topic IPS/AV signature release notes or full list in Firewall and Security Management

IPS/AV signature release notes or full list

jdoe1979 — Fri, 14 Apr 2023 15:07:04 GMT

Hi all,

Are there any release notes for Threat updates for Quantum?
I need to have accounting visibility into signatures by severity, introduction date and type (AV/IPS) + overall signature count change between update releases as part of the project.
So far I could see there's some filtering on https://threatwiki.checkpoint.com/threatwiki/public.htm

but lacking in filtering options I need. Is there an option to escort the entire Threat DB into CVS somehow?

Re: IPS/AV signature release notes or full list

PhoneBoy — Fri, 14 Apr 2023 15:33:27 GMT

We have a mailing list that provides updates when IPS protections are updated.
Subscribe here: https://advisories.checkpoint.com/security-advisories-subscription/

You can get the entire list of protections via the Management API.
See: https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-threat-protections~v1.9%20

Note that due to the number of results returned (several thousand), this will require multiple API calls using the offset parameter to return the next 50 results.
Using mgmt_cli and jq, it should be possible to turn this into a CSV file.

Re: IPS/AV signature release notes or full list

jdoe1979 — Fri, 14 Apr 2023 16:36:47 GMT

Understood.
Will CSV have all the selectors around type, date of incept, description?

Re: IPS/AV signature release notes or full list

PhoneBoy — Fri, 14 Apr 2023 17:28:29 GMT

It's easy enough to check: mgmt_cli -r true show threat-protections details-level "full" --format json | jq '.'

"protections": [ { "uid": "9118d0c5-83d8-42eb-807c-5c2ab3304f3e", "name": "29o3 CMS Remote Code Execution (CVE-2010-1922)", "type": "threat-protection", "domain": { "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde", "name": "SMC User", "domain-type": "domain" }, "severity": "High", "confidence-level": "Medium", "performance-impact": "Medium", "release-date": "20201028", "update-date": "20201028", "comments": "", "protection-type": "Threat Cloud", "follow-up": false, "industry-reference": [ "CVE-2010-1922" ] },

Re: IPS/AV signature release notes or full list

jdoe1979 — Sat, 15 Apr 2023 22:03:54 GMT

hm, I'm getting an error despite API status being fine (see below)

I was able to connect via Postman, but looks like this only covers IPS signatures and no visibility into AV.
I'd like it to filter on protection-type for AV, but not sure what the syntax is for AV.

MGR> mgmt_cli -r true show threat-protections details-level "full" --format json | jq '.' --port 4434

MGMT9205 You are not logged in to management server, in order to log-in you will need to run "mgmt login user [user name]"

MGR> api status

API Settings:

---------------------

Accessibility: Require all granted

Automatic Start: Enabled

Processes:

Name State PID More Information

-------------------------------------------------

API Started 26850

CPM Started 26850 Check Point Security Management Server is running and ready

FWM Started 26335

APACHE Started 9941

Port Details:

-------------------

JETTY Internal Port: 54595

JETTY Documentation Internal Port: 58272

APACHE Gaia Port: 4434 (a non-default port)

When running mgmt_cli commands add '--port 4434'

When using web-services, add port 4434 to the URL

Profile:

-------------------

Machine profile: Large env resources profile with SME or Dedicated Log Server

CPM heap size: 1280m

Apache port retrieved from: httpd-ssl.conf

--------------------------------------------

Overall API Status: Started

--------------------------------------------

API readiness test SUCCESSFUL. The server is up and ready to receive connections

Notes:

------------

To collect troubleshooting data, please run 'api status -s <comment>'

Re: IPS/AV signature release notes or full list

PhoneBoy — Mon, 17 Apr 2023 16:59:50 GMT

The command string I provided only works in Expert mode.
clish commands don't support piping to other commands, nor does mgmt (the clish equivalent of mgmt_cli) support the -r true flag.

My understanding is threat-protections should include protections from other blades (not just IPS).
However, a lot of AV/AB protections are handled in ThreatCloud and won't appear in the API output.