Hi all,
Are there any release notes for Threat updates for Quantum?
I need to have accounting visibility into signatures by severity, introduction date and type (AV/IPS) + overall signature count change between update releases as part of the project.
So far I could see there's some filtering on https://threatwiki.checkpoint.com/threatwiki/public.htm but it is lacking in the filtering options I need. Is there an option to export the entire Threat DB into CSV somehow?
We have a mailing list that provides updates when IPS protections are updated.
Subscribe here: https://advisories.checkpoint.com/security-advisories-subscription/
You can get the entire list of protections via the Management API.
See: https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-threat-protections~v1.9%20
Note that due to the number of results returned (several thousand), this will require multiple API calls using the offset parameter to return the next 50 results.
Using mgmt_cli and jq, it should be possible to turn this into a CSV file.
Understood.
Will CSV have all the selectors around type, date of incept, description?
It's easy enough to check:

```
mgmt_cli -r true show threat-protections details-level "full" --format json | jq '.'
```

```
"protections": [
  {
    "uid": "9118d0c5-83d8-42eb-807c-5c2ab3304f3e",
    "name": "29o3 CMS Remote Code Execution (CVE-2010-1922)",
    "type": "threat-protection",
    "domain": {
      "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde",
      "name": "SMC User",
      "domain-type": "domain"
    },
    "severity": "High",
    "confidence-level": "Medium",
    "performance-impact": "Medium",
    "release-date": "20201028",
    "update-date": "20201028",
    "comments": "",
    "protection-type": "Threat Cloud",
    "follow-up": false,
    "industry-reference": [
      "CVE-2010-1922"
    ]
  },
```
hm, I'm getting an error despite API status being fine (see below)
I was able to connect via Postman, but looks like this only covers IPS signatures and no visibility into AV.
I'd like it to filter on protection-type for AV, but not sure what the syntax is for AV.
```
MGR> mgmt_cli -r true show threat-protections details-level "full" --format json | jq '.' --port 4434
MGMT9205 You are not logged in to management server, in order to log-in you will need to run "mgmt login user [user name]"
MGR> api status
API Settings:
---------------------
Accessibility: Require all granted
Automatic Start: Enabled

Processes:
Name      State     PID       More Information
-------------------------------------------------
API       Started   26850
CPM       Started   26850     Check Point Security Management Server is running and ready
FWM       Started   26335
APACHE    Started   9941

Port Details:
-------------------
JETTY Internal Port: 54595
JETTY Documentation Internal Port: 58272
APACHE Gaia Port: 4434 (a non-default port)
When running mgmt_cli commands add '--port 4434'
When using web-services, add port 4434 to the URL

Profile:
-------------------
Machine profile: Large env resources profile with SME or Dedicated Log Server
CPM heap size: 1280m
Apache port retrieved from: httpd-ssl.conf

--------------------------------------------
Overall API Status: Started
--------------------------------------------
API readiness test SUCCESSFUL. The server is up and ready to receive connections

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'
```
The command string I provided only works in Expert mode.
clish commands don't support piping to other commands, nor does mgmt (the clish equivalent of mgmt_cli) support the -r true flag.
My understanding is threat-protections should include protections from other blades (not just IPS).
However, a lot of AV/AB protections are handled in ThreatCloud and won't appear in the API output.
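
An added example, not code from any poster in this thread or from Check Point: one way to page through `show threat-protections` with the offset parameter, write the CSV, and get the per-severity counts and the change between two update releases that the original question asks for. It assumes Python 3 is available next to `mgmt_cli` in Expert mode and that the command accepts a `limit` parameter; the function names are hypothetical, and the export only contains what the API returns.

```python
import csv, io, json, subprocess
from collections import Counter

# Keys taken from the sample "protections" object shown in the thread.
FIELDS = ["uid", "name", "severity", "confidence-level", "performance-impact",
          "release-date", "update-date", "protection-type", "industry-reference"]

def fetch_page(offset, limit=50, port=None):
    """One page from mgmt_cli (Expert mode). 'limit' is assumed to be accepted."""
    cmd = ["mgmt_cli", "-r", "true", "show", "threat-protections",
           "details-level", "full", "limit", str(limit), "offset", str(offset),
           "--format", "json"]
    if port:  # e.g. 4434 when 'api status' reports a non-default port
        cmd += ["--port", str(port)]
    return json.loads(subprocess.check_output(cmd).decode())

def all_protections(fetch=fetch_page, limit=50):
    """Advance offset by limit until a short or empty page comes back."""
    offset = 0
    while True:
        page = fetch(offset, limit).get("protections", [])
        yield from page
        if len(page) < limit:
            return
        offset += limit

def to_csv(protections):
    """Flatten protections to CSV text; list-valued references joined with ';'."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(FIELDS)
    for p in protections:
        row = [p.get(f, "") for f in FIELDS]
        row[-1] = ";".join(p.get("industry-reference", []))
        writer.writerow(row)
    return out.getvalue()

def count_by(protections, field):
    """Signature count per value of one field, e.g. 'severity'."""
    return Counter(p.get(field, "") for p in protections)

def diff_snapshots(old, new):
    """Names added and removed between two exports, matched on uid."""
    o = {p["uid"]: p["name"] for p in old}
    n = {p["uid"]: p["name"] for p in new}
    return (sorted(n[u] for u in n.keys() - o.keys()),
            sorted(o[u] for u in o.keys() - n.keys()))
```

Keeping the list from `list(all_protections())` after each update gives `diff_snapshots` its two inputs, and `count_by(snapshot, "protection-type")` shows which types the API actually exposes.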