Luis_Borralho1
Explorer

SNORT Rules and Checkpoint R77.30 IPS

Hello guys!

I prepared a SNORT rule to drop DoS-tool-like traffic patterns, and the rule is working fine. Can you tell me after how much time the FW will send the IPs attacking the network after matching the rule?

Or is there a way to put something like "send to SAM or not" into the Snort rule?

Because I know that for Snort there is SnortSam, a plugin for Snort:

SnortSam is a plugin for Snort, an open-source light-weight Intrusion Detection System (IDS). The plugin allows automated blocking of IP addresses on the following firewalls:

  • Checkpoint Firewall-1
  • Cisco PIX firewalls
  • Cisco Routers (using ACLs or Null-Routes)
  • Former Netscreen, now Juniper firewalls
  • IP Filter (ipf), available for various Unix-like OSes such as FreeBSD
  • FreeBSD's ipfw2 (in 5.x)
  • OpenBSD's Packet Filter (pf)
  • Linux IPchains
  • Linux IPtables
  • Linux EBtables
  • WatchGuard Firebox firewalls
  • 8signs firewalls for Windows
  • MS ISA Server firewall/proxy for Windows
  • CHX packet filter
  • Ali Basel's Tracker SNMP through the SNMP-Interface-down plugin
  • ...and more to come...

Is there any kind of plugin or feature for the R77.30 FW/IPS?

Thank you very much in advance.

Accepted Solutions
PhoneBoy
Admin

You should be able to use one of the User Defined log settings for the protection to trigger a script to do whatever you want.

See the screenshot below.

8 Replies
PhoneBoy
Admin

Just to clarify your question:

  • You have a snort rule you've created that matches traffic
  • Based on this rule triggering, you want to automatically block IP using fw sam/fw samp or similar

Correct?

Luis_Borralho1
Explorer

Hi Dameon!

First of all thank you for your reply.

And that's it: I want it to automatically block the IP.

Thank you.

PhoneBoy
Admin

I will check with R&D, but I do not believe this is possible out of the box.

It may be possible by monitoring logs and using that to trigger an fw sam/fw samp command to issue a block.

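A minimal handler of the kind the two PhoneBoy replies above describe (a script fired from the protection's User Defined log/alert setting that issues an fw sam block for the logged source), as an added example; it is not code from this thread or from Check Point. Assumptions: the management server hands the matching log record to the script on stdin as one line of `key: value;` pairs in `fw log` style (the SAMPLE_LOG record below is constructed from documentation addresses), `fw sam -t <seconds> -I src <ip>` is available on the host that runs the script, and the names sam_block.sh, FW_SAM_CMD, SAM_TIMEOUT and ALLOWLIST are mine.

```shell
#!/bin/sh
# sam_block.sh (hypothetical name): user-defined alert handler that turns a
# matching IPS log record into a temporary SAM block of its source address.
# Added example, not Check Point code. Assumes the record arrives on stdin as
# "key: value;" pairs (fw log style) and that "fw sam" is on PATH.

# Overridable so the handler can be tested (FW_SAM_CMD=echo) or wrapped;
# the default is the real CLI. All three names are this example's own.
FW_SAM_CMD=${FW_SAM_CMD:-"fw sam"}
SAM_TIMEOUT=${SAM_TIMEOUT:-3600}       # seconds; the SAM entry expires on its own
ALLOWLIST=${ALLOWLIST:-"198.51.100.7"} # constructed: sources we must never block

# Constructed sample record in the assumed format.
SAMPLE_LOG='Time: 12Jan2024 10:15:33; Action: drop; Origin: gw1; src: 203.0.113.45; dst: 198.51.100.7; proto: udp; Attack Info: Custom Snort DoS pattern;'

# Print the src field of one record, or nothing if it has none.
# A leading space is prepended so "src" at the start of the line also matches
# while "xlatesrc" and similar keys do not.
extract_src_ip() {
    printf ' %s\n' "$1" |
        sed -n 's/.*[;[:space:]]src[:=][[:space:]]*\([0-9.][0-9.]*\).*/\1/p'
}

# Strict dotted-quad check. The field is attacker-influenced input that ends
# up on a command line, so accept nothing but exactly four octets 0-255.
is_valid_ipv4() {
    case $1 in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
}

# Exact-match allowlist (gateways, management, monitoring, known partners).
is_allowlisted() {
    for a in $ALLOWLIST; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# Issue the block: -I inhibits new connections from the source, -t bounds
# it in seconds. Refuses anything that is not a clean IPv4 literal.
block_src() {
    is_valid_ipv4 "$1" || return 2
    # shellcheck disable=SC2086 -- intentional word splitting of FW_SAM_CMD
    $FW_SAM_CMD -t "${2:-$SAM_TIMEOUT}" -I src "$1"
}

# Read one record from stdin and decide whether to block its source.
handle_alert() {
    IFS= read -r record || return 1
    ip=$(extract_src_ip "$record")
    if [ -z "$ip" ]; then
        echo "sam_block: no src field in record, ignoring" >&2; return 1
    fi
    if ! is_valid_ipv4 "$ip"; then
        echo "sam_block: malformed src '$ip', ignoring" >&2; return 1
    fi
    if is_allowlisted "$ip"; then
        echo "sam_block: $ip is allowlisted, not blocking" >&2; return 0
    fi
    block_src "$ip" "$SAM_TIMEOUT"
}

# Run only when installed under the script's own name, so the file can also
# be sourced (for example to test the functions) without consuming stdin.
case ${0##*/} in
    sam_block.sh) handle_alert ;;
esac
```

Two caveats a practitioner would want before wiring this to a DoS protection. First, the source address of the traffic that DoS tools generate is frequently spoofed, so an attacker who knows you auto-block can make the firewall cut off any address they choose; the allowlist and the bounded `-t` timeout are the minimum defence, and blocking should stay off for protections matched on spoofable UDP unless you accept that risk. Second, the IPS can log the same attacker many times per second, so the handler may run at a high rate; run it somewhere that can absorb that, and consider deduplicating by source before issuing the command. If you also want already-established connections from the source torn down, `fw sam` offers `-J` in place of `-I`.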
Blason_R
Leader

Hey,

Would you mind sharing that Snort rule with me? Let me try with a bash script and see if that works.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Sven_Glock
Advisor

Does someone know if custom rules (for example based on Snort) will be possible out of the box in the future?

PhoneBoy
Admin

It can already be done as far as I know.

The above screenshot is individual to a specific protection.

Sven_Glock
Advisor

Dameon, you are right. Here is the relevant chapter in the admin guide:

Configuring Specific Protections 
