Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
AngeloP
Participant
Jump to solution

Controlling severity of IPS Snort Rules

Hi,

 

is it possible to control the severity of snort rules imported into CheckPoint Threat Preventions? For example using priority keyword or by category, or is it always severity:High for snort rules in checkpoint?

 

Thank you

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Champion
Champion

Your question was answered in my IPS/AV/ABOT Immersion video series; the answer is yes you can change them but it requires the use of GUIDBedit, and future SNORT import operations for the same signature will set the three rating criteria back to their default values.  You really should be using the newer Custom Threat Indicators feature instead which is much more flexible and easy to work with.

snort1.pngsnort2.pngsnort3.png

 

 

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

View solution in original post

3 Replies
G_W_Albrecht
Legend
Legend
  1. Snort Protection names are Snort imported: <value of the ‘msg’ field in the original SNORT rule>. See Creating SNORT Rule Files.
  2. Snort Protections get these attributes automatically:
    • Performance Impact - High
    • Severity - High
    • Confidence Level - Low or Medium

(https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_ThreatPrevention_AdminGuide...

 

CCSE CCTE CCSM SMB Specialist
AngeloP
Participant

Thank you, so basically there's absolutely no way you can control severity of any protections in checkpoint smartdefense? That's a useful feature if say you have a rule in your SIEM to generate offenses above severity 2 or 3 based on threat prevention logs from checkpoint, and use a lower severity for testing signatures and not generate SIEM offenses. Or even change a specific Checkpoint signature to lower severity, to not have it generate offenses but still keep the logs. The flexibility just keeps being underwhelming, i keep hearing "no you can't do that here" at everything i ask.

0 Kudos
Timothy_Hall
Champion
Champion

Your question was answered in my IPS/AV/ABOT Immersion video series; the answer is yes you can change them but it requires the use of GUIDBedit, and future SNORT import operations for the same signature will set the three rating criteria back to their default values.  You really should be using the newer Custom Threat Indicators feature instead which is much more flexible and easy to work with.

snort1.pngsnort2.pngsnort3.png

 

 

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events