Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Timothy_Hall
Champion
Champion

SNORT vs. Custom Threat Indicators

Check Point has had the ability to import SNORT signatures for some time, and relatively recently added the ability to create Custom Threat Indicators (CTIs).  These seem to be two fairly similar functions, so my questions commence:

1) Is one preferred over the other?  The information for SNORT seems to have disappeared out of the official documentation guides starting in R80.20, which coincidentally seems to be about when CTIs were added.  Is SNORT support on the way out in favor of CTIs?

2) Any time a new SNORT signature or CTI is added/modified/deleted, the immediately following Threat Prevention policy install to the gateway takes a REALLY long time.  As in a normal TP policy install takes 15 seconds, but it now takes 3-4 minutes after changing one of these features (policy install time does go back to normal for subsequent operations).  Why is this?  Is it having to recompile some kind of pattern matching database for TP to integrate the changes?

3) And the elephant in the room of course: gateway performance.  SNORT signatures are assigned a default Performance Impact of "High" which normally indicates about 50% handling in the Medium Path and about 50% handling in the undesirable F2F/slowpath.  CTIs don't seem to have a Performance Impact rating at all, at least that I can find.  While I would imagine neither SNORT nor CTIs can be handled in the fully-accelerated path by SecureXL (which is fine), which paths does traffic subject to SNORT/CTIs protections typically end up in?  PXL? CPAS? F2F?  Can CTIs be handled by the gateway more efficiently than SNORT signatures which would make them preferable from a gateway performance perspective?

Tagging @PhoneBoy 

New 2021 IPS/AV/ABOT Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
3 Replies
PhoneBoy
Admin
Admin

As far as I know, we are not deprecating support for SNORT.
I presume we are having to convert the SNORT signature to cpcode, which is what the added policy compilation time is.

Custom Threat Indicators/ioc_feeds leverage the existing capabilities in Anti-Virus and Anti-Bot, which means they have a similar performance impact to that.
Personally, if your goal is to block something that can be expressed as an IP or URL, I recommend using that over a SNORT signature.

Since it's impossible to know what the precise impact of a SNORT signature is beforehand, we mark the performance impact of all SNORT signatures as High.
It may be that some are actually low/medium performance impact.

Cyber_Serge
Collaborator

I know for snort rules, we always should look into tweaking and narrow the source/destination to reduce performance impact; do we have to do that for CTI?

0 Kudos
PhoneBoy
Admin
Admin

I don't believe so.
CTIs are destinations for the most part.
In R81+, IPs are also treated as sources. 

0 Kudos