This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Happy__
Collaborator
‎2019-11-24 11:25 PM

Custom Application by wireshark raws data pattern?

Hi team,

I try to create a custom signature with Wireshark raw data pattern, but it's not working.

Scenario:-I have an FTP server and I  download two files from the FTP server and capture this in Wireshark and create a signature with one file raw data. I want when next time when I download the same file from the FTP server it should be blocked by my custom signature.

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2019-11-25 08:13 PM

Maybe just create a file hash IOC using the AV blade instead?
0 Kudos
Happy__
Collaborator
‎2019-11-25 11:49 PM
In response to PhoneBoy

Yup, I know we can do with AV & IPS, but the requirement is to do with the application signature tool. 

0 Kudos
G_W_Albrecht
Legend
Legend
‎2019-11-26 12:18 AM

Wrong tool:

Signature Tool for Application and URL Filtering Administration Guide | 5 Introduction

Check Point Signature Tool lets you create Application and URL Filtering for your own or third-party applications. This tool expands your local Application and URL Filtering Database for applications and URLs that you add. Application and URL Filtering detects and enforces your policies on added signatures as with Check Point defined signatures.

For preventing downloads we use AV.

CCSE CCTE CCSM SMB Specialist
0 Kudos
Happy__
Collaborator
‎2019-11-26 12:26 AM
In response to G_W_Albrecht

In the application signature tool, there is an option that we can create a signature with raw data. So I was just trying to block a specific file with the file raw data.

 

 

0 Kudos
G_W_Albrecht
Legend
Legend
‎2019-11-26 07:01 AM
In response to Happy__

That imho is a misunderstanding - APCL and URLF deal with URLs and Applications that communicate using the internet. What you want to achieve is to prevent downloading malware, a job done by AV and TE / TX. Custom Applications get defined to enable, disable or limit their internet traffic in APCL rulebase.

CCSE CCTE CCSM SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events