Monitoring Suspicious Activity Rules

Suspicious Activity Monitoring (SAM) is a utility integrated in SmartView Monitor. It blocks activities that you see in the SmartView Monitor results and that appear to be suspicious. For example, you can block a user who tries several times to gain unauthorized access to a network or internet resource.

A Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. with SAM enabled has Firewall rules to block suspicious connections that are not restricted by the security policyClosed Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection.. These rules are applied immediately (policy installation is not required).

The Need for Suspicious Activity Rules

Connections between enterprise and public networks are a security challenge as they leave the network and its applications open to attack. You must be able to inspect and identify all inbound and outbound network activity and decide if it is suspicious.

Creating a Suspicious Activity Rule

SAM rules use CPU resources. Therefore, set an expiration time so you can inspect traffic but not negatively affect performance.

If you confirm that an activity is risky, edit the Security Policy, educate users, or handle the risk.

You can block suspicious activity based on source, destination, or service.

To block an activity:

  1. In the SmartView Monitor, click the Suspicious Activity Rules icon in the toolbar.

    The Enforced Suspicious Activity Rules window opens.

  2. Click Add.

    The Block Suspicious Activity window opens.

  3. In Source and in Destination, select IP or Network:

    • To block all sources or destinations that match the other parameters, enter Any.

    • To block one suspicious source or destination, enter an IP Address and Network Mask.

  4. In Service:

    • To block all connections that fit the other parameters, enter Any.

    • To block one suspicious service or protocol, click the button and select a service from the window that opens.

  5. In Expiration, set a time limit.

  6. Click Enforce.

To create an activity rule based on TCP or UDP use:

  1. In the Block Suspicious Activity window , click Service.

    The Select Service window opens.

  2. Click Custom Service.

  3. Select TCP or UDP.

  4. Enter the port number.

  5. Click OK.

To define SmartView Monitor actions on rule match:

  1. In the Block Suspicious Activity window, click Advanced.

    The Advanced window opens.

  2. In Action, select the Firewall action for SmartView Monitor to do on ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. match:

    • Notify - Send a message about the activity, but do not block it.

    • Drop - Drop packets, but do not send a response. The connection will time out.

    • Reject - Send an RST packet to the source and close the connection.

  3. In Track, select No Log, Log or Alert.

  4. If the action is Drop: To close the connection immediately on rule match, select Close connections.

  5. Click OK.

Creating a Suspicious Activity Rule from Results

If you monitor traffic, and see a suspicious result, you can create an SAM rule immediately from the results.

Note - You can only create a Suspicious Activity rule for Traffic views with data about the Source or Destination (Top Sources, Top P2P Users, and so on).

To create an SAM rule:

  1. In SmartView Monitor open a Traffic view.

    The Select Gateway / Interface window opens.

  2. Select an object.

  3. Click OK.

  4. In the Results, right-click the bar in the chart (or the row in the reportClosed Summary of network activity and Security Policy enforcement that is generated by Check Point products, such as SmartEvent.), that represents the source, destination, or other traffic property to block.

  5. Select Block Source.

    The Block Suspicious Activity window opens.

  6. Create the rule.

  7. Click Enforce.

For example:

Your corporate policy does not allow to share peer2peer file, and you see it in the Traffic > Top P2P Users results.

  1. Right-click the result bar and select Block Source.

    The SAM rule is set up automatically with the user IP address and the P2P_File_Sharing_Applications service.

  2. Click Enforce.

  3. For the next hour, while this traffic is dropped and logged, contact the user.

Managing Suspicious Activity Rules

The Enforced Suspicious Activity Rules window shows the currently enforced rules. If you add a rule that conflicts with another rule, the conflicting rule remains hidden. For example, if you define a rule to drop http traffic, and a rule exists to reject http traffic, only the drop rule shows.

sam_alert

Description

For SAM v1, this utility executes Suspicious Activity Monitoring (SAM) actions according to the information received from the standard input.

For SAM v2, this utility executes Suspicious Activity Monitoring (SAM) actions with User Defined Alerts mechanism.

For more information, see the R81 CLI Reference Guide - Chapter Security Management Server Commands - Section sam_alert.