This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Marc_Lampo
Contributor
‎2020-01-28 12:25 AM

identify IPS signature from within user alert script

Hello,

for customers that ask us for more proactive support and action against DDOS threats, we developed a script that can be called as "user alert".  It can be added as extra action to IPS signatures that seem to be heavily and intensely exploited.  Goal is to automatically block - SAM - violating IP addresses.

There are, however, only 3 user alert scripts possible.  Consequently the script must identify the reason for being called from the data it gets (over stdin).

So far no problem.

We already "discovered" that IPS protections of type "Core" identify themselves via the "Protection Name".

Others - not of type "Core" - via the "malware_rule_id".

 

However, I noticed now that the "malware_rule_id" seems to change, over time, for the same IPS Protection !?

Eg.:

$1 == " malware_rule_id" && $2 == " {862F2AE7-6B00-4B4D-8E08-ADAA90FEB234}" {
..
}
$1 == " malware_rule_id" && $2 == " {495C899C-F1B7-474D-B703-AF07BFF13A85}" {

--> *both* malware_rule_id values are actually the same "Command Injection over HTTP" IPS signature

 

This is very annoying, at least.

First, I'd prefer the non Core protections to identify themselves in a somewhat more readable way - like the "Protection Name" - a field which is totally missing for them.

And secondly, that the identifier stays the same, over time, because the script cannot adjust automatically.

(short of parsing the resource again, and trying to figure out if it is command injection over HTTP or SQL injection)

 

Kind regards,

 

Marc

2 Replies
G_W_Albrecht
Legend
Legend
‎2020-01-28 01:50 AM

You could read out the details from the updated IPS SQL database - or make a RFE: http://www.checkpoint.com/rfe/rfe.htm

CCSE CCTE CCSM SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin
‎2020-01-30 03:09 PM

I’m guessing the UID shown is a specific signature.
A particular protection can have multiple signatures associated with it.
You might be able to look up the UID by using the show-object API, though the two examples provided were not found.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events