CheckPoint防火墙跟踪日志中的规则号问题

network · 发表于 2007-4-15 10:06:21

CheckPoint防火墙跟踪日志中的规则号问题

在Checkpoint防火墙的规则设置中有一个track选项，其可以设置为Log，这样相关于此规则的行为就会被记录，事后可以通过SmartviewTracker来进行记录的分析，从而对防火墙的策略进行调整。

最近做一些该日志的分析时候发现很多记录里面的触发规则号非常大，根本就没有在设置的规则库之内，

终于在网上看到相关的文章，这些规则又是SmartDefense捣鬼，虽然没有在规则库出现，但是系统都会给这些SmartDefense的设置分配相应的规则号，下面就是收集到的规则号以及与之相应的事件原因，可能会不全，

如果谁有此内部文档分享一下...

规则号	原因	参考文档
994	Blaster Worm	CPAI-2003-11
995	Active Directory Replication with Windows 2003 SP1 (new DCE-RPC) Workaround: Edit $FWDIR/lib/dcerpc.def Solution: NG AI R55 HFA_16
996	RPC Denial-of-Service attack	CPAI-2003-11
997	Client tried to switch UUID, also: Active Directory Replication with Windows 2003 SP1 (new DCE-RPC) Workaround: Edit $FWDIR/lib/dcerpc.def	CPAI-2003-11
998	Malformed packet (Client to Server)	CPAI-2003-11 CPAI-2003-32 CPAI-2004-11
999	Malformed packet (Server to Client)	CPAI-2003-11
1999	Welchia/Nachi Worm	CPAI-2003-31
4999	ASN.1 Bit String attack	CPAI-2004-07
6991	Slammer Worm (Heap Overflow)	CPAI-2004-03
6992	MS-SQL Information Leak	CPAI-2004-03
6993	MS-SQL Heap-Overflow attack	CPAI-2004-03
6994	MS-SQL Denial-of-Service attack	CPAI-2004-03
6995	MS-SQL Pre-authentication buffer overflow	CPAI-2004-03
6996	MS-SQL Malformed Packet	CPAI-2004-03
6997	MS-SQL xp_cmdshell command	CPAI-2004-03
6998	MS-SQL sp_start_job command	CPAI-2004-03
6999	MS-SQL login with blank password	CPAI-2004-03 CPAI-2004-43 CPAI-2004-54
9923	Telnet Enforcement Violation	CPAI-2005-102
9980	Malformed JPEG file	CPAI-2004-42 CPAI-2005-124
9981	Malformed ANI file	CPAI-2005-06
9982	Malformed GIF file	CPAI-2005-53
9983	Malformed PNG file	CPAI-2005-99
9984	Malformed AVI file	CPAI-2005-130 CPAI-2005-137
9985	Malformed TIFF file	CPAI-2005-124
9989	Non-MD5 authenticated OSPF protocol	CPSA-2004-03 CPAI-2004-37
9990	Cisco IOS Denial-of-Service	CPAI-2003-26
9992	Invalid IGMP Traffic	CPAI-2005-01
40009	Witty Worm (UDP)	CPAI-2004-14
92101	Windows SMB Protection Violation	CPAI-2005-111
96106	VERITAS Backup Exec Unauthorized remote registration attempt	CPAI-2005-109
99022	SSH: Bock Malformed Key Exchange Init Message	CPAI-2006-069
99111	Detected SUN-RPC over TCP/UDP Lookup operation	CPAI-2004-57
99135	MS Message Queuing Protection Violation	CPAI-2005-112
99143	Block FETCH Command Buffer Overflow	CPAI-2006-046
99144	Block EXAMINE Command Buffer Overflow	CPAI-2006-046
99145	Block APPEND Command Buffer Overflow	CPAI-2006-046
99146	Block IMAP Directory Traversal	CPAI-2006-070
99179	Non-MD5 authenticated BGP protocol	CPSA-2004-03 CPAI-2005-08
99249	NFS: Illegal Mount Request	CPAI-2006-032
99389	LDAP Server remote Denial-of-Service	CPAI-2006-039
99443	Malformed SSL packet	CPAI-2004-13 CPAI-2004-19 CPAI-2004-38
99444	MS-RPC over CIFS Enforcement violation	CPAI-2005-136
99445	Microsoft Windows Plug and Play Vulnerability Protection / Zotob worm	CPAI-2005-120 CPAI-2005-139
99447	MS-RPC over CIFS Enforcement violation	CPAI-2005-136
99448	MS-RPC over CIFS violation	CPAI-2005-139
99449	MS-RPC over CIFS violation	CPAI-2005-1 40
99450	MS-RPC over CIFS violation	CPAI-2005-138
99452	Block Web Client vulnerability (MS06-008)	CPAI-2006-018
99454	MS Windows Server Service vulnerability (MS06-040)	CPAI-2006-097
99500	IKE Aggressive Mode	CPAI-2004-15
99501	ICMP packet with Null payload	CPAI-2004-20
99520	Non MD5-authenticated RIP protocol	CPSA-2004-03
99642	MS WINS replication protocol over TCP attack	CPAI-2004-61
99653	Excessive number of DNS Resource Records	CPAI-2004-49
99654	DNS reply shorter than 14 Bytes	CPAI-2004-49
99670	Malformed DHCP option length in packet	CPAI-2005-07
99742	MS WINS replication protocol over UDP attack	CPAI-2004-61
99801	Malformed ANI file	CPAI-2005-06
99803	Malformed PNG file	CPAI-2005-99
99804	Malformed AVI file	CPAI-2005-130 CPAI-2005-137
99805	Malformed JPEG file	CPAI-2005-124
99805	Block COM Object (MS05-038) Vulnerability	CPAI-2005-117
99807	Block COM Object (Msdds.dll) Vulnerability	CPAI-2005-148
99808	Block COM Object (Javaprxy.dll)) Vulnerability	CPAI-2005-117
99809	Block Mismatched DOM Object (KB 911302) Vulnerability	CPAI-2005-155
99810	Block COM Object (MS05-054) Vulnerability	CPAI-2005-158
99811	Block IsComponentInstalled Overflow Vulnerability	N/A
99812	Block createTextRange Overflow Vulnerability	CPAI-2006-033
99813	Block Block RDS.Dataspace MDAC Function Vulnerability (MS06-014)	CPAI-2006-043
99814	Block mhtml Redirection Vulnerability (CVE-2006-2111)	CPAI-2006-044
99815	Block COM Object Instantiation Vulnerability(MS06-013)	CPAI-2006-072
99816	Block COM Object Instantiation Memory Corruption Vulnerability (MS06-021)	CPAI-2006-073
99817	Block Microsoft JScript Remote Code Execution Vulnerability (MS06-023)	CPAI-2006-074
99818	Content Protection - Block ART Files	CPAI-2006-080
99877	CIFS Brute-Force Attack	CPSA-2006-001
99878	Malformed Embedded Web Fonts	CPSA-2006-010
99879	Malformed WMF/EMF	CPAI-2006-020
99880	Malformed BMP File	CPAI-2006-016
910000	VERITAS Backup Exec Unauthorized remote registration attempt	CPAI-2005-109
910001	VERITAS Backup Exec Unauthorized remote registration attempt	CPAI-2005-109
910002	VERITAS Backup Exec Agent Static Password Protection	CPAI-2005-121

账号		自动登录	找回密码
密码			注册