A3sal0n / FalconGate

A smart gateway to stop cyber criminals - Sponsored by Falcon Guard
https://falconguard.cz
GNU General Public License v3.0

Confusing dates in Recent alerts #19

Closed lmolent closed 7 years ago

lmolent commented 7 years ago

Hi, I think the columns "First seen" and "Last seen" are confusing, because "First seen" is apparently the date of the alert, but "Last seen" is the date the device was last seen, not the date the event which triggered the alarm was last seen.

A3sal0n commented 7 years ago

hi @lmolent

Is your question related to alerts on new devices or other alerts? Could you explain better what you would like to see?

Thanks

lmolent commented 7 years ago

Hi. It is related to the malicious activity alerts in the "Recent alerts" tab. The column named "First seen" is the date when the malicious activity was detected, that's OK, but the column "Last seen" is not about when this malicious activity was last seen but about the last seen device activity in general, because this timestamp is updated (when I tested it) after each non-malicious flow, which is confusing to me.

A3sal0n commented 7 years ago

Hi,

As you can see in the picture below, generated in our lab environment, the host with the IP address ending in .106 was first reported in the network at 03:42:49. In this case the "last seen" time wasn't updated even though the host continued to be online with normal activity for a few hours and launched a port scan on the gateway at 07:05:31.

[screenshot: selection_013]

It seems that we're not able to replicate the behavior you described. Could you please provide some evidence of the issue in a screenshot, as we did above? This could probably help further.

Thanks

lmolent commented 7 years ago

After the first attempt at connecting from my test host 192.168.1.20 to a Tor exit node with the command

```
# telnet 92.240.254.98 80
Trying 92.240.254.98...
telnet: connect to address 92.240.254.98: Connection refused
telnet: Unable to connect to remote host
```

an alert is detected:

[screenshot: 2017-03-27 at 14:10:14]

That's OK, but the "Last seen" column is updated regularly (every 2 minutes and 2 seconds :)) despite there being no connection to 92.240.254.98 from my test host (checked with tcpdump):

[screenshot: 2017-03-27 at 14:25:34]

Of course, the test host 192.168.1.20 must generate traffic through FalconGate to other networks (the internet).
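The reproduction above is easy to model: the alert's "Last seen" field gets written from the host-level activity timestamp rather than from the flow that raised the alert. The following is an added example, not FalconGate's code and not the fix in any commit, written in Python because that is the project's language. The blocklist, the benign destination 93.184.216.34, the relative timestamps and the `Tracker`/`replay` names are assumptions made for the illustration; the two strategies side by side show why benign traffic every polling interval keeps bumping the alert in one of them.

```python
# Added example, not FalconGate's own code: a minimal model of the "Last seen"
# bookkeeping discussed in this issue. It replays constructed flow records
# (timestamps, blocklist and destination IPs are assumptions made for the
# illustration) through two bookkeeping strategies:
#   - per_alert_timestamps=False updates an alert's "last seen" whenever its
#     source host sends *any* traffic (the behaviour reported above);
#   - per_alert_timestamps=True only updates it when the flow that raised the
#     alert (same source, same blocklisted destination) is seen again.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumption: the Tor exit node from the thread stands in for the gateway's
# threat-intel lookup; any flow to it is treated as malicious.
BLOCKLIST = {"92.240.254.98"}

# Constructed flows as (seconds since start, src, dst). Only the first one
# touches the blocklisted host; the rest is ordinary browsing from the same host.
EVENTS: List[Tuple[int, str, str]] = [
    (0,   "192.168.1.20", "92.240.254.98"),   # telnet to the Tor exit node
    (122, "192.168.1.20", "93.184.216.34"),   # harmless traffic ~2 min later
    (244, "192.168.1.20", "93.184.216.34"),   # more harmless traffic
]


@dataclass
class Alert:
    host: str
    dst: str
    first_seen: int   # when the malicious flow was first observed
    last_seen: int    # when the *same* malicious flow was last observed


@dataclass
class Tracker:
    per_alert_timestamps: bool = True
    hosts_last_seen: Dict[str, int] = field(default_factory=dict)
    alerts: Dict[Tuple[str, str], Alert] = field(default_factory=dict)

    def process(self, ts: int, src: str, dst: str) -> None:
        # The host inventory legitimately tracks any activity from the host.
        self.hosts_last_seen[src] = ts

        if dst in BLOCKLIST:
            key = (src, dst)
            alert = self.alerts.get(key)
            if alert is None:
                self.alerts[key] = Alert(src, dst, ts, ts)
            else:
                alert.last_seen = ts  # the malicious flow recurred

        if not self.per_alert_timestamps:
            # Reported behaviour: alert "last seen" mirrors the host's last
            # activity, so benign flows keep bumping it every polling interval.
            for alert in self.alerts.values():
                if alert.host == src:
                    alert.last_seen = self.hosts_last_seen[src]

    def alert_times(self, src: str, dst: str) -> Optional[Tuple[int, int]]:
        alert = self.alerts.get((src, dst))
        return None if alert is None else (alert.first_seen, alert.last_seen)


def replay(events, per_alert_timestamps: bool) -> Optional[Tuple[int, int]]:
    """Feed the flows in timestamp order and return the Tor alert's
    (first_seen, last_seen) for the test host."""
    tracker = Tracker(per_alert_timestamps=per_alert_timestamps)
    for ts, src, dst in sorted(events):
        tracker.process(ts, src, dst)
    return tracker.alert_times("192.168.1.20", "92.240.254.98")


if __name__ == "__main__":
    print("host-wide last seen   :", replay(EVENTS, per_alert_timestamps=False))
    print("per-alert last seen   :", replay(EVENTS, per_alert_timestamps=True))
    # A repeat of the malicious flow is the only thing that should move it:
    print("after a second attempt:",
          replay(EVENTS + [(300, "192.168.1.20", "92.240.254.98")], True))
```

With host-wide bookkeeping the alert reads (0, 244) even though the only contact with the Tor node was at 0; keyed per (source, destination) it stays (0, 0) until the same flow actually recurs, which is the reading the reporter expected from the column.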

A3sal0n commented 7 years ago

Hi,

Thanks for the screenshots. This is not the desired behavior, so we will look into it ASAP.

A3sal0n commented 7 years ago

Hi,

We fixed the issue you described in our latest commit (4d8b594).

Thanks for your help!