Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Marc_Lampo
Contributor

identify IPS signature from within user alert script

Hello,

for customers that ask us for more proactive support and action against DDOS threats, we developed a script that can be called as "user alert".  It can be added as extra action to IPS signatures that seem to be heavily and intensely exploited.  Goal is to automatically block - SAM - violating IP addresses.

There are, however, only 3 user alert scripts possible.  Consequently the script must identify the reason for being called from the data it gets (over stdin).

So far no problem.

We already "discovered" that IPS protections of type "Core" identify themselves via the "Protection Name".

Others - not of type "Core" - via the "malware_rule_id".

 

However, I noticed now that the "malware_rule_id" seems to change, over time, for the same IPS Protection !?

Eg.:

$1 == " malware_rule_id" && $2 == " {862F2AE7-6B00-4B4D-8E08-ADAA90FEB234}" {
..
}
$1 == " malware_rule_id" && $2 == " {495C899C-F1B7-474D-B703-AF07BFF13A85}" {

--> *both* malware_rule_id values are actually the same "Command Injection over HTTP" IPS signature

 

This is very annoying, at least.

First, I'd prefer the non Core protections to identify themselves in a somewhat more readable way - like the "Protection Name" - a field which is totally missing for them.

And secondly, that the identifier stays the same, over time, because the script cannot adjust automatically.

(short of parsing the resource again, and trying to figure out if it is command injection over HTTP or SQL injection)

 

Kind regards,

 

Marc

2 Replies
G_W_Albrecht
Legend Legend
Legend

You could read out the details from the updated IPS SQL database - or make a RFE: http://www.checkpoint.com/rfe/rfe.htm

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin

I’m guessing the UID shown is a specific signature.
A particular protection can have multiple signatures associated with it.
You might be able to look up the UID by using the show-object API, though the two examples provided were not found.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events