CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

Thread: Why SnortConverter is failing or unable to generate simple rule like this?

  1. #1
    Join Date
    2012-06-13
    Posts
    302
    Rep Power
    6

    Why SnortConverter is failing or unable to generate simple rule like this?

    Hi Guys,

    Is anyone a SnortConverter expert here? I am trying to export Snort rules using SnortConverter; a couple of other rules are getting exported correctly, but I am not sure what this is cribbing about.

    This is failing:
    alert udp any any -> 104.199.121.36 any (msg:"ET CNC Shadowserver Reported CnC Server UDP group 2";)

    0/1 rules were successfully converted, total of 0 IPS protections were found.
    For more details please see $FWDIR/log/SnortConvertor.elg file.
    The configuration is up to date, therefore no changes were made.

    ##################

    And this is successful:

    [Expert@GPMGMT:0]# SnortConvertor update -f test2.rules
    1/1 rules were successfully converted, total of 1 IPS protections were found.
    1/1 IPS protections were updated
    Updating database...

    alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"ET EXPLOIT Arkeia full remote access without password or authentication"; flow:to_server,established; content:"|464F3A20596F75206861766520737563|"; content:"|6520636C69656E7420696E666F726D61|"; reference:url,metasploit.com/research/vulns/arkeia_agent; reference:url,doc.emergingthreats.net/bin/view/Main/2001742; classtype:attempted-admin; sid:2001742; rev:9;)

  2. #2
    Join Date
    2012-06-13
    Posts
    302
    Rep Power
    6

    Re: Why SnortConverter is failing or unable to generate simple rule like this?

    Well, I feel it doesn't like the IP address mentioned in the signature. Any idea how to override that?

  3. #3
    Join Date
    2012-06-13
    Posts
    302
    Rep Power
    6

    Re: Why SnortConverter is failing or unable to generate simple rule like this?

    OK, I figured out the issue and am able to import the rule :)

    CP does not like a Snort rule without the content keyword; I added that and it got imported perfectly!

  4. #4
    Join Date
    2008-01-25
    Location
    Karlsruhe / Germany
    Posts
    15
    Rep Power
    0

    Re: Why SnortConverter is failing or unable to generate simple rule like this?

    Hi Blason,

    I have the same problem you had.
    Is there any relevant need for the content option which CP tries to enforce?
    Do I have specific content options or can I just add what I like to add?
    I tried quotes without contents. This caused a coredump :D

    Thanks in advance.

    BR
    Sven

  5. #5
    Join Date
    2008-01-25
    Location
    Karlsruhe / Germany
    Posts
    15
    Rep Power
    0

    Re: Why SnortConverter is failing or unable to generate simple rule like this?

    I have to add that I wanted to add a rule that works like a blacklist without triggering specific content.
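Added example (Python, written for this page; it is not code from the thread or from Check Point's SnortConvertor): a pre-flight check that flags, before running SnortConvertor update, the two rule shapes this thread runs into, a blacklist-style rule with no content keyword (posts #1, #3 and #5) and a rule whose content is the empty string (post #4). The option parser and the accept/reject classification are assumptions drawn from what the posters report, not documented converter behaviour.

```python
import re
# Snort rule header: action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(r'^\s*\w+\s+\w+\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+\s*\((?P<opts>.*)\)\s*$')
def split_options(opts):
    """(keyword, value) pairs; ';' inside quotes does not split, '\\' escapes inside quotes."""
    pairs, buf, in_quote, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            buf.append(ch); escaped = False
        elif in_quote and ch == '\\':
            buf.append(ch); escaped = True
        elif ch == '"':
            in_quote = not in_quote; buf.append(ch)
        elif ch == ';' and not in_quote:
            item = ''.join(buf).strip(); buf = []
            if item:
                key, sep, val = item.partition(':')
                pairs.append((key.strip(), val.strip() if sep else None))
        else:
            buf.append(ch)
    if in_quote or ''.join(buf).strip():
        raise ValueError("unterminated quote or option missing its ';'")
    return pairs

def content_is_empty(value):
    """True for content:"" (post #4 reports it crashed the converter) or no quoted value."""
    v = (value or '').strip().lstrip('!').strip()   # '!' = negated match, still a real value
    return len(v) < 3 or v[0] != '"' or v[-1] != '"'

def check_rule(rule):
    """Return 'ok', 'missing-content', 'empty-content' or 'malformed' for one rule."""
    m = HEADER_RE.match(rule)
    if not m:
        return "malformed"
    try:
        contents = [v for k, v in split_options(m.group("opts")) if k == "content"]
    except ValueError:
        return "malformed"
    if not contents:
        return "missing-content"   # the case in post #1: 0/1 rules converted
    if any(content_is_empty(v) for v in contents):
        return "empty-content"
    return "ok"

# Constructed samples: "blacklist" is the rule quoted in post #1; the other two are made up.
RULES = {
    "blacklist": 'alert udp any any -> 104.199.121.36 any (msg:"ET CNC Shadowserver Reported CnC Server UDP group 2";)',
    "empty": 'alert udp any any -> 104.199.121.36 any (msg:"blacklist only"; content:"";)',
    "hex": 'alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"semi;colon"; content:"|46 4F|"; sid:2001742; rev:9;)',
}
```

Run check_rule over each line of a .rules file and fix or drop anything that is not "ok" before handing the file to the converter; the "hex" sample shows that a semicolon inside a quoted msg is handled correctly.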
