This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AngeloP
Participant
‎2022-04-04 03:01 AM

Controlling severity of IPS Snort Rules

Jump to solution

Hi,

 

is it possible to control the severity of snort rules imported into CheckPoint Threat Preventions? For example using priority keyword or by category, or is it always severity:High for snort rules in checkpoint?

 

Thank you

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Champion
Champion
‎2022-04-04 07:40 AM

Jump to solution

Your question was answered in my IPS/AV/ABOT Immersion video series; the answer is yes you can change them but it requires the use of GUIDBedit, and future SNORT import operations for the same signature will set the three rating criteria back to their default values.  You really should be using the newer Custom Threat Indicators feature instead which is much more flexible and easy to work with.

snort1.pngsnort2.pngsnort3.png

 

 

 

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com

View solution in original post

3 Replies
G_W_Albrecht
Legend
Legend
‎2022-04-04 04:39 AM

Jump to solution
  1. Snort Protection names are Snort imported: <value of the ‘msg’ field in the original SNORT rule>. See Creating SNORT Rule Files.
  2. Snort Protections get these attributes automatically:
    • Performance Impact - High
    • Severity - High
    • Confidence Level - Low or Medium

(https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_ThreatPrevention_AdminGuide...

 

CCSE CCTE SMB Specialist
AngeloP
Participant
‎2022-04-04 06:02 AM
In response to G_W_Albrecht

Jump to solution

Thank you, so basically there's absolutely no way you can control severity of any protections in checkpoint smartdefense? That's a useful feature if say you have a rule in your SIEM to generate offenses above severity 2 or 3 based on threat prevention logs from checkpoint, and use a lower severity for testing signatures and not generate SIEM offenses. Or even change a specific Checkpoint signature to lower severity, to not have it generate offenses but still keep the logs. The flexibility just keeps being underwhelming, i keep hearing "no you can't do that here" at everything i ask.

0 Kudos
Timothy_Hall
Champion
Champion
‎2022-04-04 07:40 AM

Jump to solution

Your question was answered in my IPS/AV/ABOT Immersion video series; the answer is yes you can change them but it requires the use of GUIDBedit, and future SNORT import operations for the same signature will set the three rating criteria back to their default values.  You really should be using the newer Custom Threat Indicators feature instead which is much more flexible and easy to work with.

snort1.pngsnort2.pngsnort3.png

 

 

 

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com