Eliminating False Positives

Services that Generate Events

Some types of services are characterized by a high volume of legitimate traffic that can be misidentified as events. The following are examples of services and protocols that can generate such events:

Common Events by Service

This table lists server types whose normal operation frequently produces high activity. To reduce the number of false positives further, change the Event Policy (the set of rules that defines the behavior of SmartEvent): adjust the event thresholds and add Exclusions for these servers and services.

Common events by service

| Server Type | Category | Event Name | Source | Destination | Service | Reason |
|---|---|---|---|---|---|---|
| SNMP | Scans | IP sweep from internal network | Any | Any | SNMP-read | Hosts that query other hosts |
| DNS Servers | Scans | IP sweep from internal network | DNS servers | - | DNS | Inter-DNS server updates |
| | Denial of Service (DoS) | High connection rate on internal host on service | Any | DNS servers | DNS | DNS requests and inter-DNS server updates |
| | Anomalies | High connection rate from internal network | Any | Any | DNS | DNS requests and inter-DNS server updates |
| | Anomalies | High connection rate from internal network on service | Any | Any | DNS | DNS requests and inter-DNS server updates |
| | Anomalies | Abnormal activity on service | Any | Any | DNS | DNS requests and inter-DNS server updates |
| NIS Servers | Scans | Port scan from internal network | NIS servers | Any | - | Multiple NIS queries |
| | Denial of Service (DoS) | High connection rate on internal host on service | Any | NIS servers | NIS | NIS queries |
| | Anomalies | High connection rate from internal network | Any | Any | NIS | NIS queries |
| | Anomalies | High connection rate from internal network on service | Any | Any | NIS | NIS queries |
| | Anomalies | Abnormal activity on service | Any | Any | NIS | NIS queries |
| LDAP Servers | Denial of Service (DoS) | High connection rate on internal host on service | Any | LDAP servers | LDAP | LDAP requests |
| | Anomalies | High connection rate from internal network | Any | LDAP servers | LDAP | LDAP requests |
| | Anomalies | High connection rate from internal network on service | Any | LDAP servers | LDAP | LDAP requests |
| | Anomalies | Abnormal activity on service | Any | LDAP servers | LDAP | LDAP requests |
| HTTP Proxy Servers - Hosts to Proxy Server | Denial of Service (DoS) | High connection rate on internal host on service | Any | Proxy servers | HTTP:8080 | Host connections to Proxy servers |
| | Anomalies | High connection rate from internal network | Any | Proxy servers | HTTP:8080 | Host connections to Proxy servers |
| | Anomalies | High connection rate from internal hosts on service | Any | Proxy servers | HTTP:8080 | Host connections to Proxy servers |
| | Anomalies | Abnormal activity on service | Any | Proxy servers | HTTP:8080 | Host connections to Proxy servers |
| HTTP Proxy Servers - Out to the Web | Scans | IP sweep from internal network | Proxy servers | Any | HTTP/HTTPS | Proxy server connections out to various sites |
| | Denial of Service (DoS) | High connection rate on internal host on service | Proxy servers | Any | HTTP/HTTPS | Proxy server connections out to various sites |
| | Anomalies | High connection rate from internal network | Proxy servers | Any | HTTP/HTTPS | Proxy server connections out to various sites |
| | Anomalies | High connection rate from internal hosts on service | Proxy servers | Any | HTTP/HTTPS | Proxy server connections out to various sites |
| | Anomalies | Abnormal activity on service | Proxy servers | Any | HTTP/HTTPS | Proxy server connections out to various sites |
| UFP Servers | Denial of Service (DoS) | High connection rate on internal host on service | Any | UFP servers | Any/UFP by vendor | Firewall connections to UFP servers |
| | Anomalies | High connection rate from internal network | Any | UFP servers | Any/UFP by vendor | Firewall connections to UFP servers |
| | Anomalies | High connection rate from internal hosts on service | Any | UFP servers | Any/UFP by vendor | Firewall connections to UFP servers |
| | Anomalies | Abnormal activity on service | Any | UFP servers | Any/UFP by vendor | Firewall connections to UFP servers |
| CVP Servers Request | Denial of Service (DoS) | High connection rate on internal host on service | Any | CVP servers | Any/CVP by vendor | Firewall connections to CVP servers |
| | Anomalies | High connection rate from internal network | Any | CVP servers | Any/CVP by vendor | Firewall connections to CVP servers |
| | Anomalies | High connection rate from internal hosts on service | Any | CVP servers | Any/CVP by vendor | Firewall connections to CVP servers |
| | Anomalies | Abnormal activity on service | Any | CVP servers | Any/CVP by vendor | Firewall connections to CVP servers |
| CVP Servers Replies | Scans | Port scans from internal network | CVP servers | Any | - | Multiple CVP replies to the same GW |
| | Scans | IP sweep from internal network | CVP servers | - | CVP | CVP replies to multiple GWs |
| | Denial of Service (DoS) | High connection rate on internal host on service | CVP servers | Any | Any/CVP by vendor | CVP replies |
| | Anomalies | High connection rate from internal network | CVP servers | Any | Any/CVP by vendor | CVP replies |
| | Anomalies | High connection rate from internal hosts on service | CVP servers | Any | Any/CVP by vendor | CVP replies |
| | Anomalies | Abnormal activity on service | CVP servers | Any | Any/CVP by vendor | CVP replies |
| UA Server Request | Denial of Service (DoS) | High connection rate on internal host on service | Any | UA servers | uas-port (TCP:19191, TCP:19194) | Connections to UA servers |
| | Anomalies | High connection rate from internal network | Any | UA servers | uas-port (TCP:19191, TCP:19194) | Connections to UA servers |
| | Anomalies | High connection rate from internal hosts on service | Any | UA servers | uas-port (TCP:19191, TCP:19194) | Connections to UA servers |
| | Anomalies | Abnormal activity on service | Any | UA servers | uas-port (TCP:19191, TCP:19194) | Connections to UA servers |
| UA Servers Replies | Scans | Port scans from internal network | UA servers | Any | - | Multiple UA replies to the same computer |
| | Scans | IP sweep from internal network | UA servers | Any | uas-port (TCP:19191, TCP:19194) | Multiple UA replies to multiple computers |
| | Denial of Service (DoS) | High connection rate on internal host on service | UA servers | Any | uas-port (TCP:19191, TCP:19194) | UA replies |
| | Anomalies | High connection rate from internal network | UA servers | Any | uas-port (TCP:19191, TCP:19194) | UA replies |
| | Anomalies | High connection rate from internal hosts on service | UA servers | Any | uas-port (TCP:19191, TCP:19194) | UA replies |
| | Anomalies | Abnormal activity on service | UA servers | Any | uas-port (TCP:19191, TCP:19194) | UA replies |
| SMTP Servers | Scans | IP sweep from internal network | SMTP servers | - | SMTP | SMTP server connections out to various SMTP servers |
| | Denial of Service (DoS) | High connection rate on internal host on service | SMTP servers | Any | SMTP | SMTP server connections out to various SMTP servers |
| | Anomalies | High connection rate from internal network | SMTP servers | Any | SMTP | SMTP server connections out to various SMTP servers |
| | Anomalies | High connection rate from internal hosts on service | SMTP servers | Any | SMTP | SMTP server connections out to various SMTP servers |
| | Anomalies | Abnormal activity on service | SMTP servers | Any | SMTP | SMTP server connections out to various SMTP servers |
| Anti-Virus Definition Servers | Scans | IP sweep from internal network | AV_Defs servers | - | Any/AV by vendor | Anti-Virus definition updates deployment |
| | Denial of Service (DoS) | High connection rate on internal host on service | AV_Defs servers | - | Any/AV by vendor | Anti-Virus definition updates deployment |
| | Anomalies | High connection rate from internal network | AV_Defs servers | - | Any/AV by vendor | Anti-Virus definition updates deployment |
| | Anomalies | High connection rate from internal hosts on service | AV_Defs servers | - | Any/AV by vendor | Anti-Virus definition updates deployment |
| | Anomalies | Abnormal activity on service | AV_Defs servers | - | Any/AV by vendor | Anti-Virus definition updates deployment |
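As an added illustration (not Check Point code), the Python below models how rows of the table act as Exclusions layered on top of per-window thresholds: it counts connections in a constructed log window, raises IP-sweep and high-connection-rate candidates, and drops the candidates that match a known-benign row. The host groups, thresholds and log records are constructed assumptions, not values from the product.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
# Hypothetical host groups standing in for the table's "DNS servers" and "Proxy servers".
GROUPS = {"DNS servers": {"10.0.0.53", "10.0.1.53"}, "Proxy servers": {"10.0.2.8"}}

@dataclass(frozen=True)
class Exclusion:
    event: str
    source: str   # group name, or "Any" / "-" when the column is not constrained
    dest: str
    service: str  # "Any" or a "/"-separated list such as "HTTP/HTTPS"

# A subset of the table's rows, expressed as exclusions.
EXCLUSIONS = [
    Exclusion("IP sweep from internal network", "DNS servers", "-", "DNS"),
    Exclusion("High connection rate on internal host on service", "Any", "DNS servers", "DNS"),
    Exclusion("IP sweep from internal network", "Proxy servers", "Any", "HTTP/HTTPS"),
]

def _host_ok(ip, group):
    return group in ("Any", "-") or ip in GROUPS.get(group, set())

def _svc_ok(svc, pattern):
    return pattern == "Any" or svc in pattern.split("/")

def excluded(event, src, dst, svc):
    """True when a candidate event matches a known-benign row of the table."""
    return any(e.event == event and _host_ok(src, e.source)
               and _host_ok(dst, e.dest) and _svc_ok(svc, e.service) for e in EXCLUSIONS)

def detect(logs, sweep_threshold=20, rate_threshold=100):
    """logs: (src, dst, service) records from one time window; returns the
    (event, src, dst, service) candidates that survive the exclusions."""
    targets = defaultdict(set)  # (src, svc) -> distinct destinations contacted
    hits = Counter()            # (dst, svc) -> connections received
    for src, dst, svc in logs:
        targets[(src, svc)].add(dst)
        hits[(dst, svc)] += 1
    events = [("IP sweep from internal network", src, "-", svc)
              for (src, svc), dsts in targets.items() if len(dsts) >= sweep_threshold]
    events += [("High connection rate on internal host on service", "-", dst, svc)
               for (dst, svc), n in hits.items() if n >= rate_threshold]
    return [ev for ev in events if not excluded(*ev)]

# Constructed sample window: a DNS server pushing zone updates, a workstation
# contacting 30 hosts on SSH, clients querying the DNS server, and a flood on a web host.
SAMPLE_LOGS = ([("10.0.0.53", f"192.0.2.{i}", "DNS") for i in range(1, 31)]
               + [("10.0.5.7", f"10.0.9.{i}", "SSH") for i in range(1, 31)]
               + [(f"10.0.6.{i}", "10.0.0.53", "DNS") for i in range(1, 151)]
               + [(f"10.0.7.{i}", "10.0.5.9", "HTTP") for i in range(1, 151)])
```

Raising `sweep_threshold` or `rate_threshold` is the threshold adjustment the text describes; adding rows to `EXCLUSIONS` is the Exclusion step, and only candidates that match neither survive.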