Re: IPS/AV signature release notes or full list

jdoe1979 · ‎2023-04-14

Hi all,

Are there any release notes for Threat updates for Quantum?
I need to have accounting visibility into signatures by severity, introduction date and type (AV/IPS) + overall signature count change between update releases as part of the project.
So far I could see there's some filtering on https://threatwiki.checkpoint.com/threatwiki/public.htm

but lacking in filtering options I need. Is there an option to escort the entire Threat DB into CVS somehow?

PhoneBoy · ‎2023-04-14

We have a mailing list that provides updates when IPS protections are updated.
Subscribe here: https://advisories.checkpoint.com/security-advisories-subscription/

You can get the entire list of protections via the Management API.
See: https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-threat-protections~v1.9%20

Note that due to the number of results returned (several thousand), this will require multiple API calls using the offset parameter to return the next 50 results.
Using mgmt_cli and jq, it should be possible to turn this into a CSV file.

jdoe1979 · ‎2023-04-14

Understood.
Will CSV have all the selectors around type, date of incept, description?

PhoneBoy · ‎2023-04-14

It's easy enough to check: mgmt_cli -r true show threat-protections details-level "full" --format json | jq '.'

  "protections": [
    {
      "uid": "9118d0c5-83d8-42eb-807c-5c2ab3304f3e",
      "name": "29o3 CMS Remote Code Execution (CVE-2010-1922)",
      "type": "threat-protection",
      "domain": {
        "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde",
        "name": "SMC User",
        "domain-type": "domain"
      },
      "severity": "High",
      "confidence-level": "Medium",
      "performance-impact": "Medium",
      "release-date": "20201028",
      "update-date": "20201028",
      "comments": "",
      "protection-type": "Threat Cloud",
      "follow-up": false,
      "industry-reference": [
        "CVE-2010-1922"
      ]
    },

jdoe1979 · ‎2023-04-15

hm, I'm getting an error despite API status being fine (see below)

I was able to connect via Postman, but looks like this only covers IPS signatures and no visibility into AV.
I'd like it to filter on protection-type for AV, but not sure what the syntax is for AV.

MGR> mgmt_cli -r true show threat-protections details-level "full" --format json | jq '.' --port 4434

MGMT9205 You are not logged in to management server, in order to log-in you will need to run "mgmt login user [user name]"

MGR> api status

API Settings:

---------------------

Accessibility: Require all granted

Automatic Start: Enabled

Processes:

Name State PID More Information

-------------------------------------------------

API Started 26850

CPM Started 26850 Check Point Security Management Server is running and ready

FWM Started 26335

APACHE Started 9941

Port Details:

-------------------

JETTY Internal Port: 54595

JETTY Documentation Internal Port: 58272

APACHE Gaia Port: 4434 (a non-default port)

When running mgmt_cli commands add '--port 4434'

When using web-services, add port 4434 to the URL

Profile:

-------------------

Machine profile: Large env resources profile with SME or Dedicated Log Server

CPM heap size: 1280m

Apache port retrieved from: httpd-ssl.conf

--------------------------------------------

Overall API Status: Started

--------------------------------------------

API readiness test SUCCESSFUL. The server is up and ready to receive connections

Notes:

------------

To collect troubleshooting data, please run 'api status -s <comment>'

PhoneBoy · ‎2023-04-17

The command string I provided only works in Expert mode.
clish commands don't support piping to other commands, nor does mgmt (the clish equivalent of mgmt_cli) support the -r true flag.

My understanding is threat-protections should include protections from other blades (not just IPS).
However, a lot of AV/AB protections are handled in ThreatCloud and won't appear in the API output.

Are you a member of CheckMates?

IPS/AV signature release notes or full list