Explorer

SNORT Rules and Checkpoint R77.30 IPS


Hello guys!

I prepared a SNORT rule to drop DoS-tool-like traffic patterns. The rule is working fine; can you tell me after how much time the FW will send the IPs attacking the network after matching the rule?

Or is there a way to put something like "send to sam" in the snort rule, or not?

Because I know that for snort there is SnortSam, a plugin for snort:

SnortSam is a plugin for Snort, an open-source light-weight Intrusion Detection System (IDS). The plugin allows for automated blocking of IP addresses on the following firewalls:

  • Checkpoint Firewall-1
  • Cisco PIX firewalls
  • Cisco Routers (using ACL's or Null-Routes)
  • Former Netscreen, now Juniper firewalls
  • IP Filter (ipf), available for various Unix-like OSes such as FreeBSD
  • FreeBSD's ipfw2 (in 5.x)
  • OpenBSD's Packet Filter (pf)
  • Linux IPchains
  • Linux IPtables
  • Linux EBtables
  • WatchGuard Firebox firewalls
  • 8signs firewalls for Windows
  • MS ISA Server firewall/proxy for Windows
  • CHX packet filter
  • Ali Basel's Tracker SNMP through the SNMP-Interface-down plugin
  • ...and more to come...

Is there any kind of plugin or feature for the R77.30 FW/IPS?

Thank you very much in advance.


Accepted Solutions
Admin

You should be able to use one of the User Defined log settings for the protection to trigger a script to do whatever you want.

See the screenshot below.

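As an added illustration of the approach in the accepted answer (not code from the thread or from Check Point), here is a dry-run sketch of the kind of script a User Defined alert could call. It assumes the alert hands the script one log record as "field: value;" pairs (a constructed sample is embedded) and that blocking is done with `fw sam -t <seconds> -I src <ip>`; the allowlist and timeout guard against a spoofed source address locking out management hosts or staying blocked forever.

```shell
#!/bin/sh
# Added example, not from the CheckMates thread or Check Point's own code.
# Assumption: the user-defined alert script receives one log record on stdin
# as "field: value;" pairs (see the constructed SAMPLE below) and blocking is
# done with `fw sam -t <seconds> -I src <ip>`.

# Addresses that must never be auto-blocked (management, monitoring).
# Constructed placeholder values; replace with your own.
NEVER_BLOCK="10.0.0.10 10.0.0.11"
# Expire the block automatically so a spoofed or stale source does not stay
# blocked forever (seconds).
BLOCK_SECONDS=3600

# extract_src_ip LOG_RECORD -> prints the src address, returns 1 if absent/invalid
extract_src_ip() {
    ip=$(printf '%s\n' "$1" | sed -n 's/.*src: *\([0-9.]*\);.*/\1/p')
    case "$ip" in
        *[!0-9.]*|'') return 1 ;;
    esac
    printf '%s\n' "$ip"
}

# is_allowlisted IP -> returns 0 if the address must not be blocked
is_allowlisted() {
    for a in $NEVER_BLOCK; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# build_sam_command LOG_RECORD -> prints the fw sam command to run,
# returns 1 (prints nothing) when the record should not produce a block
build_sam_command() {
    src=$(extract_src_ip "$1") || return 1
    is_allowlisted "$src" && return 1
    # -t: block expiry in seconds; -I: inhibit packets and close existing connections
    printf 'fw sam -t %s -I src %s\n' "$BLOCK_SECONDS" "$src"
}

# Constructed sample record (format assumed) for a dry run.
SAMPLE='action: drop; src: 198.51.100.23; dst: 203.0.113.5; proto: tcp; attack: Snort custom rule;'

# Real use would read the record from stdin and execute the result, e.g.:
#   cmd=$(build_sam_command "$(cat)") && $cmd
```

Run as a dry run it only prints the command it would execute, which is a useful first step before wiring it to the protection's log setting.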
8 Replies
Admin

Just to clarify your question:

  • You have a snort rule you've created that matches traffic
  • Based on this rule triggering, you want to automatically block IP using fw sam/fw samp or similar

Correct?

Explorer

Hi Dameon!

First of all thank you for your reply.

And that's it, I want it to automatically block the IP.

Thank you.

Admin

I will check with R&D, but I do not believe this is possible out of the box.

It may be possible by monitoring logs and using that to trigger an fw sam/fw samp command to issue a block.

Advisor

Hey,

Would you mind sharing that snort rule with me? Let me try with a bash script and see if that works.

Advisor

Does someone know if custom rules (for example based on Snort) will be possible out of the box in the future?

Admin

It can already be done as far as I know.

The above screenshot is individual to a specific protection.

Advisor

Dameon, you are right. Here is the relevant chapter in the admin guide:

Configuring Specific Protections