original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0"
}
},
{
"checkpoint": {
"parent_rule": [
"0",
"34"
],
"rule_action": [
"Inline",
"Accept"
],
"origin_sic_name": "CN=cp_mgmt,O=gw-0b8ccd..zx8qy7",
"match_id": [
"34",
"67108866"
],
"update_count": "2",
"connection_count": "2",
"logid": "288",
"aggregated_log_count": "2"
},
"observer": {
"ingress": {
"interface": {
"name": "eth4"
},
"zone": "Internal"
},
"product": "VPN-1 & FireWall-1",
"vendor": "Checkpoint",
"name": "1.2.3.4",
"type": "firewall",
"egress": {
"zone": "External"
}
},
"@timestamp": "2024-12-19T08:34:14.000Z",
"ecs": {
"version": "8.11.0"
},
"related": {
"ip": [
"192.168.20.10",
"192.168.0.10"
]
},
"destination": {
"port": 389,
"ip": "192.168.0.10"
},
"rule": {
"name": [
"Traffic Outbound",
"Traffic outbound"
],
"uuid": [
"31aca655-e044-4f8d-91bf-5de3505f443b",
"ee877954-c304-4159-bda3-e8f78ed4a4fa"
]
},
"source": {
"ip": "192.168.20.10"
},
"event": {
"start": "2024-12-19T08:02:03.000Z",
"end": "2024-12-19T08:34:14.000Z",
"duration": 1931000000000,
"sequence": 9,
"original": "<134>1 2024-12-19T08:34:14Z gw-0b8ccd CheckPoint 15871 - [action:\"Accept\"; flags:\"16384\"; ifdir:\"inbound\"; ifname:\"eth4\"; logid:\"288\"; loguid:\"{0xb2dea3d4,0xbf9adbd4,0xbdc92bc5,0xf8a33399}\"; origin:\"1.2.3.4\"; originsicname:\"CN=cp_mgmt,O=gw-0b8ccd..zx8qy7\"; sequencenum:\"9\"; time:\"1734597254\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 & FireWall-1[db_tag={48483CA8-998B-2D46-BEEF-CE5DA956505D};mgmt=gw-0b8ccd;date=1733928424;policy_name=Standard\\]\"; aggregated_log_count:\"2\"; connection_count:\"2\"; creation_time:\"1734595323\"; dst:\"192.168.0.10\"; duration:\"1931\"; hll_key:\"6549446380911603098\"; inzone:\"Internal\"; last_hit_time:\"1734597254\"; layer_name:\"Network\"; layer_name:\"Admin Traffic\"; layer_uuid:\"c135090e-7d3a-44bf-b686-1589d3183102\"; layer_uuid:\"42f39ab2-d932-4b6b-abbf-8b6bd519e15b\"; match_id:\"34\"; match_id:\"67108866\"; parent_rule:\"0\"; parent_rule:\"34\"; rule_action:\"Inline\"; rule_action:\"Accept\"; rule_name:\"Traffic Outbound\"; rule_name:\"Traffic outbound\"; rule_uid:\"31aca655-e044-4f8d-91bf-5de3505f443b\"; rule_uid:\"ee877954-c304-4159-bda3-e8f78ed4a4fa\"; outzone:\"External\"; product:\"VPN-1 & FireWall-1\"; proto:\"17\"; service:\"389\"; service_id:\"ldap_udp\"; src:\"192.168.20.10\"; update_count:\"2\"]",
"timezone": "UTC",
"kind": "event",
"action": "Accept",
"id": "{0xb2dea3d4,0xbf9adbd4,0xbdc92bc5,0xf8a33399}",
"category": [
"network"
]
},
"network": {
"name": [
"Network",
"Admin Traffic"
],
"transport": "udp",
"application": "ldap_udp",
"iana_number": "17",
"direction": "inbound"
},
"tags": [
"preserve_original_event"
]
}
]
}
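Review bot: The duplicated Check Point keys are emitted as positionally parallel arrays — `rule.name`, `rule.uuid`, `network.name`, `checkpoint.match_id`, `checkpoint.parent_rule`, `checkpoint.rule_action` — so the link between the inline layer entry (`Inline` / `Traffic Outbound` / `31aca655…`) and the rule that actually matched (`Accept` / `Traffic outbound` / `ee877954…`) survives only by array index, which a terms aggregation or a per-rule detection on `rule.uuid` cannot see. If that is the intended contract, it should be stated in the pipeline or field docs, e.g. `repeated rule_*/layer_*/match_id keys are kept as arrays in source order; element i of each array belongs to the same layer`; otherwise a single `checkpoint.rules[]` array of objects, or keeping only the final effective match in `rule.*`, would make the relationship explicit. Note also that `layer_uuid` (`c135090e…`, `42f39ab2…`) from `event.original` does not appear anywhere in the expected document while `layer_name` does, and no `event.type` accompanies `event.category: ["network"]` — worth confirming both are deliberate rather than a side effect of the duplicate-key handling. The `event.duration` of 1931000000000 ns does agree with `event.start`/`event.end` (1931 s), so that mapping looks right. The enclosing `expected` array begins outside the hunk.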
