This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Forsaken_61
Explorer
‎2024-02-08 01:24 AM

Threat Emulation - Extend SNMP with Shell script Faulty

Hi!

I'm running an ON-prem security gateway that Is connected to a cloud Sandbox. I want to take out Threat Emulation statistics and send over to monitoring system.

Followed along this guide,
ATRG: Threat Emulation (checkpoint.com)
"Follow the following action plan (for detailed instructions, refer to
sk90860 - How to configure SNMP on Gaia OS - section "(IV-6) Advanced SNMP configuration - Extend SNMP with shell script"


The main goal is to monitor this OID,
.1.3.6.1.4.1.2620.1.49.5.1

"TE Malware Detected"



1. So I've enabled SNMP Agent in GAIA, version v3 only. Created a snmpuser with an authpriv, privacy protocol AES256 and authentication protocol SHA256.

2. Created a basic shell script that I put under under /home/admin/test.sh.
# Extract amount of malicious code
#!/bin/bash
. /opt/CPshared/5.0/tmp/.CPprofile.sh
cpstat threat-emulation -f malware_detected

3. Disable the SNMP agent

4. Added this line under /etc/snmp/userDefinedSettings.conf
"extend .1.3.6.1.4.1.2620.1.49.5.1 test /bin/sh /home/admin/test.sh" 

5. Re-Enabled the SNMP agent

6. Here comes the problem, I'm unable to test the OID. Tried with these commands, but It's not working.

snmpwalk -v 2c -c test localhost .1.3.6.1.4.1.2620.1.49.5.1
"Timeout: No Response from localhost"

snmpwalk -v 3 -c test localhost .1.3.6.1.4.1.2620.1.49.5.1
"snmpwalk: Timeout"


Have anyone else experienced the same problem? 

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2024-02-08 02:25 PM

What version/JHF?
You might try debugging snmpd: https://support.checkpoint.com/results/sk/sk56783 

0 Kudos
Forsaken_61
Explorer
‎2024-02-09 12:24 AM
In response to PhoneBoy

I'm running on R81_20_JUMBO_HF_MAIN Take: 26

0 Kudos
PhoneBoy
Admin
Admin
‎2024-02-09 05:33 PM
In response to Forsaken_61

And have you debugged snmpd?
There are some SNMP-related fixes in Take 43, but not sure they are relevant here.
This is probably going to involve a TAC case: https://help.checkpoint.com 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events