Solved: SNORT Rules and Checkpoint R77.30 IPS

Luis_Borralho1 · ‎2017-04-24

Hello guys!

I prepared a SNORT rule to drop DoS tools patterns like traffic, the rule is working fine, can you tell after how much time will the FW send the IP's attacking the network after matching the rule?

Or is there a way to put in the snort rule a way like send to sam or not?

Because I know that for snort there is snortsam a plugin for snort:

SnortSam is a plugin for Snort, an open-source light-weight Intrusion Detection System (IDS). The plugin allows for automated blocking of IP addresses on following firewalls:

Checkpoint Firewall-1
Cisco PIX firewalls
Cisco Routers (using ACL's or Null-Routes)
Former Netscreen, now Juniper firewalls
IP Filter (ipf), available for various Unix-like OS'es such as FreeBSD?
FreeBSD?'s ipfw2 (in 5.x)
OpenBSD?'s Packet Filter (pf)
Linux IPchains
Linux IPtables
Linux EBtables
WatchGuard? Firebox firewalls
8signs firewalls for Windows
MS ISA Server firewall/proxy for Windows
CHX packet filter
Ali Basel's Tracker SNMP through the SNMP-Interface-down plugin
...and more to come...

Is there any kind of plugin or feature for the R77.30 FW/IPS?

Thank you vey much in advance.

PhoneBoy · ‎2017-04-29

You should be able to use one of the User Defined log settings for the protection to trigger a script to do whatever you want.

See the screenshot below.

View solution in original post

PhoneBoy · ‎2017-04-24

Just to clarify your question:

You have a snort rule you've created that matches traffic
Based on this rule triggering, you want to automatically block IP using fw sam/fw samp or similar

Correct?

Luis_Borralho1 · ‎2017-04-24

Hi Dameon!

First of all thank you for your reply.

And that's that, I want it to automatically block the IP.

Thank you.

PhoneBoy · ‎2017-04-25

I will check with R&D, but I do not believe this is possible out of the box.

It may be possible by monitoring logs and using that to trigger an fw sam/fw samp command to issue a block.

Blason_R · ‎2017-04-28

Hey,

Would you mind share that snort rule with me? Let me try with some bash script and see if that works.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS

PhoneBoy · ‎2017-04-29

You should be able to use one of the User Defined log settings for the protection to trigger a script to do whatever you want.

See the screenshot below.

Sven_Glock · ‎2017-07-21

Does some one know if customer rules (for example based on Snort) will be possible out of the box in the future?

PhoneBoy · ‎2017-07-21

It can already be done as far as I know.

The above screenshot is individual to a specific protection.

Sven_Glock · ‎2017-07-24

Dameon, you are right. Here is the relevant chapter in the admin guide:

Configuring Specific Protections

Are you a member of CheckMates?

SNORT Rules and Checkpoint R77.30 IPS

SnortSam is a plugin for Snort, an open-source light-weight Intrusion Detection System (IDS). The plugin allows for automated blocking of IP addresses on following firewalls: