Jeff_St_John
Participant

sam_alert to sam_alert -v2 or fw_samp help

I have been using the UserDefined alert option (sam_alert) described in "sk110873 How to configure Security Gateway to detect and prevent port scan" to block port scans, but I discovered that the IPS blade exceptions do not apply, since the process for blocking is based on the Monitor mode alert and the exception is not preventing the Monitor alert from triggering.

Anyway, I am blocking our external legitimate scans.

Running R77.30 on the majority of HW but moving to R80.10 for new installs, and will upgrade all by mid-year.

I have also been using the "fw sam" option manually to block IPs detected in other tools.

I am looking to switch the manual blocks to the automated version described in sk103154 - How to block traffic coming from known malicious IP addresses, but I also want to migrate the port scan blocks to an "fw samp" version, since I can build in an exception set of IP addresses that will override the "fw samp" blocks.

Once fully on R80.10, I will probably move to the Dynamic Object version listed somewhere on Check Mates.

Now for the actual questions:

I wanted to know if anyone has used "sam_alert" with the "-v2" options set and gotten it to work?

Looking at the "sam_alert.elg" log, I discovered that the "sam_alert -v2" options actually issue a "fw samp" command instead of the "fw sam" command.

Unfortunately, the "fw samp" command gets created and appears to execute, but no change is made in the actual security gateway's "fw samp" data.

Example (names and IPs obfuscated):

[sam_alert 31166 4141030208]@FWMGMT01[4 May 18:54:56][main] action_v2; log = ( 4May2018 18:54:54 accept FW001   >eth1 useralert2 inzone:External;outzone:Local;rule:41;rule_uid:{FFFFFF-FFFFFF-49EF-9BC7-FFFFFFF};service_id:icmp-proto;ICMP:Echo Request;src:99.99.999.999;dst:FW001;proto:icmp;ICMP Type:8;ICMP Code:0;product:VPN-1 & FireWall-1;product_family:Network)
[sam_alert 31166 4141030208]@FWMGMT01[4 May 18:54:56][main] sam_server (FW001)

[sam_alert 31166 4141030208]@FWMGMT01[4 May 18:54:56][main] The command line is /opt/CPsuite-R77/fw1/bin/fw samp add -t 3600 -f 10.10.10.10 -a d -l r -o sam_alert ip -C

[sam_alert 31166 4141030208]@fFWMGMT01[4 May 18:54:56][main] The command is /opt/CPsuite-R77/fw1/bin/fw samp add -t 3600 -f 10.54.74.52 -a d -l r -o sam_alert ip -C -s 99.99.999.999

Secondarily, how the heck do I pass a parameter to a user defined script once an alert is triggered?

None of the options used for the CP created sam_alert or internal_mail actually reach a shell script I created.

I was looking to create a user defined script to execute an "fw samp" but could not figure out how to pass parameters in the UserDefined alert from SmartMonitor.

Yes, I have opened a ticket for both questions but did not receive a useful response.

1 Reply
Jeff_St_John
Participant

Well, looks like I figured out the first part ... been working on this off and on for a year. Support could not figure it out, but they did make a comment that the order mattered and they got it to work one time. They did not imply it was a "fw samp" process, however.

I was using:

sam_alert -v2 -f FW001 -t 9600 -n HostScan -c PortScan -l r -a d -C -ip -src

sam_alert -v2 needs the -S option, even though the CLI help implies it is optional and reads like there is a needed parameter after the -S (there is not).

sam_alert -v2 -S -f FW001 -t 9600 -n HostScan -c PortScan -l r -a d -C -ip -src

Still validating that the exclusion of an IP works in "fw samp".
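To illustrate the exception-set idea from the first post against the log format quoted there, here is an added example (not code from the thread or from Check Point): it pulls the src field out of a useralert log line, skips sources on an exception list, and builds the same "fw samp add" command line that sam_alert -v2 writes to sam_alert.elg. The log line, the exception addresses and the gateway name are constructed; the script only prints the command and never runs fw samp.

```bash
#!/bin/bash
# Added example: dry-run builder for the "fw samp add" command shown in the thread.
# Everything below (IPs, gateway name, exception list) is constructed sample data.

# Constructed useralert log line, same ';'-separated key:value layout as in sam_alert.elg
SAMPLE_LOG='4May2018 18:54:54 accept FW001   >eth1 useralert2 inzone:External;outzone:Local;rule:41;service_id:icmp-proto;src:198.51.100.7;dst:FW001;proto:icmp'

# Exception list (assumption): legitimate external scanners that must never be blocked
EXCEPTIONS="203.0.113.5 203.0.113.6"

# Print the value of one key:value field from a log line (first match only)
log_field() {   # usage: log_field "<log line>" <key>
    printf '%s\n' "$1" | tr ';' '\n' | sed -n "s/^ *$2:\(.*\)$/\1/p" | head -n 1
}

# Return 0 if the IP is on the exception list, 1 otherwise
is_excepted() {
    local ip
    for ip in $EXCEPTIONS; do
        [ "$ip" = "$1" ] && return 0
    done
    return 1
}

# Build the fw samp command for a log line.
# Returns 1 (prints nothing) for an excepted source, 2 if no src field is present.
build_samp_cmd() {   # usage: build_samp_cmd "<log line>" <gateway> <timeout-seconds>
    local src
    src=$(log_field "$1" src)
    [ -n "$src" ] || return 2
    is_excepted "$src" && return 1
    # Same flags as the command line logged by sam_alert -v2 in the thread:
    # drop (-a d), regular log (-l r), close existing connections (-C), keyed by source IP.
    printf '%s\n' "fw samp add -t $3 -f $2 -a d -l r -o sam_alert ip -C -s $src"
}

# Demonstration: print the command that would be issued for the sample line
build_samp_cmd "$SAMPLE_LOG" FW001 3600
```

Feeding the script a line whose src is on the exception list yields no command, which is the behaviour the IPS exceptions were failing to provide for the Monitor-mode alert.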
