
SNORT Rules and Checkpoint R77.30 IPS

Hello guys!

I prepared a SNORT rule to drop DoS-tool-like traffic patterns, and the rule is working fine. Can you tell me after how much time the FW will send the IPs attacking the network after matching the rule?

Or is there a way to specify in the snort rule whether to send to sam or not?

Because I know that for snort there is SnortSam, a plugin for snort:

SnortSam is a plugin for Snort, an open-source light-weight Intrusion Detection System (IDS). The plugin allows for automated blocking of IP addresses on the following firewalls:

  • Checkpoint Firewall-1
  • Cisco PIX firewalls
  • Cisco Routers (using ACLs or Null-Routes)
  • Former Netscreen, now Juniper firewalls
  • IP Filter (ipf), available for various Unix-like OSes such as FreeBSD
  • FreeBSD's ipfw2 (in 5.x)
  • OpenBSD's Packet Filter (pf)
  • Linux IPchains
  • Linux IPtables
  • Linux EBtables
  • WatchGuard Firebox firewalls
  • 8signs firewalls for Windows
  • MS ISA Server firewall/proxy for Windows
  • CHX packet filter
  • Ali Basel's Tracker SNMP through the SNMP-Interface-down plugin
  • ...and more to come...

Is there any kind of plugin or feature for the R77.30 FW/IPS?

Thank you very much in advance.

8 Replies
Admin

Re: SNORT Rules and Checkpoint R77.30 IPS

Just to clarify your question:

  • You have a snort rule you've created that matches traffic
  • Based on this rule triggering, you want to automatically block the IP using fw sam/fw samp or similar

Correct?

0 Kudos

Re: SNORT Rules and Checkpoint R77.30 IPS

Hi Dameon!

First of all thank you for your reply.

And that's it: I want it to automatically block the IP.

Thank you.

0 Kudos
Admin

Re: SNORT Rules and Checkpoint R77.30 IPS

I will check with R&D, but I do not believe this is possible out of the box.

It may be possible by monitoring logs and using that to trigger an fw sam/fw samp command to issue a block.

0 Kudos
Blason_R
Silver

Re: SNORT Rules and Checkpoint R77.30 IPS

Hey,

Would you mind sharing that snort rule with me? Let me try with some bash script and see if that works.

0 Kudos
Admin

Re: SNORT Rules and Checkpoint R77.30 IPS

You should be able to use one of the User Defined log settings for the protection to trigger a script to do whatever you want.

See the screenshot below.

0 Kudos
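As an added example (not code from this thread or from Check Point), here is the kind of script a User Defined alert on the protection could run, turning the log-monitoring idea from Dameon's earlier reply into a temporary fw sam block. Assumed: the matching log record arrives on the script's standard input in the constructed "field: value;" layout shown in the comments, the alert command line is configured as "/path/to/snort_sam_block.sh run", the fw sam option form is as the comment states, and all addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: a "Run UserDefined script" handler for R77.30.
# Assumed: the alert mechanism pipes the matching log record to stdin as
# "field: value;" pairs (constructed layout; compare with a real record before
# relying on it), the script is configured as "/path/to/snort_sam_block.sh run",
# and blocking uses the SAM command form assumed here: fw sam -t <seconds> -I src <ip>
BLOCK_SECONDS="${BLOCK_SECONDS:-600}"       # keep blocks temporary; let them expire
FW="${FW:-fw}"                              # set FW=echo to dry-run without blocking
NEVER_BLOCK="${NEVER_BLOCK:-192.0.2.1 192.0.2.2}"  # management/monitor hosts (constructed)

# Print the value of the "src" field only (not "xlatesrc" etc.); empty if missing.
extract_src_ip() {
    printf '%s\n' "$1" | awk -F';' '{
        for (i = 1; i <= NF; i++) {
            split($i, kv, ":"); gsub(/ /, "", kv[1]); gsub(/ /, "", kv[2])
            if (kv[1] == "src") { print kv[2]; exit }
        }
    }'
}

# Refuse anything that is not a well-formed IPv4 address before it reaches fw sam.
is_valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

is_allowlisted() {
    for host in $NEVER_BLOCK; do [ "$host" = "$1" ] && return 0; done
    return 1
}

# One record in, one decision out: 0 = block issued, 1 = unusable record, 2 = allowlisted.
handle_record() {
    ip=$(extract_src_ip "$1")
    [ -n "$ip" ] || { echo "alert script: no src field in record" >&2; return 1; }
    is_valid_ipv4 "$ip" || { echo "alert script: bad src '$ip'" >&2; return 1; }
    is_allowlisted "$ip" && { echo "alert script: $ip allowlisted, not blocked" >&2; return 2; }
    "$FW" sam -t "$BLOCK_SECONDS" -I src "$ip"
}

if [ "${1:-}" = "run" ]; then
    while IFS= read -r record; do handle_record "$record"; done
fi
```

The alert script runs where the alert is configured (normally the management server), so in practice the fw sam line also needs `-f <gateway>` to target the enforcing gateway. Verify the fw sam options and the record layout against the R77.30 command reference and a real log record before relying on it.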
Sven_Glock
Silver

Re: SNORT Rules and Checkpoint R77.30 IPS

Does someone know if custom rules (for example, based on Snort) will be possible out of the box in the future?

0 Kudos
Admin

Re: SNORT Rules and Checkpoint R77.30 IPS

It can already be done as far as I know.

The above screenshot is individual to a specific protection.

0 Kudos
Sven_Glock
Silver

Re: SNORT Rules and Checkpoint R77.30 IPS

Dameon, you are right. Here is the relevant chapter in the admin guide:

Configuring Specific Protections