jdoe1979
Contributor

IPS/AV signature release notes or full list

Hi all,

Are there any release notes for Threat updates for Quantum?
I need to have accounting visibility into signatures by severity, introduction date and type (AV/IPS) + overall signature count change between update releases as part of the project.
So far I could see there's some filtering on https://threatwiki.checkpoint.com/threatwiki/public.htm

but it is lacking the filtering options I need. Is there an option to export the entire Threat DB into CSV somehow?

5 Replies
PhoneBoy
Admin

We have a mailing list that provides updates when IPS protections are updated.
Subscribe here: https://advisories.checkpoint.com/security-advisories-subscription/ 

You can get the entire list of protections via the Management API. 
See: https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-threat-protections~v1.9%20

Note that due to the number of results returned (several thousand), this will require multiple API calls using the offset parameter to return the next 50 results.
Using mgmt_cli and jq, it should be possible to turn this into a CSV file.

jdoe1979
Contributor

Understood.
Will the CSV have all the selectors around type, date of inception, description?

PhoneBoy
Admin

It's easy enough to check: mgmt_cli -r true show threat-protections details-level "full" --format json | jq '.'

  "protections": [
    {
      "uid": "9118d0c5-83d8-42eb-807c-5c2ab3304f3e",
      "name": "29o3 CMS Remote Code Execution (CVE-2010-1922)",
      "type": "threat-protection",
      "domain": {
        "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde",
        "name": "SMC User",
        "domain-type": "domain"
      },
      "severity": "High",
      "confidence-level": "Medium",
      "performance-impact": "Medium",
      "release-date": "20201028",
      "update-date": "20201028",
      "comments": "",
      "protection-type": "Threat Cloud",
      "follow-up": false,
      "industry-reference": [
        "CVE-2010-1922"
      ]
    },
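Putting the export PhoneBoy describes together (walk the list with the offset parameter, then flatten the fields from the JSON excerpt above into CSV with per-severity and per-type counts), as an added example that is not code from the thread or from Check Point: the mgmt_cli fetcher assumes `limit`/`offset` are the paging parameters and that `--port` takes the Gaia API port reported by `api status`; the offline fetcher replays constructed records shaped like the excerpt.

```python
import csv
import io
import json
import subprocess
from collections import Counter

# Constructed records in the shape of the `show threat-protections` excerpt above; not real.
SAMPLE = [
    {"uid": "u1", "name": "Sample CMS RCE", "severity": "High", "release-date": "20201028",
     "protection-type": "Threat Cloud", "industry-reference": ["CVE-0000-0001"]},
    {"uid": "u2", "name": "Sample SQLi", "severity": "Medium", "release-date": "20201101",
     "protection-type": "IPS", "industry-reference": ["CVE-0000-0002", "CVE-0000-0003"]},
]
COLUMNS = ["uid", "name", "protection-type", "severity", "release-date", "industry-reference"]

def fetch_from_samples(offset, limit):
    """Offline stand-in for one API call: one page of the constructed list."""
    return SAMPLE[offset:offset + limit]

def fetch_from_mgmt_cli(offset, limit, port="443"):
    """One page via mgmt_cli in Expert mode (assumes `limit`/`offset` paging; `--port` as in `api status`)."""
    cmd = ["mgmt_cli", "-r", "true", "show", "threat-protections", "limit", str(limit),
           "offset", str(offset), "details-level", "full", "--format", "json", "--port", port]
    return json.loads(subprocess.check_output(cmd))["protections"]

def iter_protections(fetch_page, limit=50):
    """Walk the whole list by advancing `offset` until a short page comes back."""
    offset = 0
    while True:
        page = fetch_page(offset, limit)
        yield from page
        if len(page) < limit:
            return
        offset += limit

def to_csv(protections):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, extrasaction="ignore")
    writer.writeheader()
    for p in protections:
        row = {c: p.get(c, "") for c in COLUMNS}
        row["industry-reference"] = ";".join(p.get("industry-reference", []))
        writer.writerow(row)
    return buf.getvalue()

def summarize(protections, since="00000000"):
    """Counts by severity and type, plus how many were released on or after `since`."""
    return {"total": len(protections),
            "by_severity": dict(Counter(p.get("severity") for p in protections)),
            "by_type": dict(Counter(p.get("protection-type") for p in protections)),
            "new_since": sum(p.get("release-date", "") >= since for p in protections)}
```

Running `summarize` on two exports taken on different dates, or with `since` set to the previous update's release date, gives the count change between releases; `to_csv(list(iter_protections(fetch_from_mgmt_cli)))` produces the full export on a management server.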
jdoe1979
Contributor

Hm, I'm getting an error despite the API status being fine (see below).

I was able to connect via Postman, but looks like this only covers IPS signatures and no visibility into AV.
I'd like it to filter on protection-type for AV, but not sure what the syntax is for AV.

MGR> mgmt_cli -r true show threat-protections details-level "full" --format json | jq '.' --port 4434

  MGMT9205  You are not logged in to management server, in order to log-in you will need to run "mgmt login user [user name]"

MGR> api status

API Settings:
---------------------
Accessibility:                      Require all granted
Automatic Start:                    Enabled

Processes:

Name      State     PID       More Information
-------------------------------------------------
API       Started   26850
CPM       Started   26850     Check Point Security Management Server is running and ready
FWM       Started   26335
APACHE    Started   9941

Port Details:
-------------------
JETTY Internal Port:               54595
JETTY Documentation Internal Port: 58272
APACHE Gaia Port:                  4434 (a non-default port)
                                   When running mgmt_cli commands add '--port 4434'
                                   When using web-services, add port 4434 to the URL

Profile:
-------------------
Machine profile:                   Large env resources profile with SME or Dedicated Log Server
CPM heap size:                     1280m

                          Apache port retrieved from: httpd-ssl.conf

--------------------------------------------
Overall API Status: Started
--------------------------------------------

API readiness test SUCCESSFUL. The server is up and ready to receive connections

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

PhoneBoy
Admin

The command string I provided only works in Expert mode.
clish commands don't support piping to other commands, nor does mgmt (the clish equivalent of mgmt_cli) support the -r true flag.

My understanding is threat-protections should include protections from other blades (not just IPS).
However, a lot of AV/AB protections are handled in ThreatCloud and won't appear in the API output.
