This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Luis_Borralho1
Explorer
‎2017-04-24 03:49 AM
Jump to solution

SNORT Rules and Checkpoint R77.30 IPS

Hello guys!

I prepared a SNORT rule to drop DoS tools patterns like traffic, the rule is working fine, can you tell after how much time will the FW send the IP's attacking the network after matching the rule?

Or is there a way to put in the snort rule a way like send to sam or not?

Because I know that for snort there is snortsam a plugin for snort:

SnortSam is a plugin for Snort, an open-source light-weight Intrusion Detection System (IDS). The plugin allows for automated blocking of IP addresses on following firewalls:

  • Checkpoint Firewall-1
  • Cisco PIX firewalls
  • Cisco Routers (using ACL's or Null-Routes)
  • Former Netscreen, now Juniper firewalls
  • IP Filter (ipf), available for various Unix-like OS'es such as FreeBSD?
  • FreeBSD?'s ipfw2 (in 5.x)
  • OpenBSD?'s Packet Filter (pf)
  • Linux IPchains
  • Linux IPtables
  • Linux EBtables
  • WatchGuard? Firebox firewalls
  • 8signs firewalls for Windows
  • MS ISA Server firewall/proxy for Windows
  • CHX packet filter
  • Ali Basel's Tracker SNMP through the SNMP-Interface-down plugin
  • ...and more to come...

Is there any kind of plugin or feature for the R77.30 FW/IPS?

Thank you vey much in advance.

1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2017-04-29 11:09 AM
In response to Blason_R
Jump to solution

You should be able to use one of the User Defined log settings for the protection to trigger a script to do whatever you want.

See the screenshot below.

View solution in original post

0 Kudos
8 Replies
PhoneBoy
Admin
Admin
‎2017-04-24 05:41 AM
Jump to solution

Just to clarify your question:

  • You have a snort rule you've created that matches traffic
  • Based on this rule triggering, you want to automatically block IP using fw sam/fw samp or similar

Correct?

0 Kudos
Luis_Borralho1
Explorer
‎2017-04-24 06:56 AM
In response to PhoneBoy
Jump to solution

Hi Dameon!

First of all thank you for your reply.

And that's that, I want it to automatically block the IP.

Thank you.

0 Kudos
PhoneBoy
Admin
Admin
‎2017-04-25 01:55 PM
In response to Luis_Borralho1
Jump to solution

I will check with R&D, but I do not believe this is possible out of the box.

It may be possible by monitoring logs and using that to trigger an fw sam/fw samp command to issue a block.

0 Kudos
Blason_R
Leader
Leader
‎2017-04-28 09:09 PM
In response to Luis_Borralho1
Jump to solution

Hey,

Would you mind share that snort rule with me? Let me try with some bash script and see if that works.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
PhoneBoy
Admin
Admin
‎2017-04-29 11:09 AM
In response to Blason_R
Jump to solution

You should be able to use one of the User Defined log settings for the protection to trigger a script to do whatever you want.

See the screenshot below.

0 Kudos
Sven_Glock
Advisor
‎2017-07-21 03:39 AM
Jump to solution

Does some one know if customer rules (for example based on Snort) will be possible out of the box in the future?

0 Kudos
PhoneBoy
Admin
Admin
‎2017-07-21 07:51 AM
In response to Sven_Glock
Jump to solution

It can already be done as far as I know.

The above screenshot is individual to a specific protection.

0 Kudos
Sven_Glock
Advisor
‎2017-07-24 03:14 AM
In response to Sven_Glock
Jump to solution

Dameon, you are right. Here is the relevant chapter in the admin guide:

Configuring Specific Protections 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top