AngeloP
Participant

Controlling severity of IPS Snort Rules

Hi,

Is it possible to control the severity of Snort rules imported into Check Point Threat Prevention? For example, using the priority keyword or by category, or is it always severity:High for Snort rules in Check Point?

Thank you


Accepted Solutions
Timothy_Hall
Legend

Your question was answered in my IPS/AV/ABOT Immersion video series; the answer is yes, you can change them, but it requires the use of GUIDBedit, and future SNORT import operations for the same signature will set the three rating criteria back to their default values. You really should be using the newer Custom Threat Indicators feature instead, which is much more flexible and easy to work with.

[Attached screenshots: snort1.png, snort2.png, snort3.png]

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com


3 Replies
G_W_Albrecht
Legend
  1. Snort Protection names are Snort imported: <value of the ‘msg’ field in the original SNORT rule>. See Creating SNORT Rule Files.
  2. Snort Protections get these attributes automatically:
    • Performance Impact - High
    • Severity - High
    • Confidence Level - Low or Medium

(https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_ThreatPrevention_AdminGuide...


CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
AngeloP
Participant

Thank you, so basically there's absolutely no way you can control the severity of any protections in Check Point SmartDefense? That's a useful feature if, say, you have a rule in your SIEM to generate offenses above severity 2 or 3 based on Threat Prevention logs from Check Point, and use a lower severity for testing signatures so they do not generate SIEM offenses. Or even change a specific Check Point signature to a lower severity, so it does not generate offenses but still keeps the logs. The flexibility just keeps being underwhelming; I keep hearing "no, you can't do that here" at everything I ask.

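One way to work around this from the SIEM side, as an added example that is not from the thread or from Check Point: it parses Snort rules, derives the "Snort imported: <msg>" protection name that G_W_Albrecht quotes together with the fixed High severity, and builds a list of protection names (rather than severities) that a SIEM rule can exclude for signatures still under test, which is the use case AngeloP describes. The sample rules, the `parse_snort_rules` helper and the `siem_suppression_list` helper are constructed for illustration.

```python
import re

# Constructed sample Snort rules (not from the thread): one production rule with an
# escaped quote in msg, one low-priority test rule, and one with no priority keyword.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-ATTACK suspicious \"admin\" path"; flow:to_server; content:"/admin"; sid:1000001; rev:2; priority:1;)
alert udp any any -> $HOME_NET 53 (msg:"DNS-TEST long label"; sid:1000002; rev:1; priority:3;)
# comment lines are ignored
alert tcp any any -> any any (msg:"NO-PRIORITY rule"; sid:1000003; rev:1;)
'''

# Attributes Check Point assigns to every imported Snort protection, as stated in the thread.
IMPORTED_DEFAULTS = {"performance_impact": "High", "severity": "High", "confidence": "Low/Medium"}

_OPTS = re.compile(r'\((.*)\)\s*$')                 # the rule's option block
_MSG = re.compile(r'msg:\s*"((?:[^"\\]|\\.)*)"')   # msg value, allowing escaped quotes
_SID = re.compile(r'\bsid:\s*(\d+)')
_PRIO = re.compile(r'\bpriority:\s*(\d+)')

def parse_snort_rules(text):
    """Return one dict per rule: sid, msg, Snort priority (None if absent), and the
    protection name/attributes Check Point gives it on import (assumed from the thread)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m_opts = _OPTS.search(line)
        m_msg = _MSG.search(m_opts.group(1)) if m_opts else None
        if not m_msg:
            continue  # a rule without msg has no usable protection name
        opts = m_opts.group(1)
        msg = m_msg.group(1).replace('\\"', '"')
        sid, prio = _SID.search(opts), _PRIO.search(opts)
        rules.append({
            "sid": int(sid.group(1)) if sid else None,
            "msg": msg,
            "snort_priority": int(prio.group(1)) if prio else None,
            "protection_name": f"Snort imported: {msg}",  # naming scheme quoted in the thread
            **IMPORTED_DEFAULTS,  # severity stays High regardless of the Snort priority keyword
        })
    return rules

def siem_suppression_list(rules, max_snort_priority):
    """Protection names whose Snort priority is numerically above the cut-off (i.e. less
    important; Snort priority 1 is highest). Since Check Point does not carry the Snort
    priority into log severity, a SIEM rule keyed on severity fires for all of them, so
    exclude by protection name instead. Rules with no priority are kept (fail towards alerting)."""
    return sorted(r["protection_name"] for r in rules
                  if r["snort_priority"] is not None and r["snort_priority"] > max_snort_priority)
```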
