CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.




Thread: Why SnortConverter is failing or unable to generate simple rule like this?

  1. #1
    Join Date
    2012-06-13
    Posts
    299
    Rep Power
    6

    Why SnortConverter is failing or unable to generate simple rule like this?

    Hi Guys,

    Is anyone a SnortConverter expert here? I am trying to export Snort rules using SnortConverter; a couple of other rules are getting exported correctly, but I am not sure what this one is cribbing about.

    This is failing
    alert udp any any -> 104.199.121.36 any (msg:"ET CNC Shadowserver Reported CnC Server UDP group 2";)

    0/1 rules were successfully converted, total of 0 IPS protections were found.
    For more details please see $FWDIR/log/SnortConvertor.elg file.
    The configuration is up to date, therefore no changes were made.

    ##################

    And this is successful

    [Expert@GPMGMT:0]# SnortConvertor update -f test2.rules
    1/1 rules were successfully converted, total of 1 IPS protections were found.
    1/1 IPS protections were updated
    Updating database...

    alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"ET EXPLOIT Arkeia full remote access without password or authentication"; flow:to_server,established; content:"|464F3A20596F75206861766520737563|"; content:"|6520636C69656E7420696E666F726D61|"; reference:url,metasploit.com/research/vulns/arkeia_agent; reference:url,doc.emergingthreats.net/bin/view/Main/2001742; classtype:attempted-admin; sid:2001742; rev:9;)

  2. #2
    Join Date
    2012-06-13
    Posts
    299
    Rep Power
    6

    Re: Why SnortConverter is failing or unable to generate simple rule like this?

    Well, I feel it doesn't like the IP address mentioned in the signature. Any idea how to override that?

  3. #3
    Join Date
    2012-06-13
    Posts
    299
    Rep Power
    6

    Re: Why SnortConverter is failing or unable to generate simple rule like this?

    OK - I figured out the issue and am able to import the rule :)

    CP does not like a Snort rule without the content keyword; I added that and it got imported perfectly!
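As an added example (not from the thread, and not Check Point's or Snort's own code), a small pre-flight check that parses Snort rules and reports which ones lack the content keyword that, per the post above, SnortConvertor requires before it will convert a rule; the sample rules, the 192.0.2.10 address and the function names are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample rules: line 1 has the shape that failed in the thread
# (no content: option), line 2 the shape that converted, line 4 a second
# content-less rule. The 192.0.2.10 address is a documentation address.
SAMPLE_RULES = """\
alert udp any any -> 192.0.2.10 any (msg:"ET CNC example CnC Server UDP";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"ET EXPLOIT example; keep"; flow:to_server,established; content:"|464F3A20|"; sid:2001742; rev:9;)
# comment lines and blanks are skipped
alert tcp any any -> any 80 (msg:"blacklist style rule, no content";)
"""

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')

def split_options(opts: str) -> List[str]:
    """Split the option body on ';' while honouring quoted strings and \\" escapes."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(opts):
        ch = opts[i]
        if ch == '\\' and quoted and i + 1 < len(opts):
            buf.append(opts[i:i + 2]); i += 2; continue
        if ch == '"':
            quoted = not quoted
        if ch == ';' and not quoted:
            parts.append(''.join(buf).strip()); buf = []
        else:
            buf.append(ch)
        i += 1
    tail = ''.join(buf).strip()
    return parts + ([tail] if tail else [])

def parse_rule(line: str) -> Dict[str, object]:
    """Parse one rule into its header fields plus the list of option keywords used."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not a Snort rule: {line!r}")
    rule: Dict[str, object] = m.groupdict()
    opts = str(rule.pop('opts'))
    rule['keywords'] = [o.split(':', 1)[0].strip().lower() for o in split_options(opts)]
    return rule

def check_rules(text: str) -> List[Dict[str, object]]:
    """One finding per rule that has no content: option (the case SnortConvertor rejected)."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        rule = parse_rule(line)
        if 'content' not in rule['keywords']:
            findings.append({'line': n, 'dst': rule['dst'], 'reason': 'missing content: option'})
    return findings
```

Run the check over a rules file before `SnortConvertor update -f`, and fix or drop the flagged lines rather than reading the .elg afterwards.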

  4. #4
    Join Date
    2008-01-25
    Location
    Karlsruhe / Germany
    Posts
    15
    Rep Power
    0

    Re: Why SnortConverter is failing or unable to generate simple rule like this?

    Hi Blason,

    I have the same problem you had.
    Is there any relevant need of the content option which CP tries to enforce?
    Do I have specific content options or can I just add what I like to add?
    I tried quotes without contents. This caused a coredump :D

    Thanks in advance.

    BR
    Sven

  5. #5
    Join Date
    2008-01-25
    Location
    Karlsruhe / Germany
    Posts
    15
    Rep Power
    0

    Re: Why SnortConverter is failing or unable to generate simple rule like this?

    I have to add that I wanted to add a rule that works like a blacklist without triggering specific content.
